Re: Understanding Interpreter Spoofing
From: iam_chunky_pie
Subject: Re: Understanding Interpreter Spoofing
Date: Sat, 04 Dec 2021 18:08:12 +0000
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <kfm@plushkava.net>
wrote:
> On Sat, 04 Dec 2021 04:24:17 +0000
>
> iam_chunky_pie via help-bash@gnu.org wrote:
>
> > Hello everyone,
>
> Hello.
>
> > Noob here. I'm teaching myself bash and have come to a section regarding
> > interpreter spoofing. I feel confident (but could be wrong) I understand
> > the concept based on what I've learned (I'll spare everyone a review).
> >
> > However, I'm not able to reproduce the spoof? I've googled "interpreter
> > spoofing," "setuid root spoofing attacks" but all I get in return is the
> > theory on what it is and how to avoid it. Has this vulnerability been fixed
> > in bash or in Linux in general? I believe while trying to find an answer on
> > my own, I saw something to that effect that suid and sgid are basically
> > not allowed anymore in Linux and thought maybe something similar applied to
> > how the shell uses that magic line to run scripts. Below is the sample
> > script I tried to spoof and the commands I ran to try to reproduce the
> > spoof.
>
> Indeed, the Linux kernel ignores the setuid and setgid bits for binaries that
> are handled by the BINFMT_SCRIPT loader. See
> https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell doesn't
> use the shebang at all. Instead, it is treated as a comment.
> Kerin Millar
Sorry, still getting used to this style of posting and didn't notice your
comment within my original email body. So if I understood you correctly,
because the shebang isn't used at all and only treated as a comment (when it
comes to executing scripts at least), this interpreter spoofing isn't something
that can be done anymore. (At least as it relates to the original attack
theory?)
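
The two behaviours from the quoted reply, as an added example that is not part of the original thread: the kernel acts on the `#!` line when a script is executed directly, the shell treats that line as a comment when handed the file, and setuid/setgid bits on `#!` scripts are ignored on Linux and can be audited for. The function names are hypothetical, and the sketch assumes a Linux system with `head -c`, `mktemp` and `/bin/false`.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# is_script FILE: true when FILE starts with the two bytes "#!", the magic
# the kernel's BINFMT_SCRIPT loader matches on execve().
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null | tr -d '\0')" = '#!' ]
}

# find_setid_scripts DIR: print regular files under DIR that have the setuid
# or setgid bit set and are "#!" scripts. Linux ignores the bits for these
# files, so every hit is a mode worth clearing (chmod ug-s).
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then printf '%s\n' "$f"; fi
    done
}

# shebang_demo: build a constructed script whose "#!" line names /bin/false,
# then run it both ways and print "<direct exit status> <output via sh>".
shebang_demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/false\necho ran-in-shell\n' > "$d/t.sh"
    chmod 755 "$d/t.sh"
    # Direct execution: the kernel reads line 1 and starts /bin/false.
    direct=0
    "$d/t.sh" >/dev/null 2>&1 || direct=$?
    # "sh FILE": the shell parses the file itself; line 1 is only a comment.
    via_sh=$(sh "$d/t.sh")
    rm -rf "$d"
    printf '%s %s\n' "$direct" "$via_sh"
}

shebang_demo
```

Running `find_setid_scripts /usr/local/bin` (or any other directory) lists the scripts whose setuid or setgid bit has no effect under Linux.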