Re: Understanding Interpreter Spoofing

[Alex fxmbsw7 Ratchev]

no, cause /bin/bash is not suid

On Sat, Dec 4, 2021, 19:08 iam_chunky_pie <iam_chunky_pie@protonmail.com>
wrote:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <
> kfm@plushkava.net> wrote:
>
> > On Sat, 04 Dec 2021 04:24:17 +0000
> >
> > iam_chunky_pie via help-bash@gnu.org wrote:
> >
> > > Hello everyone,
> >
> > Hello.
> >
> > > Noob here. I'm teaching myself bash and have come to a section
> regarding interpreter spoofing. I feel confident (but could be wrong,) I
> understand the concept based on what I've earned (I'll spare everyone a
> review.)
> > >
> > > However, I'm not able to reproduce the spoof? I've googled
> "interpreter spoofing," "setuid root spoofing attacks" but all I get in
> return is the theory on what it is and how to avoid it. Has this
> vulnerability been fixed in bash or in Linux in general. I believe while
> trying to find an answer on my own, I saw something to that effect that
> suid and sguid are basically not allowed anymore in Linux and thought maybe
> something similar applied to how the shell uses that magic line to run
> scripts. Below is the sample script I tried to spoof and the commands I ran
> to try to reproduce the spoof.
> >
> > Indeed, the Linux kernel ignores the setuid and setgid bits for binaries
> that are handled by the BINFMT_SCRIPT loader. See
> https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell
> doesn't use the shebang at all. Instead, it is treated as a comment.
>
> > Kerin Millar
>
> Sorry still getting used to this style of posting and didn't notice your
> comment with-in my original email body.  So if I understood you correctly,
> because the shebang isn't used at all and only treated as a comment (when
> it comes to executing scripts at least), this interpreter spoofing isn't
> something that can be done anymore.  (At least as it related to the
> original attack theory?)
>
>