Re: Understanding Interpreter Spoofing

[Alex fxmbsw7 Ratchev]

good one about that shebangg

On Sat, Dec 4, 2021, 21:06 Kerin Millar <kfm@plushkava.net> wrote:

> On Sat, 04 Dec 2021 18:08:12 +0000
> iam_chunky_pie <iam_chunky_pie@protonmail.com> wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > On Saturday, December 4th, 2021 at 7:31 AM, Kerin Millar <
> kfm@plushkava.net> wrote:
> >
> > > On Sat, 04 Dec 2021 04:24:17 +0000
> > >
> > > iam_chunky_pie via help-bash@gnu.org wrote:
> > >
> > > > Hello everyone,
> > >
> > > Hello.
> > >
> > > > Noob here. I'm teaching myself bash and have come to a section
> regarding interpreter spoofing. I feel confident (but could be wrong,) I
> understand the concept based on what I've earned (I'll spare everyone a
> review.)
> > > >
> > > > However, I'm not able to reproduce the spoof? I've googled
> "interpreter spoofing," "setuid root spoofing attacks" but all I get in
> return is the theory on what it is and how to avoid it. Has this
> vulnerability been fixed in bash or in Linux in general. I believe while
> trying to find an answer on my own, I saw something to that effect that
> suid and sguid are basically not allowed anymore in Linux and thought maybe
> something similar applied to how the shell uses that magic line to run
> scripts. Below is the sample script I tried to spoof and the commands I ran
> to try to reproduce the spoof.
> > >
> > > Indeed, the Linux kernel ignores the setuid and setgid bits for
> binaries that are handled by the BINFMT_SCRIPT loader. See
> https://www.in-ulm.de/~mascheck/various/shebang/#setuid. The shell
> doesn't use the shebang at all. Instead, it is treated as a comment.
> >
> > > Kerin Millar
> >
> > Sorry still getting used to this style of posting and didn't notice your
> comment with-in my original email body.  So if I understood you correctly,
> because the shebang isn't used at all and only treated as a comment (when
> it comes to executing scripts at least), this interpreter spoofing isn't
> something that can be done anymore.  (At least as it related to the
> original attack theory?)
>
> The BINFMT_SCRIPT loader requires that the first two bytes be 0x23, 0x21
> ("#!"). What remains is treated as the path of the interpreter and,
> potentially, one argument to be conveyed to the interpreter. Whether it
> discerns this optional argument or not, the pathname of the script is
> always the final argument. See
> https://github.com/torvalds/linux/blob/master/fs/binfmt_script.c for the
> exact methodology. From this, you may conclude that the name of the script
> has no bearing on the how the path of the interpreter is determined.
>
> That being said, it is possible to name and invoke the script in such a
> way that its name is parsed by the specified interpreter as if it had been
> intended as an option argument. I posted an example in
> https://lists.gnu.org/archive/html/bug-bash/2021-11/msg00152.html. As
> concerns bash, I can't think of any way in which this would count as an
> exploit. At any rate, this eventuality can be defended against by defining
> the shebang as "#!/bin/bash --".
>
> --
> Kerin Millar
>
>