Shell – Why does “echo os.system(‘/bin/bash’)” work

echopythonrestricted-shell

I was doing a kind of hacking challenge, a part of which found me stuck inside a restricted shell which had very few commands. One of the available commands was echo. After a few hours of banging my head off the wall, I decided to peak at some hints. It turns out that echo os.system('/bin/bash') would break you right out of the restricted shell… it's only after I saw this that I was able to google it, but I haven't found any info on it other than that you can do it in some restricted shell situations. It doesn't work on my terminal when I tried it with zsh and bash… why does this even work? The os.system part looks like Python to me.. Can someone provide me with some background on it? If this is Python, how else can it be used with echo?

Best Answer

This seems to have been an issue that existed in LShell 0.9.15, a restricted shell implemented in python.

The vulnerable function was called check_path(), which was used to check if a user was allowed to access the given path on the command line.

The problem was that this function used eval() as a mean to strip quotes from the command line, and this would happily execute any valid python expression as well.

        for item in line:
            # remove potential quotes
            try:
                item = eval(item)
            except:
                pass

This issue was later fixed in the following commit by replacing the eval() call with a regex substitution: https://github.com/ghantoos/lshell/commit/4e05ac2e9c12142beed0e0fa16331ee0fd7dbd42#diff-edb4dda47bc5b086988a93df2615df6f

Related Solutions

Bash – echo string >> file does not work

Does $OUTPUT_FILE exist? What are its permissions (ls -l $OUTPUT_FILE, getfacl $OUTPUT_FILE)? How many times is the echo "Output file..." executed? (I'd put that one outside the for, but it's your call)?

(I'm suspecting your find ... pipeline doesn't return anything)

Bash – What does “echo (ls)” do in bash

It is essentially a generic syntax error, not specifically related to the ls token. bash uses a yacc parser, which calls a common yyerror() on any problem, Within the resulting error-handling, it proceeds to try to pinpoint the error. The message is coming from this chunk (see source):

  /* If the line of input we're reading is not null, try to find the       
     objectionable token.  First, try to figure out what token the
     parser's complaining about by looking at current_token. */
  if (current_token != 0 && EOF_Reached == 0 && (msg = error_token_from_token (current_token)))
    {
      if (ansic_shouldquote (msg))
    {
      p = ansic_quote (msg, 0, NULL);
      free (msg);
      msg = p;
    }
      parser_error (line_number, _("syntax error near unexpected token `%s'"), msg);
      free (msg);

      if (interactive == 0)
    print_offending_line ();

      last_command_exit_value = parse_and_execute_level ? EX_BADSYNTAX : EX_BADUSAGE;
      return;
    }

In other words, it's already confused by the '(', and having looked-ahead for context is reporting the ls.

A ( would be legal at the beginning of a command, but not embedded. Per manual page:

   Compound Commands                                                       
       A compound command is one of the following:

       (list) list  is  executed in a subshell environment (see COMMAND EXECU‐
              TION ENVIRONMENT below).  Variable assignments and builtin  com‐
              mands  that  affect  the  shell's  environment  do not remain in
              effect after the command completes.  The return  status  is  the
              exit status of list.

Best Answer

Related Solutions

Bash – echo string >> file does not work

Bash – What does “echo (ls)” do in bash

Related Question