[LOTP] Bash (wut ?!) #29

Closed
tr4l opened this issue Apr 17, 2024 · 5 comments

tr4l commented Apr 17, 2024

Bash, but with a twist

Bash in itself is used for executing stuff, so this is somehow a "normal" usage, but with a twist

Configuration files

.bashrc
.initrc

Env variable

BASH_ENV
BASH_FUNC
PROMPT_COMMAND (only interactive, doesn't work)

Documentation

https://www.gnu.org/software/bash/manual/bash.html#Bash-Variables

GitHub example

name: On issue with debug
on:
  issue_comment: 
    types: [created, edited]

jobs:
  command_dispatch:
    name: Debug
    runs-on: ubuntu-latest
    permissions:
      # keep this limited to read permissions for the content only!
      contents: write
    steps:
      - name: Debug
        run: |
          echo "Injectable workflow"

      - name: Debug 2
        run: |
          echo "----------------"
          echo "Nothing: safe workflow"
          echo "----------------"

In this example we can inject a bashrc, as bash is the default shell on the runner.
Some runners use the following default command for the shell:

/usr/bin/bash --noprofile --norc -e -o pipefail "/tmp/computed/step.sh"

This example will not run any bashrc or initrc because of the --noprofile and --norc.

However, this will execute the file defined in BASH_ENV, so with a file write + env injection, the second step can be injected, without anything visible in that step that indicates an injection.

Additional notes

This is the default on GitHub Actions, so yeah, a lot of potential targets

@tr4l tr4l added the idea label Apr 17, 2024
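
The behaviour described in the issue body, as an added defensive example (not code from the issue or the project): it runs the quoted runner command line against a harmless marker file to confirm that `--noprofile --norc` does not stop `BASH_ENV`, then shows a guarded invocation and an environment audit. Function names and temp files are constructed, and `bash` is resolved via `PATH` rather than `/usr/bin/bash`.

```shell
#!/bin/sh
# Added example, not from the issue: every file and function name is constructed.

# run_step SCRIPT: the runner command line quoted in the issue (bash resolved
# via PATH here), with the environment inherited unchanged.
run_step() {
  bash --noprofile --norc -e -o pipefail "$1"
}

# run_step_guarded SCRIPT: same invocation, but BASH_ENV is dropped in a
# subshell first, so the step starts without the extra startup file.
run_step_guarded() {
  ( unset BASH_ENV; run_step "$1" )
}

# flag_startup_hooks: reads `env` output on stdin and prints the entries the
# issue lists (BASH_ENV, exported functions stored as BASH_FUNC_*).
# Returns 1 when anything was flagged, 0 when the environment is clean.
flag_startup_hooks() {
  if grep -E '^(BASH_ENV=|BASH_FUNC_)'; then return 1; fi
  return 0
}

# demo: harmless stand-ins. hook.sh only prints a marker; step.sh is the
# "Debug 2" body from the workflow above.
demo() {
  dir=$(mktemp -d) || return 1
  printf 'echo "MARKER: file named by BASH_ENV was sourced"\n' > "$dir/hook.sh"
  printf 'echo "Nothing: safe workflow"\n' > "$dir/step.sh"
  (
    BASH_ENV="$dir/hook.sh"; export BASH_ENV
    echo "== inherited environment =="; run_step "$dir/step.sh"
    echo "== BASH_ENV removed ==";      run_step_guarded "$dir/step.sh"
    echo "== audit of this environment =="
    env | flag_startup_hooks || echo "(flagged entries listed above)"
  )
  rm -rf "$dir"
}

demo
```

Piping `env` through `flag_startup_hooks` at the start of a sensitive step gives a visible signal in the step log, which the plain step body otherwise lacks.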

tr4l commented Aug 30, 2024 via email

@fproulx-boostsecurity
Contributor

An actual vuln GHSA GHSA-h52q-xhg2-6jw8

@AdnaneKhan

An actual vuln GHSA GHSA-h52q-xhg2-6jw8

Hey that’s pretty cool! GHSL has been doing some amazing work reporting issues to OSS projects.

@fproulx-boostsecurity
Contributor

@fproulx-boostsecurity fproulx-boostsecurity added the good first issue Good for newcomers label Nov 19, 2024
@Talgarr Talgarr self-assigned this Feb 7, 2025
@Talgarr Talgarr mentioned this issue Feb 7, 2025
@Talgarr Talgarr closed this as completed Feb 24, 2025