[lug] replacing login shell

Jonathan Briggs zlynx at acm.org
Tue Jun 25 14:53:08 MDT 2002


On Tue, 2002-06-25 at 14:30, Hugh Brown wrote:
> What sorts of things can I try to break it (Jonathan mentioned the need
> for a special telnet binary)?  I want to test all avenues for getting
> out to a shell  (e.g. I got to a telnet> prompt and did a !/bin/sh date
> but didn't get anything but another login prompt on somehost).

Try ^]!date

That should run the date command locally.

Also try:
^]!/bin/sh -norc -noprofile

And:
^]!/bin/sh -c date

And:
^]^Z
Which should suspend the telnet session and leave you in a local shell.

In my version of telnet, it looks like you could run telnet -E.  The man
page claims that -E will prevent using an escape character like ^].

If you are giving people ssh access, be aware that they can use ssh to
run commands on the ssh server like this: ssh [server] cat /etc/passwd
Or: ssh [server] /bin/sh -norc -noprofile -i

If you use RSA/DSA key authentication with ssh and disable passwords,
you can use the authorized_keys file to define a command to be run for
that login key.  Doing this will prevent the users from running anything
else with ssh.
-- 
Jonathan Briggs
jbriggs at esoft.com
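As an added example (not part of Jonathan's post), here is a forced-command wrapper of the kind the last paragraph describes: with OpenSSH, the `command=` option in authorized_keys makes sshd run this script instead of whatever the client asked for, and the original request is exposed in `$SSH_ORIGINAL_COMMAND`. The install path, the allowlisted commands and the sample key line are assumptions.

```shell
#!/bin/sh
# Constructed example: forced-command wrapper for an OpenSSH authorized_keys entry.
# Assumed install path /usr/local/bin/restricted-cmd, referenced from the key line:
#   command="/usr/local/bin/restricted-cmd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...placeholder... user@host
# sshd then ignores the client's requested command and runs this script, which
# receives the client's request in $SSH_ORIGINAL_COMMAND.

# Decide whether a requested command is permitted.
# Prints the command line to exec on stdout; exit status 0 = allowed, 1 = denied.
forced_command_dispatch() {
    req=$1
    # Defense in depth: refuse any request containing characters outside a
    # conservative set, so shell metacharacters never reach the allowlist below.
    if [ -n "$(printf '%s' "$req" | tr -d 'A-Za-z0-9 ._/-')" ]; then
        echo "denied: unexpected characters in request" >&2
        return 1
    fi
    # Exact-match allowlist: the whole request string must equal an entry, so a
    # request with extra arguments or a second command does not match, and an
    # empty request (a plain interactive login) is denied too.
    case $req in
        date)     echo /bin/date ;;
        uptime)   echo /usr/bin/uptime ;;
        'df -h')  echo "/bin/df -h" ;;
        *)        echo "denied: '$req'" >&2; return 1 ;;
    esac
}

# Only when actually invoked by sshd: dispatch the request and exec the result.
# $SSH_CONNECTION is set by sshd; it is absent when this file is sourced for testing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if cmd=$(forced_command_dispatch "${SSH_ORIGINAL_COMMAND:-}"); then
        # $cmd is one of the fixed allowlisted strings above, so splitting it
        # into words here is intended and safe.
        exec $cmd
    fi
    exit 1
fi
```

Denials are written to stderr, which sshd passes back to the client, so a refused request is visible both to the user and in the server's auth log entry for that key.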