0

I'm researching the possibility that modifiable environment variables could have security implications. I mounted all writable volumes with noexec. LD_PRELOAD could be an attack surface, but I don't think it will have any effect because of noexec.

Is there anything more to consider in this situation? If possible, how can code (whether binary or shell script) be injected and executed?

The OS is Linux. Note that the EnvironmentFile of systemd is used.

Defenses:

  • Shared libraries from directories with noexec set cannot be loaded, so attackers cannot use LD_PRELOAD.

systemd service:

[Service]
ExecStart=/my-program.sh
EnvironmentFile=/writable-directory/env.txt

/my-program.sh:

#!/bin/bash
some scripts...
openssl...
6
  • @SteffenUllrich I also prevented loading shared library inside noexec. Commented Jul 17, 2023 at 15:22
  • Doesn't what you ask depend on what program you execute? LD_PRELOAD is for the generic program loader only, but programs might use environment variables for a variety of things which lead to attacker-controlled code execution. For example, PERL5LIB allows you to define where Perl is looking for its modules - and it does not care about noexec. Similarly with PYTHONPATH etc. Commented Jul 17, 2023 at 15:30
  • The program I made is a bash script. I don't use ruby/perl, etc. Programs called in the script are all programs written in C (openssl and etc). Commented Jul 17, 2023 at 15:33
  • Note that the EnvironmentFile of systemd is used. Commented Jul 17, 2023 at 16:00
  • Please don't add all the relevant information as separate comments - edit your question instead to include every relevant detail. Also, "openssl and etc." is too unspecific - what exactly is "etc."? Commented Jul 17, 2023 at 16:04

2 Answers

1

It used to be possible to define bash functions using environment variables, as this was the method the shell used to pass user-defined functions down to sub-shells (an environment variable with a specific value format). This caused a vulnerability known as Shellshock, which has been fixed and won't work unless the machine is running an old bash version. See https://unix.stackexchange.com/questions/233091/bash-functions-in-shell-variables for an example.

As far as I know, there is not currently any way to achieve code execution via environment variables using only the shell. However, there are many programs which allow using environment variables as a substitute for command-line flags or configuration settings in a dotfile. Such programs could be vulnerable to manipulated environment variables, if they have options which cause other programs to be invoked. Similarly, there are some environment variables whose purpose is to identify a common program to execute; perhaps the best known is the EDITOR variable, which is used by many different programs to invoke your preferred editor when e.g. creating a git commit message; that variable (or others like it, such as PAGER) can be set to arbitrary commands and potentially cause those commands to be executed when a different, seemingly innocuous command (such as git commit or man) is executed.

0

Yes, there are a few ways in which environment variables can lead to code exec. You mention LD_PRELOAD and there is of course PATH that could alter which binaries are run.

However, scripting languages aren't affected by noexec. So a user/attacker could write to /writable-directory/code_exec.sh and run /bin/sh /writable-directory/code_exec.sh to execute commands of their choosing.

This can be combined with environment variables such as PERL5OPT, PERL5LIB, RUBYOPT, BASH_FUNC*, etc. to gain code execution on a noexec volume. For examples of how these and other environment variables can lead to code execution, take a look at: https://www.elttam.com/blog/env/#content

2
  • If an attacker can invoke /bin/sh with arbitrary arguments at all, it's already game over; the -c flag exists, after all, plus most machines will have tools that enable setting up a reverse shell for interactive access. This question makes no sense if you assume the attacker can do that. Commented Jul 19, 2023 at 1:58
  • The question lacks enough details not to suggest it can't be done, or that argument injection couldn't occur from a bash script parsing env.txt. I just tried to give a comprehensive answer as the question does specify scripts executing alongside the use of noexec. Commented Jul 19, 2023 at 2:03
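
The variables named in the answers and comments above (LD_PRELOAD, PATH, PERL5LIB, PERL5OPT, PYTHONPATH, RUBYOPT, BASH_FUNC*, EDITOR, PAGER) can be checked for in the EnvironmentFile and cleared at the top of the service script. This is an added example, not code from the question or either answer; the function names `audit_env_file` and `scrub_env`, the pinned PATH value and the sample file contents are assumptions, and the name list is not exhaustive.

```bash
#!/bin/bash
# Added example, not from the original post. The name list covers only the
# variables named on this page and is not exhaustive.
RISKY_NAMES="LD_PRELOAD PATH PERL5LIB PERL5OPT PYTHONPATH RUBYOPT EDITOR PAGER"

# Print "RISKY <name>" for each flagged assignment in an EnvironmentFile.
# Returns 1 if anything was flagged, 0 otherwise.
audit_env_file() {
    local file="$1" line name found=0
    # read -r trims surrounding whitespace; the || keeps an unterminated last line.
    while read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;                     # KEY=VALUE assignment
            *) continue ;;              # no '=', not an assignment
        esac
        name=${line%%=*}
        case " $RISKY_NAMES " in
            *" $name "*) echo "RISKY $name"; found=1; continue ;;
        esac
        case $name in
            BASH_FUNC*) echo "RISKY $name"; found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# For the top of the service script: drop the flagged variables and pin PATH
# so child programs do not inherit them. The PATH value is an assumption.
scrub_env() {
    local v
    for v in $RISKY_NAMES; do
        [ "$v" = PATH ] || unset "$v"
    done
    export PATH=/usr/sbin:/usr/bin:/sbin:/bin
}

# Constructed sample standing in for /writable-directory/env.txt.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CERT_DAYS=365
PATH=/opt/tools/bin:/usr/bin
# constructed comment line
PAGER=less
BASH_FUNC_helper%%=() { :; }
NOT_AN_ASSIGNMENT
EOF
audit_env_file "$SAMPLE" || echo "env file needs review"
```

The audit matches on variable names only, so it flags an assignment regardless of its value; `scrub_env` protects the programs the script launches, not the bash process that is already running.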
