[LOTP] Bash (wut ?!)
Bash, but with a twist
Bash itself exists to execute commands, so this is in some sense "normal" usage, but with a twist.
Configuration files
.bashrc
.initrc
Env variable
BASH_ENV
PROMPT_COMMAND (only interactive, doesn't work)
Documentation
https://www.gnu.org/software/bash/manual/bash.html#Bash-Variables
GitHub example
name: On issue with debug
on:
  issue_comment:
    types: [created, edited]
jobs:
  command_dispatch:
    name: Debug
    runs-on: ubuntu-latest
    permissions:
      # keep this limited to read permissions for the content only!
      contents: write
    steps:
      - name: Debug
        run: |
          echo "Injectable workflow"
      - name: Debug 2
        run: |
          echo "----------------"
          echo "Nothing: safe workflow"
          echo "----------------"
In this example we can inject a bashrc, as bash is the default shell on the runner. Some runners use the following default command for the shell:
/usr/bin/bash --noprofile --norc -e -o pipefail "/tmp/computed/step.sh"
This example will not run any bashrc or initrc because of the --noprofile and --norc options.
However, bash will still execute the file defined in BASH_ENV, so with a file write plus an env variable injection, the second step can be injected without anything visible in that step indicating an injection.
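The behaviour described above, reproduced locally with a harmless marker, next to the same invocation with BASH_ENV removed. This is an added example, not part of the original page; the function names, temporary paths and marker strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and marker strings are constructed for illustration.

# Run a step script with the runner command line quoted on the page.
run_step() {
  bash --noprofile --norc -e -o pipefail "$1"
}

# Same invocation, but BASH_ENV is removed for the child shell only.
run_step_clean() {
  ( unset BASH_ENV; bash --noprofile --norc -e -o pipefail "$1" )
}

# Tripwire for the start of a step: fail if BASH_ENV is set in the environment.
bash_env_guard() {
  if [ -n "${BASH_ENV:-}" ]; then
    echo "BASH_ENV is set: $BASH_ENV" >&2
    return 1
  fi
}

demo() {
  dir=$(mktemp -d) || return 1
  printf 'echo "step output"\n' > "$dir/step.sh"
  printf 'echo "sourced from BASH_ENV"\n' > "$dir/env.sh"   # benign marker

  echo "== as the runner invokes it =="
  ( export BASH_ENV="$dir/env.sh"; run_step "$dir/step.sh" )

  echo "== with BASH_ENV unset =="
  ( export BASH_ENV="$dir/env.sh"; run_step_clean "$dir/step.sh" )

  echo "== guard =="
  ( export BASH_ENV="$dir/env.sh"; bash_env_guard ) || echo "guard tripped"

  rm -rf "$dir"
}

demo
```

A guard placed inside a step script only runs after bash has already sourced the BASH_ENV file, so it detects rather than prevents; clearing the variable before the shell starts, as run_step_clean does, is what stops the file from being read.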
Additional notes
This is the default on GitHub Actions, so yeah, a lot of potential targets.