FSP data

How to get stuff from the FSP via the HMC

We have:

- an IBM HMC v7 (Linux x86 based management box) with a restricted Bash shell

- hscroot, a user in this shell with no root privileges

- a set of custom programs and a few common GNU tools, and the usual bash builtins

- a few restrictions in order to harden the shell (restricted/secure variables, wrapper scripts, etc.)

- ssh/scp (locally available)

- connected to a public and an isolated network, usually no physical access

- writable filesystems, notably $HOME and /tmp

On the other end, we have:

- an IBM POWER FSP (a Linux ppc based hardware supervisor device)

- the only access is a browser-based (SSL) command line interface on the aforementioned isolated network (HMC - ASM)

- you can run any command with root privileges via CGI on the browser command line, except interactive ones

- the shell is busybox

- iptables is set up

- lighttpd is serving the web interface contents

- there are no server daemons or client programs offering file transfer, except the Web server

The goal:

- get a copy of the running hardware supervisor's filesystem contents, so it can be examined safely, without any risk on the actual hardware it manages, and with the least possible changes to the current configuration

The process:

- find a way of breaking out of the restricted shell on the HMC, leaving no trace if possible (export HISTFILE=/dev/null is more than enough)

- get/set the necessary privileges for the browser-based command line (get root) - there is an official way, so no need for force

- find a way of getting the data off the FSP - the trivial way is the web server

- index the target filesystem and create an html file out of it

- put the html file in the web server's content directory, along with a cross-FS symlink (the embedded web server is not very sophisticated)

- after putting a suitable binary (wget, for example) on the HMC, simply download the whole FS content over https with HTTP GET

- finally, move the downloaded content off the HMC (making sure you delete it afterwards)
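The whole route above hinges on one artefact: a symlink inside the web server's content directory that resolves to a path outside it. That is also the thing an administrator auditing such a device can look for. The script below is an added example for that check; it is not part of the original post and not an IBM tool. It assumes a POSIX sh with find, readlink -f and wc (all present in busybox and GNU coreutils); the document root path passed to it is whatever lighttpd's server.document-root is set to on the box being audited.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web server's document
# root for symlinks whose target resolves outside that root. A cross-FS link
# dropped into the content directory is exactly what the download route
# described above relies on, so finding one is a strong indicator.
# Assumes: POSIX sh, find, readlink -f, wc (busybox or coreutils).

# Print "link -> target" for every symlink under $1 that escapes $1.
# Dangling links are reported too, since they also point nowhere inside.
find_escaping_symlinks() {
    docroot=$(readlink -f "$1") || return 2
    find "$docroot" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
        case "$target" in
            "$docroot"/*) ;;                              # stays inside the root
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes: report it
        esac
    done
}

# Number of escaping symlinks under $1 (0 means the root is clean).
count_escaping_symlinks() {
    find_escaping_symlinks "$1" | wc -l | tr -d ' '
}

# Usage: sh audit-docroot.sh /path/to/document-root
if [ -n "${1:-}" ]; then
    find_escaping_symlinks "$1"
    [ "$(count_escaping_symlinks "$1")" -eq 0 ]
fi
```

Running it against the document root after the device has been in service for a while, and diffing the output against a known-good baseline, catches both the link and any later edits to the content directory. On lighttpd the same class of problem can be closed at the server level with server.follow-symlink = "disable" in the configuration, so that even a planted link is not served.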

Notes:

The SSH access is optional and is not always active, but you can open a Java based terminal if you are accessing the HMC remote web interface.

I'm sure the publicly downloadable FSP "firmware" images may also be extracted somehow.

This way, 'only' creating/editing a file and creating a link is enough for the goal. These can be removed later.

Update 2011-05-11

I actually named what components I was writing about, after receiving the confirmation that the rbash/somecommand 'backdoor' will not be fixed.

Of course you don't need the HMC just for getting data off the FSP if you can put another machine on the HMC private network.