Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 4 Jun 2014 11:13:51 +0200
From: Jose Carlos Luna Duran <jose.carlos.luna@...il.com>
To: oss-security@...ts.openwall.com
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, 
	advisories <advisories@...xperts.de>, bugs@...uritytracker.com
Subject: Re: Bug in bash <= 4.3 [security feature bypassed]

In my opinion the drop of privs in bash was mostly a "help" measure
for poorly written setuid programs executing system() calls. I don't
think is the role of bash to do this as the problem that could be
exploited by that would really be in the original program that does
not drop privs before invoking the shell. This has been known for some
time in some circles at least, but as I said the problem would really
be in the non-priv-dropping privileged program, that's why most people
did not really care that much. Last year there was a vuln that is very
much related to this subject:
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

Correct me if I'm wrong, but even in that case there is another "help"
measure that has been implemented at least in linux kernels > 3.1:
http://lxr.free-electrons.com/source/kernel/sys.c?v=3.1#L628

Therefore setuid calls do not fail anymore even in the case of
existing resource limits for processes (in linux).

But in any case, for the sake of correctness I agree that the
drop_priv code should be fixed (or just completely removed...).

2014-06-03 16:16 GMT+02:00 Hector Marco <hecmargi@....es>:
> Hi everyone,
>
> Recently we discovered a bug in bash. After some time after reporting
> it to bash developers, it has not been fixed.
>
> We think that this is a security issue because in some circumstances
> the bash security feature could be bypassed allowing the bash to be a
> valid target shell in an attack.
>
> We strongly recommend to patch your bash code.
>
> Why don't fix this bug by simple adding mandatory "if" clause ?
> Any comments about this issue are welcomed.
>
>
> Details at:
> http://hmarco.org/bugs/bash_4.3-setuid-bug.html
>
>
>
> Thanks you,
>
> Hector Marco
> http://hmarco.org



-- 
Jose Carlos Luna Duran
Network Software Engineering.
Jose.Carlos.Luna@...il.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.