oss-sec mailing list archives

Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 26 Sep 2014 12:41:51 +0200

On Fri, 26 Sep 2014 09:54:40 +0100
"Mark R Bannister" <mark () proseconsulting co uk> wrote:

> I can't see this being a problem for Apache custom headers (the
> variable name is turned to uppercase and prefixed by HTTP_), nor sudo
> commands if env_reset is on (the default), but this continues to be a
> major vulnerability for setuid/setgid scripts (S_ISUID or S_ISGID)
> where the environment is preserved.

Scripts don't allow setuid, for a reason. It'd open a whole bunch of
security issues.

This could be an issue if you have a suid binary calling a script.
There are even people writing howtos to do that to circumvent unix
security measures. [1]

I don't know (and haven't tested) if this preserves env, but the point
is: suid binaries shouldn't do stupid things. If they do, that's their
fault. There should be many extra security-conscious eyes on setuid
bins (we recently saw a memleak in a setuid bin causing trouble
elsewhere [2]).

If you can pass any env var to a suid script and it executes
something else you have a problem no matter what. LD_PRELOAD etc.

[1] http://www.tuxation.com/setuid-on-shell-scripts.html
[2] http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
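One way to honour the rule that a setuid binary must not hand a preserved environment to a script, as an added example that is not part of this thread or of bash: a C wrapper that rebuilds the environment from an allow-list (the allowed names and the fixed PATH are assumptions) and drops any value in bash's exported-function format before exec'ing the script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed allow-list of variable names a wrapper may forward to the script. */
static const char *allowed[] = { "TERM", "LANG", NULL };
/* PATH is never taken from the caller; it is pinned to an assumed safe value. */
static const char *fixed_path = "PATH=/usr/bin:/bin";

/* Return 1 if the "NAME=value" entry may be forwarded, 0 otherwise. */
int env_entry_ok(const char *kv) {
    const char *eq = strchr(kv, '=');
    if (!eq) return 0;                       /* malformed entry: drop it */
    size_t nlen = (size_t)(eq - kv);
    /* Drop any value that looks like an exported bash function, whatever its name. */
    if (strncmp(eq + 1, "() {", 4) == 0) return 0;
    for (const char **a = allowed; *a; a++)
        if (strlen(*a) == nlen && strncmp(*a, kv, nlen) == 0) return 1;
    return 0;                                /* LD_PRELOAD, IFS, ... never pass */
}

/* Build a NULL-terminated environment from `in`: fixed PATH plus allowed entries.
   Caller frees the array; *count receives the number of entries kept. */
char **sanitize_env(char *const in[], size_t *count) {
    size_t n = 0;
    while (in[n]) n++;
    char **out = calloc(n + 2, sizeof *out);  /* room for PATH and terminator */
    if (!out) return NULL;
    size_t k = 0;
    out[k++] = (char *)fixed_path;
    for (size_t i = 0; i < n; i++)
        if (env_entry_ok(in[i])) out[k++] = in[i];
    out[k] = NULL;
    if (count) *count = k;
    return out;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s script [args]\n", argv[0]); return 2; }
    size_t n;
    char **clean = sanitize_env(environ, &n);
    if (!clean) return 1;
    execve(argv[1], argv + 1, clean);        /* script only ever sees `clean` */
    perror("execve");
    return 1;
}
```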
