oss-sec mailing list archives
Re: Healing the bash fork
From: Simon McVittie <smcv () debian org>
Date: Tue, 30 Sep 2014 16:15:44 +0100
On 30/09/14 15:27, Michal Zalewski wrote:
Florian's prefix/suffix patch is not going to protect against the setuid/setgid exploit that I reported to this list last week.
...
http://technicalprose.blogspot.co.uk/2014/09/shellshock-bug-third-vulnerability.htmlYou do realize that your setuid program is patently unsafe, right? Say: $ echo -e '#!/bin/sh\necho pwn3d' >date;chmod 755 date;PATH=.:$PWD ./setuid_program pwn3d
Other ways to attack this "simple, easy and wrong" setuid program include LD_PRELOAD and, depending on implementation details, any of: LD_LIBRARY_PATH (if sh(1) and/or date(1) is dynamically-linked) ENV (if sh(1) is ksh, at least according to sudo source code) BASH_ENV (if sh(1) is bash) PYTHONPATH (if you replace date(1) with any Python script) PERL5LIB (if you replace date(1) with any Perl script) DBUS_SESSION_BUS_ADDRESS (if you replace date(1) with something that uses D-Bus) ... and that's without getting into odd corners of Unix which are not directly executed, but can be used to construct a more subtle vulnerability (e.g. IFS). Several of these are "disarmed" if ruid != euid (e.g. D-Bus, to address CVE-2012-3524), but by calling setresuid() you lost that protection. If you're going to do that, there is little that libraries or executables can do to save you. sudo attempts to have a comprehensive blacklist (plugins/sudoers/env.c in my copy) but IMO, its length demonstrates that any blacklist-based approach is unsustainable. I continue to believe that any setuid program that executes non-trivial code without whitelist-filtering its environment is seriously flawed; and sh(1), as invoked by system(), is certainly non-trivial. Or to put it another way, executables that make themselves a privilege boundary can't trust what they receive from outside the boundary, and need to take responsibility for passing a sanitized version to things inside the boundary - doubly so if the things inside the boundary have no way to detect that a privilege boundary was ever crossed. S
Current thread:
- Re: Healing the bash fork Mark R Bannister (Sep 30)
- <Possible follow-ups>
- Re: Healing the bash fork Sven Kieske (Sep 30)
- Re: Healing the bash fork Mark R Bannister (Sep 30)
- Re: Healing the bash fork Sebastian Krahmer (Sep 30)
- Re: Healing the bash fork Kobrin, Eric (Sep 30)
- Re: Healing the bash fork Sebastian Krahmer (Sep 30)
- Re: Healing the bash fork John Haxby (Sep 30)
- Re: Healing the bash fork Ed Prevost (Sep 30)
- Re: Healing the bash fork Rich Felker (Sep 30)
- Re: Healing the bash fork Kobrin, Eric (Sep 30)
- Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Simon McVittie (Sep 30)
- Re: Healing the bash fork Mark R Bannister (Sep 30)
- Re: Healing the bash fork Tavis Ormandy (Sep 30)
- Re: Healing the bash fork Ed Prevost (Sep 30)
- Re: Healing the bash fork Zach Wikholm (Sep 30)
- Re: Healing the bash fork David A. Wheeler (Sep 30)
- Re: Healing the bash fork Michal Zalewski (Sep 30)
- Re: Healing the bash fork Stuart D. Gathman (Sep 30)
- Re: Healing the bash fork Ed Prevost (Sep 30)