Hi

Thank you for the information. Good to know that I'm not the only one who
has seen this problem.

One can of course argue that the attack vector is a little odd. That is, a
setuid binary making system. I thought system was safe enough, but now I
have learnt otherwise.

Anyway, I do not think disabling the PS4 variable would hurt much. Or does anyone
see that it is useful to set it to something other than +?
Maybe we can allow PS4 to be expanded to some extent, but not allow it to
be expanded to execute commands?

// Ola

On 24 October 2016 at 18:37, <up201407...@alunos.dcc.fc.up.pt> wrote:

> Quoting "Ola Lundqvist" <o...@inguza.com>:
>
> This is known.
>
> I "complained" at the time, as it can be seen here:
> https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html
>
>> Version: all (see note below)
>> Hardware: all
>> Operating system: Debian GNU Linux (but all should be affected)
>> Compiler: gcc
>>
>> Hi
>>
>> In CVE-2016-7543 a problem was reported that it is possible to privilege
>> escalate to root.
>> The correction as seen here
>> http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
>> is not complete. Well, it does prevent privilege escalation to root, but it is
>> possible to escalate to any other user and that may be bad too.
>>
>> The problem has also been reported (by me) in Debian as you can see here:
>> http://bugs.debian.org/841856
>>
>> I have attached a tar file with exploit code. The exploit code is used like
>> this:
>> make
>> sudo make root
>> make test
>>
>> Test 1 is the exploit for CVE-2016-7543
>> Test 2 is the exploit for this problem
>> Test 3 is just a reference test.
>>
>> The proposed patch essentially disables the whole PS4 variable support for
>> all users (not only root, as the patch was for CVE-2016-7543). Please let me
>> know if you have a better idea on how to handle this.
>>
>> Version note: The attached correction is made on a 4.2 system with a patch
>> for CVE-2016-7543.
>> However it should apply on 4.4 as well.
>>
>> Let me know if you need any further details.
>>
>> Best regards
>>
>> // Ola
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  o...@inguza.com                    Folkebogatan 26            \
>> |  o...@debian.org                   654 68 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>>
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
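
An added example, not part of the original message or of the attached patch: one way a set-id program can avoid handing the caller's PS4 (or any other inherited variable) to a shell is to replace system() with fork/execve and a fixed environment. The name `run_clean` and the contents of `clean_env` are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: the child gets only this fixed environment. Nothing the
 * invoking user exported (PS4 included) reaches the program being run. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Hypothetical replacement for system() in a set-id program.
 * argv[0] must be an absolute path, so there is no PATH search and no
 * implicit "sh -c" parse of a command string. Returns the child's exit
 * status (127 if exec failed), or -1 on fork/wait failure or signal death. */
int run_clean(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127);              /* exec failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample call: even when a shell is what gets executed,
     * it starts from clean_env rather than from the caller's environment. */
    char *const cmd[] = { "/bin/sh", "-c", "echo \"PS4 seen by child: $PS4\"", NULL };
    int rc = run_clean(cmd);
    printf("exit status: %d\n", rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```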