Bug#841856: Correction of CVE-2016-7543 is incomplete

2016-10-24 Thread Ola Lundqvist
Hi

Thank you for the information. Good to know that I'm not the only one who
has seen this problem.

One can of course argue that the attack vector is a little odd. That is a
setuid binary making system. I thought system was safe enough, but now I
have learnt otherwise.

Anyway I do not think disabling the PS4 variable would hurt much. Or does anyone
see that it is useful to set to something else than +?
Maybe we can allow PS4 to be expanded to some extent, but not allow it to
be expanded to execute commands?

// Ola

On 24 October 2016 at 18:37,  wrote:

> Quoting "Ola Lundqvist" :
>
> This is known.
>
> I "complained" at the time, as it can be seen here:
> https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html
>
>
>
> Version: all (see note below)
>> Hardware: all
>> Operating system: Debian GNU Linux (but all should be affected)
>> Compiler: gcc
>>
>> Hi
>>
>> In CVE-2016-7543 a problem was reported that it is possible to privilege
>> escalate to root.
>> The correction as seen here
>> http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html
>> is not complete. Well, it does prevent privilege escalation to root, but it
>> is
>> possible to escalate to any other user and that may be bad too.
>>
>> The problem has also been reported (by me) in Debian as you can see here:
>> http://bugs.debian.org/841856
>>
>> I have attached a tar file with exploit code. The exploit code is used
>> like
>> this:
>> make
>> sudo make root
>> make test
>>
>> Test 1 is the exploit for CVE-2016-7543
>> Test 2 is the exploit for this problem
>> Test 3 is just a reference test.
>>
>> The proposed patch essentially disables the whole PS4 variable support for
>> all users (not only root as the patch was for CVE-2016-7543). Please let me
>> know if you have a better idea on how to handle this.
>>
>> Version note: The attached correction is made on a 4.2 system with a patch
>> for CVE-2016-7543.
>> However it should apply on 4.4 as well.
>>
>> Let me know if you need any further details.
>>
>> Best regards
>>
>> // Ola
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology 
>> /  o...@inguza.comFolkebogatan 26\
>> |  o...@debian.org   654 68 KARLSTAD|
>> |  http://inguza.com/Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---
>>
>>
>
>
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---
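
For a setuid program that has to run a shell command, one way to keep caller-controlled variables such as PS4 away from the shell is to skip system() and exec the shell with a fixed environment. This is an added example, not part of the thread or of the attached patch; the helper name `run_with_clean_env` and the PATH value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child shell. Nothing from the caller's
 * environment (PS4 included) is inherited. The PATH value is an assumption
 * for this example; set it to what the command really needs. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical replacement for system(cmd) in a privileged program.
 * Returns the command's exit status, or -1 on failure or abnormal exit. */
int run_with_clean_env(const char *cmd)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the shell sees clean_env only, never the caller's environ. */
        execve("/bin/sh", argv, clean_env);
        _exit(127);                      /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)              /* retry only when interrupted */
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed value standing in for a caller-supplied PS4. */
    setenv("PS4", "constructed-marker", 1);
    /* Exit status 0 means the child shell did not receive that value. */
    return run_with_clean_env("[ \"$PS4\" != constructed-marker ]");
}
```
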


Bug#841856: Correction of CVE-2016-7543 is incomplete

2016-10-24 Thread up201407890

Quoting "Ola Lundqvist" :

This is known.

I "complained" at the time, as it can be seen here:
https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html



Version: all (see note below)
Hardware: all
Operating system: Debian GNU Linux (but all should be affected)
Compiler: gcc

Hi

In CVE-2016-7543 a problem was reported that it is possible to privilege
escalate to root.
The correction as seen here
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html
is not complete. Well, it does prevent privilege escalation to root, but it is
possible to escalate to any other user and that may be bad too.

The problem has also been reported (by me) in Debian as you can see here:
http://bugs.debian.org/841856

I have attached a tar file with exploit code. The exploit code is used like
this:
make
sudo make root
make test

Test 1 is the exploit for CVE-2016-7543
Test 2 is the exploit for this problem
Test 3 is just a reference test.

The proposed patch essentially disables the whole PS4 variable support for
all users (not only root as the patch was for CVE-2016-7543). Please let me
know if you have a better idea on how to handle this.

Version note: The attached correction is made on a 4.2 system with a patch
for CVE-2016-7543.
However it should apply on 4.4 as well.

Let me know if you need any further details.

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---









Bug#841856: Correction of CVE-2016-7543 is incomplete

2016-10-24 Thread Ola Lundqvist
Version: all (see note below)
Hardware: all
Operating system: Debian GNU Linux (but all should be affected)
Compiler: gcc

Hi

In CVE-2016-7543 a problem was reported that it is possible to privilege
escalate to root.
The correction as seen here
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg9.html
is not complete. Well, it does prevent privilege escalation to root, but it is
possible to escalate to any other user and that may be bad too.

The problem has also been reported (by me) in Debian as you can see here:
http://bugs.debian.org/841856

I have attached a tar file with exploit code. The exploit code is used like
this:
make
sudo make root
make test

Test 1 is the exploit for CVE-2016-7543
Test 2 is the exploit for this problem
Test 3 is just a reference test.

The proposed patch essentially disables the whole PS4 variable support for
all users (not only root as the patch was for CVE-2016-7543). Please let me
know if you have a better idea on how to handle this.

Version note: The attached correction is made on a 4.2 system with a patch
for CVE-2016-7543.
However it should apply on 4.4 as well.

Let me know if you need any further details.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


exploit.tar.gz
Description: GNU Zip compressed data


CVE-2016-7543-bug-841856-20161023.patch
Description: Binary data