On 12/10/15 2:16 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> Hello,
>
> This is a suggestion for a bash security hardening patch which prevents
> xtrace from being initialized to the SHELLOPTS environment variable when a
> new shell starts.
This is far too drastic a solution to the problem you have posed.
> xtrace can be used to exploit bogus system()/popen() calls on setuid
> binaries via a specially crafted PS4 environment variable leading to
> privilege escalation, like so:
I don't really see privilege escalation here. Your setuid root program
sets the real and effective UIDs to 0 and calls system(). There is no
way to distinguish this as the result of running a setuid program, and
any privilege escalation takes place before system() runs.
I have to tell you, if I wanted to exploit a program written this poorly,
I wouldn't mess around with SHELLOPTS. I'd go straight to PATH.
This isn't a good reason to take xtrace out of $SHELLOPTS unconditionally.
It's not even a good enough reason to ignore SHELLOPTS if the shell is
running as uid 0.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
