Hi Balint

Ah, it could be the default shell. I'll try that. Thanks for the suggestion.
Merely that the command id is executed is not a reproduction. It has to be executed as another user than the one executing the binary to be a security problem. If not, it could be a bug but not a security bug (privilege escalation).

Best regards,

// Ola

On 7 October 2016 at 00:12, Bálint Réczey <[email protected]> wrote:
> Hi Ola,
>
> 2016-10-06 23:08 GMT+02:00 Ola Lundqvist <[email protected]>:
> > Hi Matthias and Balint
> >
> > I have tried to reproduce the problem described in the openwall email.
> > However I cannot reproduce it. Have you been able to?
> >
> > On wheezy:
> > ------------
> > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> > Thu Oct 6 20:54:07 UTC 2016
> > ola@tigereye:/$ ls -la test
> > -rwsr-xr-x 1 root root 6824 Oct 6 20:52 test
> > ola@tigereye:/$ dpkg -l bash
> > ...CUT...
> > ii bash 4.2+dfsg-0.1 amd64 GNU Bourne Again SHell
> >
> > On jessie:
> > ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> > Thu Oct 6 22:48:35 CEST 2016
>
> When I set the default shell to bash it worked for me.
> Please try with sudo dpkg-reconfigure dash.
>
> > ola@tigereye:~/exploit$ dpkg -l bash
> > ...CUT...
> > ii bash 4.3-11+b1 amd64 GNU Bourne Again SHell
> >
> > I think it may be because SHELLOPTS is a read-only variable.
> >
> > ola@tigereye:~/exploit$ SHELLOPTS=xtrace
> > bash: SHELLOPTS: readonly variable
> >
> > Do you think I have made a mistake in the reproduction or is it so that the
> > patch was actually not on a real problem (at least in Debian).
> >
> > Not even if I change the code like this:
> > ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0);
> > system("/bin/bash -c /bin/date"); }'
> > ola@tigereye:~/exploit$ ./test2
> > Thu Oct 6 23:04:11 CEST 2016
> > ola@tigereye:~/exploit$ set -x
> > ola@tigereye:~/exploit$ ./test2
> > uid=1000(ola) gid=1000(ola)
> > groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
> > Thu Oct 6 23:04:18 CEST 2016
>
> This runs the command passed in PS4, thus I consider this a reproduction.
>
> Cheers,
> Balint
>
> > My conclusion is that there is no security hole. But I may be mistaken.
> >
> > Can anyone else reproduce the issue?
> >
> > Best regards,
> >
> > // Ola
> >
> > On 6 October 2016 at 12:29, Ola Lundqvist <[email protected]> wrote:
> >>
> >> Hi Matthias
> >>
> >> I will look into this.
> >>
> >> // Ola
> >>
> >> On 6 October 2016 at 01:06, Matthias Klose <[email protected]> wrote:
> >>>
> >>> On 05.10.2016 16:02, Balint Reczey wrote:
> >>> > Hello dear maintainer(s),
> >>> >
> >>> > the Debian LTS team would like to fix the security issues which are
> >>> > currently open in the Wheezy version of bash:
> >>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
> >>> >
> >>> > Would you like to take care of this yourself?
> >>>
> >>> please go ahead.
> >>>
> >>> Matthias
> >>
> >> --
> >> --- Inguza Technology AB --- MSc in Information Technology ----
> >> /  [email protected]   Folkebogatan 26                     \
> >> |  [email protected]     654 68 KARLSTAD                     |
> >> |  http://inguza.com/  Mobile: +46 (0)70-332 1551          |
> >> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> >> ---------------------------------------------------------------
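The test binary in the thread calls system("/bin/bash -c /bin/date") from a setuid-root program, which hands the unprivileged caller's whole environment (SHELLOPTS, PS4 and anything else) to a root shell; that is the condition CVE-2016-7543 is about. Two practical caveats follow from the exchange: on Debian /bin/sh is dash, so system() only reaches bash when the default shell has been switched (hence the dpkg-reconfigure dash suggestion), and a run only counts as a reproduction if the uid printed by the PS4 command differs from the caller's uid, as Ola notes (xtrace output also goes to stderr, not stdout). Independently of whatever the shell does with these variables, the program-side mitigation is to never pass the caller's environment to a child shell. The following is an added example and is not code from the thread or from the Debian bash package: it builds an allow-listed environment and execve()s the shell with it instead of calling system(). The allow-list, the fixed PATH value and the helper names clean_environment and env_has are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed allow-list: variables a privileged program may pass to a child
 * shell.  Everything else, including SHELLOPTS, PS4, BASH_ENV, ENV and IFS,
 * is dropped.  Adjust to the program's real needs. */
static const char *const allowed[] = { "TERM", "LANG", "LC_ALL", NULL };

/* Returns 1 if the NAME part of a "NAME=value" entry is allow-listed. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = allowed; *p; p++)
        if (strlen(*p) == n && strncmp(*p, entry, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 if env contains an entry named name, 0 otherwise. */
int env_has(char *const env[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return 1;
    return 0;
}

/* Build a fresh NULL-terminated environment: a fixed PATH first, then only
 * the allow-listed entries of in.  The entries themselves are not copied;
 * the returned array is malloc'd and must be freed by the caller. */
char **clean_environment(char *const in[])
{
    size_t count = 0, n = 0;
    while (in[count])
        count++;
    char **out = calloc(count + 2, sizeof *out);   /* +PATH, +NULL */
    if (!out)
        return NULL;
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
    for (size_t i = 0; i < count; i++)
        if (is_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return out;
}

/* Stand-alone demo of what the thread's test binary could do instead of
 * system("/bin/bash -c /bin/date"): run as an ordinary user it just prints
 * the date, and a setuid copy would never evaluate the caller's PS4. */
int main(void)
{
    char **env = clean_environment(environ);
    if (!env) {
        perror("calloc");
        return 1;
    }
    char *const argv[] = { "/bin/sh", "-c", "/bin/date", NULL };
    execve(argv[0], argv, env);   /* no system(): no inherited environment */
    perror("execve");             /* only reached on failure */
    return 1;
}
```

To confirm the behaviour in the style of Ola's test, run the compiled program as env -i SHELLOPTS=xtrace PS4='$(id)' ./clean 2>&1 and compare with the system()-based version: the cleaned one prints only the date, whatever the default shell is.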
