Hi all,

I have now prepared a correction of this problem for wheezy. One of the
reasons why it took me a little more time than usual was the fact that the
upstream correction turned out to be incomplete. I have reported about that
problem in bug #841856 today. I have added that to the security tracker too.
The correction for 841856 may be a little too simple for upstream but for
wheezy it should be good enough.

Anyway I have been able to correct that and intend to upload that correction
in four days if no-one complains.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/bash/bash.debdiff

And the packages that I intend to upload here:
http://apt.inguza.net/wheezy-security/bash/

The source code I used to test the exploit is available here:
http://apt.inguza.net/wheezy-security/bash/exploit.tar.gz

The exploit usage is:
make
sudo make root
make test

If you see a user identity other than your own in the output you have
successfully gained more permission than you should.

Best regards

// Ola

On 7 October 2016 at 23:18, Ola Lundqvist <o...@inguza.com> wrote:
> Hi Balint
>
> It was the default shell that made the difference. Thanks again for this
> suggestion. I can reproduce the problem now. Very good.
>
> An interesting note is that it is only possible to escalate the privilege
> to root. If I change the owner of the file to www-data (and the setuid to
> 33) the id command is not executed as www-data.
>
> This means that the bash fix to only make a special case for root is good.
> I thought maybe the fix was incomplete.
>
> I'll look into the fixing part now. I have found the patch and it looks
> trivial. As I can reproduce it easily now (with changed default shell to
> bash) it should be trivial to verify whether the correction was good or not.
>
> Best regards
>
> // Ola
>
> On 7 October 2016 at 09:26, Bálint Réczey <bal...@balintreczey.hu> wrote:
>> Hi,
>>
>> 2016-10-07 8:10 GMT+02:00 Ola Lundqvist <o...@inguza.com>:
>> > Hi Balint
>> >
>> > Ah, it could be the default shell. I'll try that. Thanks for the
>> > suggestion.
>> >
>> > Merely that the command id is executed is not a reproduction. It has to
>> > be executed as another user than the one executing the binary to be a
>> > security problem. If not it could be a bug but not a security bug
>> > (privilege escalation).
>>
>> True, but it works on setuid binaries, too:
>>
>> root@debian-wheezy:/home/vagrant# ls -alh /bin/sh
>> lrwxrwxrwx 1 root root 4 Oct 7 07:16 /bin/sh -> bash
>> root@debian-wheezy:/home/vagrant# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
>> root@debian-wheezy:/home/vagrant# chmod 4755 ./test
>> root@debian-wheezy:/home/vagrant# ls -l ./test
>> -rwsr-xr-x 1 root root 6877 Oct 7 07:19 ./test
>> root@debian-wheezy:/home/vagrant# exit
>> exit
>> vagrant@debian-wheezy:~$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> uid=0(root) gid=1000(vagrant) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(vid/bin/date
>> Fri Oct 7 07:19:34 GMT 2016
>> vagrant@debian-wheezy:~$
>>
>> Cheers,
>> Balint
>>
>> > Best regards,
>> >
>> > // Ola
>> >
>> > On 7 October 2016 at 00:12, Bálint Réczey <bal...@balintreczey.hu> wrote:
>> >>
>> >> Hi Ola,
>> >>
>> >> 2016-10-06 23:08 GMT+02:00 Ola Lundqvist <o...@inguza.com>:
>> >> > Hi Matthias and Balint
>> >> >
>> >> > I have tried to reproduce the problem described in the openwall email.
>> >> > However I can not reproduce it. Have you been able to?
>> >> >
>> >> > On wheezy:
>> >> > ------------
>> >> > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> >> > Thu Oct 6 20:54:07 UTC 2016
>> >> > ola@tigereye:/$ ls -la test
>> >> > -rwsr-xr-x 1 root root 6824 Oct 6 20:52 test
>> >> > ola@tigereye:/$ dpkg -l bash
>> >> > ...CUT...
>> >> > ii bash 4.2+dfsg-0.1 amd64 GNU Bourne Again SHell
>> >> >
>> >> > On jessie:
>> >> > ola@tigereye:~/exploit$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
>> >> > Thu Oct 6 22:48:35 CEST 2016
>> >>
>> >> When I set the default shell to bash it worked for me.
>> >> Please try with sudo dpkg-reconfigure dash.
>> >>
>> >> > ola@tigereye:~/exploit$ dpkg -l bash
>> >> > ...CUT...
>> >> > ii bash 4.3-11+b1 amd64 GNU Bourne Again SHell
>> >> >
>> >> > I think it may be because SHELLOPTS is a read-only variable.
>> >> >
>> >> > ola@tigereye:~/exploit$ SHELLOPTS=xtrace
>> >> > bash: SHELLOPTS: readonly variable
>> >> >
>> >> > Do you think I have made a mistake in the reproduction or is it so that
>> >> > the patch was actually not on a real problem (at least in Debian).
>> >> >
>> >> > Not even if I change the code like this:
>> >> > ola@tigereye:~/exploit$ gcc -xc - -otest2 <<< 'int main() { setuid(0); system("/bin/bash -c /bin/date"); }'
>> >> > ola@tigereye:~/exploit$ ./test2
>> >> > Thu Oct 6 23:04:11 CEST 2016
>> >> > ola@tigereye:~/exploit$ set -x
>> >> > ola@tigereye:~/exploit$ ./test2
>> >> > uid=1000(ola) gid=1000(ola) groups=1000(ola),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)./test2
>> >> > Thu Oct 6 23:04:18 CEST 2016
>> >>
>> >> This runs the command passed in PS4 thus I consider this a reproduction.
>> >>
>> >> Cheers,
>> >> Balint
>> >>
>> >> > My conclusion is that there is no security hole. But I may be mistaken.
>> >> >
>> >> > Can anyone else reproduce the issue?
>> >> >
>> >> > Best regards,
>> >> >
>> >> > // Ola
>> >> >
>> >> > On 6 October 2016 at 12:29, Ola Lundqvist <o...@inguza.com> wrote:
>> >> >>
>> >> >> Hi Matthias
>> >> >>
>> >> >> I will look into this.
>> >> >>
>> >> >> // Ola
>> >> >>
>> >> >> On 6 October 2016 at 01:06, Matthias Klose <d...@debian.org> wrote:
>> >> >>>
>> >> >>> On 05.10.2016 16:02, Balint Reczey wrote:
>> >> >>> > Hello dear maintainer(s),
>> >> >>> >
>> >> >>> > the Debian LTS team would like to fix the security issues which are
>> >> >>> > currently open in the Wheezy version of bash:
>> >> >>> > https://security-tracker.debian.org/tracker/CVE-2016-7543
>> >> >>> >
>> >> >>> > Would you like to take care of this yourself?
>> >> >>>
>> >> >>> please go ahead.
>> >> >>>
>> >> >>> Matthias
>> >> >>
>> >> >> --
>> >> >> --- Inguza Technology AB --- MSc in Information Technology ----
>> >> >> /  o...@inguza.com                   Folkebogatan 26           \
>> >> >> |  o...@debian.org                   654 68 KARLSTAD           |
>> >> >> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> >> >> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
>> >> >> ---------------------------------------------------------------
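Bálint's reproduction works because system() hands the caller's environment, SHELLOPTS and PS4 included, to /bin/sh, which on that box is bash. On the application side the mitigation is not to use system() from a setuid program at all. As an added example (not code from the thread or from bash), here is a hardened replacement for the thread's setuid(0); system("/bin/date") helper: it execs the target directly with an allowlisted environment; the allowlist and the fixed PATH are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Names a privileged helper may forward; SHELLOPTS and PS4 are deliberately absent (assumed list). */
static const char *const allowed[] = { "LANG", "TERM", NULL };

/* Copy only allowlisted entries of envp into out (capacity max), prepending a fixed PATH.
 * Returns the number of entries written, or -1 if out is too small. */
int build_clean_env(char *const *envp, const char **out, int max)
{
    int n = 0;
    if (max < 2) return -1;
    out[n++] = "PATH=/usr/bin:/bin";
    for (; envp && *envp; envp++) {
        const char *eq = strchr(*envp, '=');
        if (!eq) continue;                     /* malformed entry: drop it */
        size_t klen = (size_t)(eq - *envp);
        for (const char *const *a = allowed; *a; a++) {
            if (strlen(*a) == klen && strncmp(*a, *envp, klen) == 0) {
                if (n >= max - 1) return -1;   /* keep room for the NULL terminator */
                out[n++] = *envp;
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Hardened replacement for system(path): no shell, allowlisted environment. */
int run_clean(const char *path, char *const *envp)
{
    const char *env[32];
    if (build_clean_env(envp, env, 32) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* child: exec directly, never "/bin/sh -c" */
        execve(path, (char *const[]){ (char *)path, NULL }, (char *const *)env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    extern char **environ;
    return run_clean("/bin/date", environ);    /* the thread's test program, done safely */
}
```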