bash: Related to CVE-2016-7543: Privilege escalation possible to other user than root

Related Vulnerabilities: CVE-2016-7543  

Debian Bug report logs - #841856


Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash (PTS, buildd, popcon).

Reported by: Ola Lundqvist <ola@inguza.com>

Date: Sun, 23 Oct 2016 21:12:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions bash/4.2+dfsg-0.1, bash/4.2+dfsg-0.1+deb7u3



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Sun, 23 Oct 2016 21:12:04 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Sun, 23 Oct 2016 21:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Upstream correction of CVE-2016-7543 is incomplete
Date: Sun, 23 Oct 2016 23:10:51 +0200
Package: bash
Version: 4.2+dfsg-0.1+deb7u3
Tags: security, patch
Severity: important

Hi

While fixing CVE-2016-7543 for wheezy I found that the upstream correction
was incomplete. It does in fact solve the problem described in the CVE, but a
very closely related problem is not solved.

The problem described in the CVE is that it is possible to privilege
escalate to root.
However, the patch only fixes that specific problem, not escalation to
any other user.

The attached patch solves that problem too.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
[bash43-048-backported-CVE-2016-7543-20161023.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 05:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 05:03:05 GMT)


Message #10 received at 841856@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ola Lundqvist <ola@inguza.com>, 841856@bugs.debian.org
Subject: Re: Bug#841856: Upstream correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 07:00:15 +0200
Control: found -1 4.2+dfsg-0.1
Control: tags -1 + upstream

Hi

Adding the testcases from Ola, which were referenced at

https://lists.debian.org/debian-lts/2016/10/msg00141.html

Ola, have you reported this to upstream?

Regards,
Salvatore
[exploit.tar.gz (application/gzip, attachment)]

Marked as found in versions bash/4.2+dfsg-0.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 841856-submit@bugs.debian.org. (Mon, 24 Oct 2016 05:03:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 841856-submit@bugs.debian.org. (Mon, 24 Oct 2016 05:03:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 06:51:07 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 06:51:07 GMT)


Message #19 received at 841856@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 841856@bugs.debian.org
Subject: Re: Bug#841856: Upstream correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 08:50:46 +0200
Hi

No. If you want I can do that.

Please note that the patch I attached essentially disables the whole PS4
variable support, so upstream can probably do something more intelligent.

/ Ola

Sent from a phone

Den 24 okt 2016 07:00 skrev "Salvatore Bonaccorso" <carnil@debian.org>:

Control: found -1 4.2+dfsg-0.1
Control: tags -1 + upstream

Hi

Adding the testcases from Ola, which were referenced at

https://lists.debian.org/debian-lts/2016/10/msg00141.html

Ola, have you reported this to upstream?

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 07:12:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 07:12:03 GMT)


Message #24 received at 841856@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ola Lundqvist <ola@inguza.com>
Cc: 841856@bugs.debian.org
Subject: Re: Bug#841856: Upstream correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 09:08:28 +0200
Hi Ola,

Thanks for the quick follow-up!

On Mon, Oct 24, 2016 at 08:50:46AM +0200, Ola Lundqvist wrote:
> Hi
> 
> No. If you want I can do that.

I think that would be good, to get Chet's attention on the issue. Once
it's clear, we might also need to request a CVE for it on
oss-security.


> Please note that the patch I attached essentially disables the whole PS4
> variable support, so upstream can probably do something more intelligent.

Yep, and thus I really think we should have Chet Ramey with his
upstream hat look into it.

Thanks for your work and regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 08:12:10 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 08:12:10 GMT)


Message #29 received at 841856@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: bug-bash@gnu.org
Cc: 841856@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 10:09:10 +0200
Version: all (see note below)
Hardware: all
Operating system: Debian GNU Linux (but all should be affected)
Compiler: gcc

Hi

In CVE-2016-7543 a problem was reported that it is possible to privilege
escalate to root.
The correction as seen here
http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
is not complete. Well, it does prevent privilege escalation to root, but it is
possible to escalate to any other user, and that may be bad too.

The problem has also been reported (by me) in Debian as you can see here:
http://bugs.debian.org/841856

I have attached a tar file with exploit code. The exploit code is used like
this:
make
sudo make root
make test

Test 1 is the exploit for CVE-2016-7543
Test 2 is the exploit for this problem
Test 3 is just a reference test.

The proposed patch essentially disables the whole PS4 variable support for
all users (not only root, as the patch for CVE-2016-7543 did). Please let me
know if you have a better idea on how to handle this.

Version note: The attached correction is made on a 4.2 system with a patch
for CVE-2016-7543.
However it should apply on 4.4 as well.

Let me know if you need any further details.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
[exploit.tar.gz (application/x-gzip, attachment)]
[CVE-2016-7543-bug-841856-20161023.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 08:12:12 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 08:12:12 GMT)


Message #34 received at 841856@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, 841856@bugs.debian.org
Subject: Re: Bug#841856: Upstream correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 10:09:50 +0200
Hi

Thanks for fast response. I have now reported it upstream as you can see in
the mail I just sent.

Best regards

// Ola

On 24 October 2016 at 09:08, Salvatore Bonaccorso <carnil@debian.org> wrote:

> Hi Ola,
>
> Thanks for the quick follow-up!
>
> On Mon, Oct 24, 2016 at 08:50:46AM +0200, Ola Lundqvist wrote:
> > Hi
> >
> > No. If you want I can do that.
>
> I think that would be good, to get Chet's attention on the issue. Once
> it's clear, we might also need to request a CVE for it on
> oss-security.
>
>
> > Please note that the patch I attached essentially disables the whole PS4
> > variable support, so upstream can probably do something more intelligent.
>
> Yep, and thus I really think we should have Chet Ramey with his
> upstream hat look into it.
>
> Thanks for your work and regards,
> Salvatore
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 17:03:07 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 17:03:07 GMT)


Message #39 received at 841856@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: "Ola Lundqvist" <ola@inguza.com>
Cc: bug-bash@gnu.org, 841856@bugs.debian.org, "Salvatore Bonaccorso" <carnil@debian.org>
Subject: Re: Correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 18:37:57 +0200
Quoting "Ola Lundqvist" <ola@inguza.com>:

This is known.

I "complained" at the time, as can be seen here:
https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html


> Version: all (see note below)
> Hardware: all
> Operating system: Debian GNU Linux (but all should be affected)
> Compiler: gcc
>
> Hi
>
> In CVE-2016-7543 a problem was reported that it is possible to privilege
> escalate to root.
> The correction as seen here
> http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
> is not complete. Well, it does prevent privilege escalation to root, but it is
> possible to escalate to any other user, and that may be bad too.
>
> The problem has also been reported (by me) in Debian as you can see here:
> http://bugs.debian.org/841856
>
> I have attached a tar file with exploit code. The exploit code is used like
> this:
> make
> sudo make root
> make test
>
> Test 1 is the exploit for CVE-2016-7543
> Test 2 is the exploit for this problem
> Test 3 is just a reference test.
>
> The proposed patch essentially disables the whole PS4 variable support for
> all users (not only root, as the patch for CVE-2016-7543 did). Please let me
> know if you have a better idea on how to handle this.
>
> Version note: The attached correction is made on a 4.2 system with a patch
> for CVE-2016-7543.
> However it should apply on 4.4 as well.
>
> Let me know if you need any further details.
>
> Best regards
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola@inguza.com                    Folkebogatan 26            \
> |  opal@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#841856; Package bash. (Mon, 24 Oct 2016 20:03:07 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Mon, 24 Oct 2016 20:03:07 GMT)


Message #44 received at 841856@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: up201407890@alunos.dcc.fc.up.pt
Cc: Ola Lundqvist <ola@inguza.com>, bug-bash@gnu.org, 841856@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 21:58:03 +0200
Hi

Thank you for the information. Good to know that I'm not the only one that
has seen this problem.

One can of course argue that the attack vector is a little odd. That is, a
setuid binary calling system(). I thought system() was safe enough, but now I
have learnt otherwise.

Anyway, I do not think disabling the PS4 variable would hurt much. Or does
anyone see that it is useful to set it to something other than +?
Maybe we can allow PS4 to be expanded to some extent, but not allow it to
be expanded to execute commands?

// Ola

On 24 October 2016 at 18:37, <up201407890@alunos.dcc.fc.up.pt> wrote:

> Quoting "Ola Lundqvist" <ola@inguza.com>:
>
> This is known.
>
> I "complained" at the time, as can be seen here:
> https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html
>
>
>
>> Version: all (see note below)
>> Hardware: all
>> Operating system: Debian GNU Linux (but all should be affected)
>> Compiler: gcc
>>
>> Hi
>>
>> In CVE-2016-7543 a problem was reported that it is possible to privilege
>> escalate to root.
>> The correction as seen here
>> http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
>> is not complete. Well, it does prevent privilege escalation to root, but it is
>> possible to escalate to any other user, and that may be bad too.
>>
>> The problem has also been reported (by me) in Debian as you can see here:
>> http://bugs.debian.org/841856
>>
>> I have attached a tar file with exploit code. The exploit code is used
>> like
>> this:
>> make
>> sudo make root
>> make test
>>
>> Test 1 is the exploit for CVE-2016-7543
>> Test 2 is the exploit for this problem
>> Test 3 is just a reference test.
>>
>> The proposed patch essentially disables the whole PS4 variable support for
>> all users (not only root, as the patch for CVE-2016-7543 did). Please let me
>> know if you have a better idea on how to handle this.
>>
>> Version note: The attached correction is made on a 4.2 system with a patch
>> for CVE-2016-7543.
>> However it should apply on 4.4 as well.
>>
>> Let me know if you need any further details.
>>
>> Best regards
>>
>> // Ola
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  ola@inguza.com                    Folkebogatan 26            \
>> |  opal@debian.org                   654 68 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
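The remark in the message above, that a setuid binary calling system() is not as safe as assumed, is the part of this thread a defender can act on without waiting for bash. The following is an added example and is not code from the bug report, from the attached patch or from bash itself: a privileged helper that must run a shell command replaces system(3) with fork/execve and a fixed environment, so the child shell never inherits PS4 or any other caller-controlled startup variable, whatever the shell's own uid checks do. The names SAFE_ENV, RISKY_PREFIXES, count_risky_vars, child_env and run_clean are this example's own, and the PATH value is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Environment the child shell receives.  Every entry is chosen by this
 * program; nothing from the caller is forwarded.  The PATH value is an
 * assumption for the example. */
static const char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Variables that change how a shell starts, or what it executes while
 * tracing.  PS4 is only consulted while xtrace is on, which SHELLOPTS can
 * turn on at startup; the others are the usual startup hooks a setuid
 * program that spawns children has to worry about.  This deny-list is only
 * for auditing; the allow-list in SAFE_ENV is what the child actually gets. */
static const char *const RISKY_PREFIXES[] = {
    "PS4=", "SHELLOPTS=", "BASHOPTS=", "BASH_ENV=", "ENV=",
    "LD_PRELOAD=", "LD_LIBRARY_PATH=", NULL
};

/* Count the entries of env that start with a risky prefix.  Useful as an
 * audit hook: a helper can log (but must never trust) what it was given. */
int count_risky_vars(char *const *env)
{
    int n = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        for (size_t j = 0; RISKY_PREFIXES[j] != NULL; j++)
            if (strncmp(env[i], RISKY_PREFIXES[j],
                        strlen(RISKY_PREFIXES[j])) == 0) {
                n++;
                break;
            }
    return n;
}

/* The environment handed to the child; exposed so it can be checked. */
char *const *child_env(void)
{
    return (char *const *)SAFE_ENV;
}

/* Run cmd through /bin/sh -c with SAFE_ENV only.  Unlike system(3), which
 * passes the caller's environ unchanged, argv and envp are explicit here.
 * Returns the child's exit status, -1 on fork/wait failure or abnormal
 * termination, and 127 if /bin/sh could not be executed. */
int run_clean(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
        execve("/bin/sh", argv, child_env());
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Audit what the caller supplied, then run with the clean set anyway. */
    int risky = count_risky_vars(environ);
    if (risky > 0)
        fprintf(stderr, "ignoring %d shell-affecting variable(s) from caller\n",
                risky);

    /* The child prints its shell's built-in default PS4, never the caller's
     * value, because the caller's value was never passed on. */
    return run_clean("printf 'child PS4=[%s]\\n' \"$PS4\"");
}
```

Running the binary with PS4 or SHELLOPTS set in the calling environment shows the audit message on stderr while the child still reports only its shell's default. This does not fix bash; it removes the helper's dependence on the shell's own uid-based protection, which the thread shows is incomplete for the non-root case, and it is the same discipline that applies to any other privileged program that spawns children.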

Changed Bug title to 'bash: Related to CVE-2016-7543: Privilege escalation possible to other user than root' from 'Upstream correction of CVE-2016-7543 is incomplete'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 25 Oct 2016 04:42:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:32:02 2019; Machine Name: beach
