
Re: SHELLOPTS=xtrace security hardening

From up201407890@alunos.dcc.fc.up.pt
Newsgroups gnu.bash.bug
Subject Re: SHELLOPTS=xtrace security hardening
Date 2015-12-14 18:01 +0100
Message-ID <mailman.2088.1450112494.31583.bug-bash@gnu.org>
References <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com>



Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:


> SHELLOPTS+PS4 is a known way to have the shell run arbitrary
> commands. Before shellshock, env /bin/date='() { cmd; }' was
> another one. The fix for shellshock closed that one.

Yes, exporting a function was a better known attack against this.

> I can see why one might want to close a path to easy privilege
> escalation, but IMO, the fault here is not with bash but with
> setuid applications invoking other applications, let alone a
> shell without sanitizing the environment.

Obviously it's always the application's fault.
The thing is that a simple patch in bash can stop most of these applications from getting exploited.
It would be easier hardening bash than securing those applications one by one.

Also, if you haven't read my previous email, my new suggestion of initializing $PS4 with its default value "+ ", and not importing it from the environment, would be a much better solution.
This way xtrace can still be used, and the prompt would be its default "+ ".


$ diff -Naur bash-4.2.53 bash-4.2.53.patch/
diff -Naur bash-4.2.53/variables.c bash-4.2.53.patch/variables.c
--- bash-4.2.53/variables.c     2014-10-01 20:54:55.000000000 +0100
+++ bash-4.2.53.patch/variables.c       2015-12-13 21:51:38.926476398 +0000
@@ -465,7 +465,10 @@
  #endif
        set_if_not ("PS2", secondary_prompt);
      }
-  set_if_not ("PS4", "+ ");
+  /* Don't allow PS4 to be imported from the environment.
+     Specially crafted SHELLOPTS+PS4 could be used to exploit
+     bogus system(3)/popen(3) calls in setuid executables. */
+  bind_variable ("PS4", "+ ", 0);

    /* Don't allow IFS to be imported from the environment. */
    temp_var = bind_variable ("IFS", " \t\n", 0);
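Review bot: the hunk's comment frames the threat as setuid executables calling system(3)/popen(3), yet the new `bind_variable ("PS4", "+ ", 0);` runs unconditionally, so every shell, interactive ones included, now silently discards a PS4 inherited from the environment. Either scope the override to the privileged case the comment describes, or document the user-visible change (an exported PS4 from a parent shell no longer takes effect) together with the code. Also, the IFS handling just below keeps the return value of bind_variable in temp_var; check whether the PS4 binding needs the same follow-up for the variable's attributes, since the old `set_if_not` implies a PS4 entry imported from the environment may already exist when this override runs.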



# rm /bin/bash
# cp ./bash /bin/bash
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./a.out
+ /bin/date
Sun Dec 13 21:56:38 WET 2015


Thoughts?

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
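As an added example, not code from this thread or from bash, here is the application-side fix Chazelas points to: a privileged program builds a fixed allow-list environment and hands it to execve(2) instead of calling system(3)/popen(3), so SHELLOPTS, PS4, IFS and anything else from the caller never reach a child shell. The allow-list contents, function names and the constructed sample environment are assumptions.

```c
/* Added example: allow-list environment sanitizing for a privileged caller.
   Not from the bug-bash thread or from bash itself; names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Variables a helper is allowed to inherit; everything else is dropped.
   SHELLOPTS, PS4 and IFS are deliberately absent. (Assumed list.) */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Return 1 if the name part of "NAME=value" is on the allow-list. */
int env_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);
    for (int i = 0; allowed[i]; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Fill out[] with a fixed PATH plus allow-listed entries copied from in[],
   NULL-terminated; returns the number of entries kept (max slots in out). */
size_t build_clean_env(char *const in[], const char *out[], size_t max) {
    size_t k = 0;
    if (max < 2) return 0;
    out[k++] = "PATH=/usr/bin:/bin";          /* never trust the caller's PATH */
    for (size_t i = 0; in[i] && k + 1 < max; i++)
        if (env_allowed(in[i])) out[k++] = in[i];
    out[k] = NULL;
    return k;
}

/* Run /bin/date with the cleaned environment via execve, not system(3).
   Returns the child's exit status, 127 if exec failed, -1 on fork error. */
int run_date_clean(char *const envp_in[]) {
    const char *envp[64];
    build_clean_env(envp_in, envp, 64);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/date", NULL };
        execve("/bin/date", argv, (char *const *)envp);
        _exit(127);
    }
    int st = 0;
    waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed sample caller environment carrying the hostile pair from the
   thread; returns the kept count (2: fixed PATH and TZ) if filtering is right. */
static char *const sample_env[] = { "SHELLOPTS=xtrace", "PS4=$(id)",
                                    "TZ=UTC", "PATH=/tmp", NULL };
size_t demo_filter(void) {
    const char *out[8];
    size_t k = build_clean_env(sample_env, out, 8);
    return (k == 2 && strcmp(out[0], "PATH=/usr/bin:/bin") == 0 &&
            strcmp(out[1], "TZ=UTC") == 0 && out[2] == NULL) ? k : 0;
}
```

With this in place the demonstration above (`env -i SHELLOPTS=xtrace PS4='$(id)' ./a.out`) is harmless even on an unpatched bash, because the helper never sees either variable.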
