Re: SHELLOPTS=xtrace security hardening


From: up201407890
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Mon, 14 Dec 2015 18:01:13 +0100
User-agent: Internet Messaging Program (IMP) H3 (4.2)

Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:


> SHELLOPTS+PS4 is a known way to have the shell run arbitrary
> commands. Before shellshock, env /bin/date='() { cmd; }' was
> another one. The fix for shellshock closed that one.

Yes, exporting a function was a better known attack against this.

> I can see why one might want to close a path to easy privilege
> escalation, but IMO, the fault here is not with bash but with
> setuid applications invoking other applications, let alone a
> shell without sanitizing the environment.

Obviously it's always the application's fault.
The thing is that a simple patch in bash can stop most of these applications from getting exploited.
It would be easier to harden bash than to secure those applications one by one.

Also, if you haven't read my previous email, my new suggestion of initializing $PS4 with its default value "+ ", and not importing it from the environment, would be a much better solution.
This way xtrace can still be used, and the prompt would be its default "+ ".


$ diff -Naur bash-4.2.53 bash-4.2.53.patch/
diff -Naur bash-4.2.53/variables.c bash-4.2.53.patch/variables.c
--- bash-4.2.53/variables.c     2014-10-01 20:54:55.000000000 +0100
+++ bash-4.2.53.patch/variables.c       2015-12-13 21:51:38.926476398 +0000
@@ -465,7 +465,10 @@
 #endif
       set_if_not ("PS2", secondary_prompt);
     }
-  set_if_not ("PS4", "+ ");
+  /* Don't allow PS4 to be imported from the environment.
+     Specially crafted SHELLOPTS+PS4 could be used to exploit
+     bogus system(3)/popen(3) calls in setuid executables. */
+  bind_variable ("PS4", "+ ", 0);

   /* Don't allow IFS to be imported from the environment. */
   temp_var = bind_variable ("IFS", " \t\n", 0);
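Review bot: replacing the conditional `set_if_not ("PS4", "+ ")` with an unconditional `bind_variable ("PS4", "+ ", 0)` discards an exported PS4 on every bash invocation, not only in the setuid scenario the comment gives as its rationale, so a user who deliberately exports a custom PS4 for debugging loses it silently; either restrict the override to the case the comment describes or state the behaviour change in the comment. The comment also names SHELLOPTS+PS4 as the problem while the hunk touches only PS4, so a sentence saying that SHELLOPTS=xtrace is still honoured from the environment (which the accompanying mail says is intended) would make the scope clear.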



# rm /bin/bash
# cp ./bash /bin/bash
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./a.out
+ /bin/date
Sun Dec 13 21:56:38 WET 2015


Thoughts?

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
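The environment sanitising that the quoted message says setuid callers should do, as an added example that is not from this thread or from bash: a replacement for system(3) that forks and execve()s a fixed path with an allowlisted environment and a pinned PATH, so SHELLOPTS, PS4, BASH_ENV, IFS and similar never reach the child. The allowlist `keep` and the names build_child_env and run_clean are the example's own choices.

```c
/* Run a fixed command the way a setuid helper should: with an environment
   the caller controls, not the one inherited from the invoking user. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ENV 16

/* Variables a child may inherit (allowlist chosen for this example).
   Everything else (SHELLOPTS, PS4, BASH_ENV, IFS, LD_*, ...) is dropped
   instead of being blocklisted name by name. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* Copy allowed "NAME=value" entries from `in` to `out`, then pin PATH.
   Returns the number of entries written (not counting the terminating NULL). */
size_t build_child_env(char *const *in, const char **out, size_t max)
{
    size_t n = 0;
    for (; *in && n + 2 < max; in++) {        /* leave room for PATH and NULL */
        const char *eq = strchr(*in, '=');
        if (!eq) continue;                     /* malformed entry: skip it */
        size_t len = (size_t)(eq - *in);
        for (const char *const *k = keep; *k; k++) {
            if (strlen(*k) == len && strncmp(*in, *k, len) == 0) {
                out[n++] = *in;
                break;
            }
        }
    }
    out[n++] = "PATH=/usr/bin:/bin";           /* never the caller's PATH */
    out[n] = NULL;
    return n;
}

/* Like system(3), but with no shell in between and a clean environment. */
int run_clean(const char *path, char *const argv[], char *const *in)
{
    const char *env[MAX_ENV];
    build_child_env(in, env, MAX_ENV);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, (char *const *)env);
        _exit(127);                            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

int main(void)
{
    extern char **environ;
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv, environ) == 0 ? 0 : 1;
}
```

With this helper, the `env -i SHELLOPTS=xtrace PS4=... ./a.out` invocation from the mail above reaches /bin/date with only TZ, LANG (if set) and the pinned PATH, regardless of how the shell treats PS4.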
