Correction of CVE-2016-7543 is incomplete

From: Ola Lundqvist
Subject: Correction of CVE-2016-7543 is incomplete
Date: Mon, 24 Oct 2016 10:09:10 +0200

Version: all (see note below)
Hardware: all
Operating system: Debian GNU Linux (but all should be affected)
Compiler: gcc


In CVE-2016-7543 a problem was reported where it is possible to escalate privileges to root.
The correction as seen here http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
is not complete. Well, it does prevent privilege escalation to root, but it is possible to escalate to any other user and that may be bad too.

The problem has also been reported (by me) in Debian as you can see here: http://bugs.debian.org/841856

I have attached a tar file with exploit code. The exploit code is used like this:
sudo make root
make test

Test 1 is the exploit for CVE-2016-7543
Test 2 is the exploit for this problem
Test 3 is just a reference test.

The proposed patch essentially disables the whole PS4 variable support for all users (not only root as the patch was for CVE-2016-7543). Please let me know if you have a better idea on how to handle this.

Version note: The attached correction is made on a 4.2 system with a patch for CVE-2016-7543.
However it should apply on 4.4 as well.

Let me know if you need any further details.

Best regards

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
/  address@hidden                    Folkebogatan 26            \
|  address@hidden                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Attachment: exploit.tar.gz
Description: GNU Zip compressed data

Attachment: CVE-2016-7543-bug-841856-20161023.patch
Description: Binary data
