List-Id: Zsh Workers List
X-Seq: 39459
From: Oliver Kiddle <okiddle@yahoo.co.uk>
To: Mateusz Lenik
Cc: zsh-workers@zsh.org
Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
Date: Tue, 27 Sep 2016 10:56:47 +0200
Message-ID: <37737.1474966607@hydra.kiddle.eu>

Mateusz Lenik wrote:
> I just learned that bash fixed a vulnerability that also affects zsh. It
> allowed arbitrary programs to be run by crafting SHELLOPTS and PS4 variables
> against setuid binaries using system/popen.

Given that zsh doesn't support the SHELLOPTS variable at all, it doesn't
make sense for zsh to be apparently vulnerable.

> Steps to reproduce:
> % gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'

This attack is directed against the shell that system() runs, i.e. /bin/sh,
and not the shell from which the setuid binary is invoked. Did you have
/bin/sh linked to zsh? If it was linked to bash then these steps are merely
reproducing the bash bug in bash.

Zsh also needs the prompt_subst option to enable command substitution in
PS4.

Perhaps there's an argument for not importing PS4 from the environment in
certain cases anyway, but I can't see any security issue.

Oliver
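The hardened alternative to the setuid()+system() test program quoted above, added here as an example and not code from this thread or from zsh: it runs the same command without starting /bin/sh at all, handing the child only an allowlisted environment, so that variables such as SHELLOPTS and PS4 never reach any shell. The allowlist (PATH, TZ) and the /bin/date path are assumptions.

```c
/* Added example, not code from the zsh-workers thread.  The quoted test
 * program lets system() start /bin/sh with the caller's full environment, so
 * that shell sees SHELLOPTS and PS4.  This form starts no shell: it keeps only
 * allowlisted variables and execve()s the target.  Allowlist/path assumed. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
extern char **environ;

/* Variables a privileged helper may keep; all else (SHELLOPTS, PS4, IFS, ...) is dropped. */
static const char *const keep[] = { "PATH=", "TZ=", NULL };

/* Copy allowlisted "NAME=value" entries from in[] to out[] (NULL-terminated);
 * returns the number kept, or -1 if out[] (max slots) is too small. */
int sanitize_env(char *const in[], const char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        for (size_t k = 0; keep[k] != NULL; k++) {
            if (strncmp(in[i], keep[k], strlen(keep[k])) != 0) continue;
            if (n + 1 >= max) return -1;   /* no room for the final NULL */
            out[n++] = in[i];
            break;
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Run path with argv under a sanitized copy of env, with no shell in between;
 * returns the child's exit status, or -1 on failure. */
int run_without_shell(const char *path, char *const argv[], char *const env[])
{
    const char *clean[16];
    if (sanitize_env(env, clean, sizeof clean / sizeof clean[0]) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, (char *const *)clean);
        _exit(127);                        /* exec failed; never fall through */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Replacement for system("/bin/date"): same command, no /bin/sh. */
    char *const argv[] = { "date", NULL };
    return run_without_shell("/bin/date", argv, environ);
}
```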