Bug 42874 - bash: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
QA Contact: Florian Best
Reported: 2016-11-08 11:55 CET by Arvid Requate
Modified: 2016-12-01 11:57 CET (History)
What kind of report is it?: Security Issue
requate: Patch_Available+


Attachments
exploit.tar.gz (466 bytes, application/gzip)
2016-11-29 19:32 CET, Florian Best
Description Arvid Requate univentionstaff 2016-11-08 11:55:45 CET
Upstream Debian package version 4.2+dfsg-0.1+deb7u4 fixes this issue:

* Specially crafted SHELLOPTS+PS4 environment variables in combination with insecure setuid binaries using system()/popen() can result in root privilege escalation (CVE-2016-7543)


UCS users use bash as default login shell, but it looks like there are no vulnerable SUID binaries in a standard installation:

# Dump the dynamic symbols of every setuid file and keep lines naming popen or system
find / -perm -4000 -type f -exec objdump -T {} \; 2>/dev/null \
   | grep -E '\<(popen|system)\>'
Comment 1 Florian Best univentionstaff 2016-11-08 12:13:11 CET
/usr/lib/vmware/bin/vmware-vmx-stats
/usr/lib/vmware/bin/vmware-vmx-debug
/usr/lib/vmware/bin/vmware-vmx
/usr/bin/vmware-mount
/usr/sbin/vmware-authd
/sbin/mount.cifs
Comment 2 Florian Best univentionstaff 2016-11-08 12:33:44 CET
To show the infected binaries:
# The file name is passed as $1 rather than embedded in the sh -c string
find / -perm -4000 -type f -exec sh -c 'objdump -T "$1" | grep -Eq "\<(popen|system)\>"' sh {} \; -print
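Added example (not part of the bug report or of Univention's tooling): a variant of the setuid audit from the description and Comment 2 that reports only imported (*UND*) symbols named exactly system or popen, and that never splices a file name into a shell string. The function names and the two sample objdump -T listings are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the bug.

# Constructed `objdump -T` output: a setuid helper that imports system().
SAMPLE_IMPORT='/opt/app/helper:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 setuid
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 system'

# Constructed output with no such import, but with "system" in the path and
# in a symbol the binary defines itself; a line-wide grep flags both.
SAMPLE_NOIMPORT='/opt/app/system:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 execve
0000000000001139 g    DF .text  0000000000000017  Base        log_system'

# Read `objdump -T` output on stdin and print every imported (*UND*) symbol
# named exactly system or popen. Exit status 0 if at least one was found.
shell_exec_imports() {
    awk 'index($0, "*UND*") && ($NF == "system" || $NF == "popen") {
             print $NF; found = 1
         }
         END { exit(found ? 0 : 1) }'
}

# Report setuid files below $1 (default /) that import system()/popen().
# File names are only ever passed as data, never spliced into a shell string.
# Assumption: no newlines in file names (find output is read line by line).
audit_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null |
    while IFS= read -r f; do
        syms=$(objdump -T "$f" 2>/dev/null | shell_exec_imports | sort -u | tr '\n' ' ')
        if [ -n "$syms" ]; then printf '%s: %s\n' "$f" "$syms"; fi
    done
}

# Run the audit only when a start directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_suid "$1"; fi
```

Run as root with a start directory, for example `sh audit.sh /`, so that objdump can read every setuid file.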
Comment 3 Florian Best univentionstaff 2016-11-29 19:09:02 CET
OK:
 *** 4.2+dfsg-0.1.51.201611101755 0
        500 http://omar.knut.univention.de/build2/ ucs_4.1-0-errata4.1-4/amd64/ Packages
OK: zgrep CVE-2016-7543 /usr/share/doc/bash/changelog.Debian.gz
OK: YAML
OK: bash still works

I could not reproduce it with this exploit:
http://seclists.org/oss-sec/2016/q3/617
Comment 4 Florian Best univentionstaff 2016-11-29 19:32:29 CET
Created attachment 8255
exploit.tar.gz

OK: reproduce

# cd /tmp/
# wget http://apt.inguza.net/wheezy-security/bash/exploit.tar.gz
# tar xvzf exploit.tar.gz
# make
# make root
# ln -sf bash /bin/sh
# su Administrator bash
$ cd /tmp/; make test
Test 1
uid=0(root) gid=5000(Domain Admins) groups=0(root),1005(Windows Hosts),5000(Domain Admins),5001(Dom/bin/date
Tue Nov 29 19:17:07 CET 2016
Test 2
uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
Tue Nov 29 19:17:07 CET 2016
Test 3
uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date

~OK: fixed version:
ls -l exploit1 exploit2 exploit3
-rwsr-xr-x 1 root     root 6920 Nov 29 19:12 exploit1
-rwsr-xr-x 1 root     root 6920 Nov 29 19:12 exploit2
-rwxr-xr-x 1 www-data root 6804 Nov 29 19:12 exploit3
./test.sh
Test 1
+ /bin/date
Tue Nov 29 19:27:31 CET 2016
Test 2
uid=33(www-data) gid=5000(Domain Admins) groups=33(www-data),1005(Windows Hosts),5000(Domain Admins/bin/date
Tue Nov 29 19:27:31 CET 2016
Test 3
uid=2002(Administrator) gid=5000(Domain Admins) groups=5000(Domain Admins),1005(Windows Hosts),5001/bin/date
Tue Nov 29 19:27:31 CET 2016

I still think that it is wrong that the code is executed in Test 2 and Test 3. In "Test 2" the code is executed as www-data. But well, the most critical thing is fixed.
Comment 5 Janek Walkenhorst univentionstaff 2016-12-01 11:57:27 CET
<http://errata.software-univention.de/ucs/4.1/343.html>