Bash 4.3 setuid() BUG

Authors: Hector Marco & Ismael Ripoll
BUG: Lack of checking setuid() return code
Dates:
10 December 2013 - Discovered the bug
25 March 2014 - Public disclosure

Description

Impact

Vulnerable packages

The bug

setuid()

setuid()

shell.c

    /* Bash 4.3, shell.c: the return values of setuid() and setgid() are
       never checked, so if either call fails the shell carries on as if
       privileges had been dropped. */
    void
    disable_priv_mode ()
    {
      setuid (current_user.uid);
      setgid (current_user.gid);
      current_user.euid = current_user.uid;
      current_user.egid = current_user.gid;
    }

Exploit

FIX

diff --git shell.c shell.c index bbc8a66..5bfd466 100644 --- shell.c +++ shell.c @@ -1226,8 +1226,12 @@ uidget () void disable_priv_mode () { - setuid (current_user.uid); - setgid (current_user.gid); + + if( (setgid (current_user.gid) !=0) || (setuid (current_user.uid) != 0) ){ + report_error("Drop privileges failed!!

"); + exit(-1); + } + current_user.euid = current_user.uid; current_user.egid = current_user.gid; }
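Review bot: the hunk silently swaps the call order to setgid() before setuid(), which is the correct order (once the effective uid is unprivileged a later setgid() can fail), but since that is a behavioural change and not just the added check, it deserves a line in the commit message. Two smaller points: `exit(-1)` leaves the shell with exit status 255, so `exit(1)` (or one of bash's own exit constants) would be clearer, and the message passed to `report_error` carries a trailing newline and a doubled "!!", which does not match the style of the other report_error() calls in shell.c.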

$ wget http://hmarco.org/bugs/patches/bash_4.3-fix-setuid.patch
$ cd bash.4.3
$ patch -p0 < ../bash_4.3-fix-setuid.patch
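The following stand-alone program is an added example, not bash source and not the authors' patch: it drops privileges the way the fixed disable_priv_mode() does (setgid() first, every return code checked) and then verifies the result by reading the process's real and effective ids back. The function names drop_privileges() and privileges_dropped() are this example's own. Dropping to the caller's own ids is always permitted, so the success path works even when run unprivileged; the second call shows the failure path the bash 4.3 code ignored.

```c
/* Added example: privilege drop with checked return codes, as in the fix,
 * plus a verification step. Not part of bash. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given gid/uid. The gid is changed first: once the uid is no
 * longer privileged, a later setgid() would be refused. Returns 0 on
 * success, -1 if either call fails (errno is left as the failing call set it). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Confirm that both the real and the effective ids now equal the target.
 * Returns 1 if they do, 0 otherwise. (getresuid(2) would additionally
 * expose the saved set-user-ID on systems that provide it.) */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Success path: a process may always set its ids to its own real ids. */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop to own ids failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u: %s\n", (unsigned)uid, (unsigned)gid,
           privileges_dropped(uid, gid) ? "verified" : "INCOMPLETE");

    /* Failure path: an unprivileged process cannot take uid 0. The checked
     * version reports it; the bash 4.3 code would have continued silently. */
    if (uid != 0) {
        if (drop_privileges(0, 0) == 0) {
            fprintf(stderr, "unexpected: setuid(0) succeeded\n");
            return 1;
        }
        printf("setuid(0) refused as expected: %s\n", strerror(errno));
    }
    return 0;
}
```

The point of the second function is that checking the return code is necessary but not sufficient on its own: a program that has just dropped privileges can cheaply confirm that the ids it reads back are the ones it asked for before doing anything on the user's behalf.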

Discussion