Zsh Mailing List Archive

Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system



Mateusz Lenik wrote:
> I just learned that bash fixed a vulnerability that also affects zsh. It
> allowed running arbitrary programs by crafting SHELLOPTS and PS4 variables
> against setuid binaries using system/popen.

Given that zsh doesn't support the SHELLOPTS variable at all, it doesn't
make sense for zsh to be apparently vulnerable.

> Steps to reproduce:
> % gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'

This attack is directed against the shell that system() runs, i.e.
/bin/sh and not the shell from which the setuid binary is invoked. Did
you have /bin/sh linked to zsh? If it was linked to bash then these
steps are merely reproducing the bash bug in bash.

Zsh also needs the prompt_subst option to enable command substitution in
PS4. Perhaps there's an argument for not importing PS4 from the
environment in certain cases anyway but I can't see any security issue.

Oliver
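
An added example, not part of either message above: since the variables in question are read by whatever shell system() starts, a privileged caller can drop the inherited environment before handing control to /bin/sh. The names `scrub_env` and `safe_system`, the allow-list and the fixed PATH are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumed allow-list: the only inherited variables the child shell may see. */
static const char *const keep[] = { "TZ", "LANG", "LC_ALL", NULL };

/* Replace the inherited environment with a fixed PATH plus the allow-listed
 * variables. Returns 0 on success, -1 if any allocation or setenv failed. */
int scrub_env(void)
{
    static char *empty[] = { NULL };
    char *saved[sizeof keep / sizeof keep[0]] = { 0 };
    size_t i;
    int rc = 0;

    /* Copy the wanted values first; the old strings are dropped below. */
    for (i = 0; keep[i]; i++) {
        const char *v = getenv(keep[i]);
        if (v && !(saved[i] = strdup(v)))
            rc = -1;
    }
    environ = empty;   /* SHELLOPTS, PS4 and everything else inherited is gone */
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0)
        rc = -1;
    for (i = 0; keep[i]; i++) {
        if (saved[i] && setenv(keep[i], saved[i], 1) != 0)
            rc = -1;
        free(saved[i]);
    }
    return rc;
}

/* system() wrapper that refuses to run the command if scrubbing failed. */
int safe_system(const char *cmd)
{
    return scrub_env() == 0 ? system(cmd) : -1;
}

int main(void)
{
    /* Constructed values standing in for attacker-controlled input. */
    setenv("SHELLOPTS", "constructed", 1);
    setenv("PS4", "constructed", 1);
    return safe_system("/bin/date") == 0 ? 0 : 1;
}
```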


