undefined | Better HN

0 pointssophacles11y ago0 comments

I think it comes down to a jargon vs technical language thing. In formal settings arbitrary code execution is a different thing from privilege escalation. In casual jargony talk though, security guys tend to equate code execution with privilege escalation with box ownage.

Basically it goes "why would anyone not follow the execution -> escalation -> own path?" It's such an automatic assumption, combined with the basic premise of "there's no such thing as a secure computer", that the exact details are a hand-wave. This comes from the repeated demonstration that it's almost always true.

0 comments

dllthomas11y ago

None of this seems crazy unlikely, but I'd still like to hear a confirmation that that's what was meant. Especially since korzun was talking specifically about Debian and Ubuntu where bash is only used as a login shell and so presumably those with access could already just run the app.

sophaclesOP11y ago

There are unfortunately lots of bad scripts in the world that start with:

   #!/bin/bash

So for example, with a foo.sh script of:

   #!/bin/bash
   echo "loser!"

Then for example:

   vagrant@ubuntu-14:~/bin$ X='() { :; }; echo foo' python
   Python 2.7.6 (default, Mar 22 2014, 22:59:56) 
   [GCC 4.8.2] on linux2
   Type "help", "copyright", "credits" or "license" for more information.
   >>> import os
   >>> os.system("./foo.sh")
   foo
   loser!
   0
   >>> import subprocess
   >>> subprocess.Popen("./foo.sh")
   <subprocess.Popen object at 0x7f04a115f350>
   >>> foo
   loser!

It should be noted that if the shebang is #!/bin/sh this doesn't work when sh == dash, but given that this wiki page exists on ubuntu:

https://wiki.ubuntu.com/DashAsBinSh

That recommends changing broken scripts to #!/bin/bash or changing to sh == bash as solutions. I would guess that there are going to be plenty of easily vulnerable debian/ubuntu systems.

More importantly though, it literally does not matter if this bug is "directly privilege escalating" or "1 step removed privilege escalating", the are fundamentally the same thing. It doesn't matter in any case where a script is executed with bash instead of dash.

dllthomas11y ago

'More importantly though, it literally does not matter if this bug is "directly privilege escalating" or "1 step removed privilege escalating", the are fundamentally the same thing. It doesn't matter in any case where a script is executed with bash instead of dash.'

It doesn't matter for security. It matters a lot for my understanding of what's going on.

j / k navigate · click thread line to collapse

0 comments

dllthomas11y ago

sophaclesOP11y ago

There are unfortunately lots of bad scripts in the world that start with:

   #!/bin/bash

So for example, with a foo.sh script of:

   #!/bin/bash
   echo "loser!"

Then for example:

   vagrant@ubuntu-14:~/bin$ X='() { :; }; echo foo' python
   Python 2.7.6 (default, Mar 22 2014, 22:59:56) 
   [GCC 4.8.2] on linux2
   Type "help", "copyright", "credits" or "license" for more information.
   >>> import os
   >>> os.system("./foo.sh")
   foo
   loser!
   0
   >>> import subprocess
   >>> subprocess.Popen("./foo.sh")
   <subprocess.Popen object at 0x7f04a115f350>
   >>> foo
   loser!

It should be noted that if the shebang is #!/bin/sh this doesn't work when sh == dash, but given that this wiki page exists on ubuntu:

https://wiki.ubuntu.com/DashAsBinSh

That recommends changing broken scripts to #!/bin/bash or changing to sh == bash as solutions. I would guess that there are going to be plenty of easily vulnerable debian/ubuntu systems.

dllthomas11y ago

It doesn't matter for security. It matters a lot for my understanding of what's going on.

j / k navigate · click thread line to collapse