CVE-2019-18276 - Improper Check for Dropped Privileges

Severity

78%

Complexity

18%

Confidentiality

98%

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Improper Check for Dropped Privileges

CWE-273

This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges:


               
}
/../

The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to.

Overview

Type

GNU Bourne-Again SHellbash (GNU Bash) 5.0

First reported 5 years ago

2019-11-28 01:15:00

Last updated 4 years ago

2020-04-30 19:15:00

Affected Software

GNU Bourne-Again SHellbash (GNU Bash) 5.0 Beta 1

5.0

GNU Bourne-Again SHellbash (GNU Bash) 5.0 Beta 2

5.0

GNU Bourne-Again SHellbash (GNU Bash) 5.0 Release Candidate 1

5.0

References

http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html

Exploit, Third Party Advisory, VDB Entry

https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff

Patch, Third Party Advisory

https://security.netapp.com/advisory/ntap-20200430-0003/

https://www.youtube.com/watch?v=-wGtxJ8opa8

Exploit, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.