
RPBCACUEAIIBH/Bash-Script-Vulnerability-And-Solution


A Bash Script Vulnerability and Solution (There may be more, I only found this one...)

  • Bash reads and executes a script one command at a time, as if the commands came from terminal input (unless you group them in curly brackets), so a script can be edited while it is running, and Bash executes the edited content.

  • If a script is executed with sudo by an admin and is writable by the admin (or group or anyone), it is also writable, without root permissions, by any other running process that belongs to whoever has write access.

  • This means that a malicious process without root permissions can patiently wait until the sys admin runs one of his/her own scripts that is writable by the sys admin, and edit it while it is running to gain root access. (This means a sys admin can't be confident that the script he/she vetted or wrote will do whatever it is supposed to unless he/she makes it completely write protected before execution.)

  • Temporarily revoking write access is a solution to protect against that; however, killing the process will prevent it from reinstating write access. (Which can be annoying, but a sys admin who has the right to run it with sudo should also be able to make it writable again. Either way I'd rather get annoyed than rooted because of negligence.)

  • I reported this to bug-bash@gnu.org and got several answers downplaying the severity, emphasizing the inadequacy or possible side effects of raised solutions, shifting responsibility, etc. until the conversation about it died out. It does not look like it's gonna be fixed any time soon, so I decided to put this up on GitHub in an attempt to raise awareness and offer an individual workaround for those who don't wanna fall for this.

How to stay safe?

  • Use the included template with several security measures.
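
The two mitigations described above (group the commands so the shell parses them before running anything, and make sure the file cannot be rewritten) can be combined in a script preamble. This is an added example, not the repository's template; the function names and the `--run` guard are chosen for illustration, and GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): refuse to do privileged work
# from a script file that an unprivileged process could still rewrite.
# Assumes GNU stat, as on the Ubuntu systems the page mentions.

# path_is_locked PATH TRUSTED_UID
# Succeeds only if PATH is owned by TRUSTED_UID and has no group/other
# write bit. Returns 2 if PATH cannot be inspected.
path_is_locked() {
    local meta owner mode
    meta=$(stat -c '%u %a' -- "$1") || return 2
    owner=${meta% *}
    mode=${meta#* }
    # The owner can always chmod the file back to writable, so the owner
    # itself has to be the trusted uid (0 for scripts run through sudo).
    [ "$owner" = "$2" ] || return 1
    # Octal mask 022 = group-write | other-write.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# require_locked_script PATH TRUSTED_UID: report and fail if PATH is editable.
require_locked_script() {
    path_is_locked "$1" "$2" && return 0
    echo "refusing to run: $1 is not locked down to uid $2" >&2
    return 1
}

# Functions are parsed completely when defined, so later edits to the file
# cannot alter a body the shell has already read.
main() {
    require_locked_script "$0" 0 || return 1
    echo "checks passed; privileged work would start here"
}

# The brace group is likewise parsed as a whole before it runs, and the
# explicit exit keeps the shell from reading anything appended afterwards.
# Guarded by --run (a name chosen for this example) so the file can be sourced.
{
    if [ "${1:-}" = "--run" ]; then main "$@"; exit; fi
}
```

Run as `sudo ./script.sh --run`, the check passes only after the file has been handed to root, for example with `sudo chown root:root script.sh && sudo chmod 755 script.sh`.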

Not convinced?

  • Read and run ProofOfVulnerability.sh
  • Read and run Test.sh as you and as root.

Whom does this vulnerability affect?

  • I tested it on 2 PCs, one of which is up to date Ubuntu 22.04.4 LTS, the other is way outdated Ubuntu 20.10 (no longer supported) which is my oldest system still in use.
  • That being said, I actually found it back in around 2016, when I was a noob learning bash and didn't think I should bother the devs. Then I forgot about it. Now, watching a video of clever use of shell in the XZ backdoor, I remembered and tested it again, and found it still unpatched. I reported it a few days ago, and... no one really cares... So it probably affects a lot of systems. (I found it by writing a script to edit another script, messed up and made it accidentally edit itself instead, which got immediately executed...)

If you found it useful consider supporting me.

About

Stay safe it's up to you! Bash devs don't seem to care...
