Privilege Escalation in GNU Bash Affecting Linux Systems
CVE-2019-18276

7.8HIGH

Key Information:

Vendor
Gnu
Status
Bash
Vendor
CVE Published:
28 November 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A flaw in the disable_priv_mode function in shell.c of GNU Bash allows an attacker with command execution rights to exploit the incorrect handling of user IDs. This vulnerability arises when Bash runs with an effective UID different from the real UID, failing to drop the saved UID correctly on systems that support it. Skilled attackers can leverage this flaw by executing 'enable -f' to load a new builtin, potentially gaining elevated privileges using a shared object that calls setuid(). Notably, binaries operating with an effective UID of 0 are not affected by this issue.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-18276
Created by M-ensimag

References

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4...
mailing-listx_refsource_MLIST
https://security.gentoo.org/glsa/202105-34
vendor-advisoryx_refsource_GENTOO
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.