GNU Bash through 5.0 patch 10 has a privilege-dropping bug in disable_priv_mode (shell.c, lines 1291-1310). When bash detects that it is running setuid (euid != uid) and was not started with -p, it drops privileges with bare setuid(uid) and setgid(gid) calls. On Linux and other POSIX systems with saved set-user-IDs, setuid() called by a process whose effective UID is not 0 changes only the effective UID (the real UID is already uid); the saved set-user-ID keeps the privileged value, and setgid() leaves the saved set-group-ID in the same state. An attacker with command execution in that shell can run 'enable -f /path/to/evil.so name' to dlopen an arbitrary shared object as a loadable builtin; the builtin's handler calls setuid() with the privileged owner's UID, which the kernel permits because that value is still held in the saved UID. This regains the full privileges of the setuid owner and bypasses any setuid-wrapper-based or restricted-shell privilege boundary that relied on disable_priv_mode being effective. The bypass applies when the binary is setuid to a non-root account: if the effective UID was 0, setuid(uid) resets all three IDs and there is nothing left to regain. A correct drop clears all three IDs, for example setresuid(uid, uid, uid) and setresgid(gid, gid, gid), and then verifies the result with getresuid()/getresgid() rather than trusting the return codes alone.
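The following C program is an added example, not bash's code. It replays the kernel's setuid(2) and setresuid(2) rules on a small model of the three user IDs so the bare-setuid drop and the saved-UID regain can be exercised without a setuid binary, and it ends with the hardened drop-and-verify routine a setuid wrapper would use for real. The UIDs 1000 (invoking user) and 2000 (setuid owner) are constructed sample values; the model functions and drop_privileges_hardened are hypothetical names.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes so the Linux-specific calls resolve even if the
 * feature-test macro above was not seen first by the libc headers. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Model of a process's real, effective and saved user IDs. The rules in
 * model_setuid/model_setresuid are the Linux/POSIX semantics documented
 * in setuid(2) and setresuid(2); this model is an added illustration. */
typedef struct { uid_t ruid, euid, suid; } cred_t;

/* setuid(2): a caller with euid 0 sets all three IDs; any other caller
 * changes only the effective UID, and only to its real or saved value. */
static int model_setuid(cred_t *c, uid_t uid)
{
    if (c->euid == 0) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1; /* EPERM */
}

/* setresuid(2): an unprivileged caller may set each ID only to one of
 * the three current IDs; (uid_t)-1 leaves that ID unchanged. */
static int model_setresuid(cred_t *c, uid_t r, uid_t e, uid_t s)
{
    uid_t want[3] = { r, e, s };
    if (c->euid != 0) {
        for (int i = 0; i < 3; i++) {
            if (want[i] == (uid_t)-1)
                continue;
            if (want[i] != c->ruid && want[i] != c->euid && want[i] != c->suid)
                return -1; /* EPERM */
        }
    }
    if (r != (uid_t)-1) c->ruid = r;
    if (e != (uid_t)-1) c->euid = e;
    if (s != (uid_t)-1) c->suid = s;
    return 0;
}

/* Replay of the bug: a binary setuid to `owner` is exec'd by `real`,
 * disable_priv_mode drops with bare setuid(real), then a loaded builtin
 * calls setuid(owner). Returns 1 if the euid is back to owner, 0 if the
 * regain is refused, -1 if the drop itself failed in the model. */
int bare_setuid_drop_is_bypassable(uid_t real, uid_t owner)
{
    cred_t c = { real, owner, owner }; /* credentials right after execve */
    if (model_setuid(&c, real) != 0)   /* the disable_priv_mode drop */
        return -1;
    return model_setuid(&c, owner) == 0 && c.euid == owner;
}

/* Same scenario, but the drop clears the saved UID as well. */
int setresuid_drop_is_bypassable(uid_t real, uid_t owner)
{
    cred_t c = { real, owner, owner };
    if (model_setresuid(&c, real, real, real) != 0)
        return -1;
    return model_setuid(&c, owner) == 0 && c.euid == owner;
}

/* Real drop for a setuid wrapper (assumed wrapper code, not bash's own
 * fix): clear real, effective and saved IDs, groups before users, then
 * read the IDs back instead of trusting the return codes alone.
 * Returns 0 when every ID equals the real one, -1 otherwise. */
int drop_privileges_hardened(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid(), rg, eg, sg;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;
    return 0;
}

int main(void)
{
    printf("bare setuid drop, owner 2000: bypassable=%d\n", bare_setuid_drop_is_bypassable(1000, 2000));
    printf("bare setuid drop, owner root: bypassable=%d\n", bare_setuid_drop_is_bypassable(1000, 0));
    printf("setresuid drop,   owner 2000: bypassable=%d\n", setresuid_drop_is_bypassable(1000, 2000));
    printf("hardened drop in this process: %s\n", drop_privileges_hardened() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The root-owned case is included deliberately: with euid 0 the bare setuid(uid) already clears all three IDs, so the model reports no bypass there, and the regain only works for binaries setuid to a non-root account. drop_privileges_hardened runs unprivileged too, since setting every ID to the current real ID is always permitted, which makes it a cheap self-check to keep in a wrapper.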