GNU Bash SUID Privilege Drop Vulnerability

Recently, a security researcher disclosed a 0-day vulnerability in /bin/bash, tracked as CVE-2019-18276. The vulnerability exists due to a bug in the privilege dropping feature of Bash.

Affected Versions:

Bash 5.0 Patch 11 and prior versions


An issue was discovered in disable_priv_mode() in shell.c of GNU Bash, which doesn’t handle the setuid bit correctly. If the real UID is different from the effective UID, Bash drops the SUID privilege but fails to drop the saved UID.

What is Real, Effective and Saved UID, as per the

Real UserID : The owner of the process.
Effective UserID : Normally the same as the Real UserID, but sometimes changed to enable a non-privileged user to access files that can only be accessed by root.
Saved UserID : Used when a process running with elevated privileges (generally root) needs to do some under-privileged work; this is achieved by temporarily switching to a non-privileged account.

An attacker with shell access can use “enable -f” to load a shared object file that calls setuid(), and is therefore able to recover the dropped privilege.
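One way for a set-uid program on Linux to drop privileges so that the saved UID goes too, and to verify that it did. This is an added example, not Bash's code and not part of the original post; the function names `privilege_recoverable` and `drop_privileges_permanently` are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc exposes these only under _GNU_SOURCE; declared here so the file
 * builds regardless of feature-test macro ordering. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Returns 1 when an ID triple still carries a privilege that can be
 * re-acquired: the effective or the saved ID differs from the real ID. */
int privilege_recoverable(uid_t ruid, uid_t euid, uid_t suid)
{
    return euid != ruid || suid != ruid;
}

/* Drops group, then user, privileges to the real IDs, clearing the saved
 * IDs as well, and verifies the UIDs. Returns 0 on success, -1 on failure;
 * a caller should abort on -1 rather than continue half-privileged. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), r, e, s;
    gid_t rgid = getgid();

    /* Groups first: standard ordering, because changing GIDs can
     * require the privileged UID that is about to be given up. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Set real, effective AND saved UID; a non-root setuid(ruid) would
     * change only the effective UID and leave the saved UID behind. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Do not trust the return code alone: read the IDs back. */
    if (getresuid(&r, &e, &s) != 0 || privilege_recoverable(r, e, s))
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    puts("real, effective and saved UID now match");
    return 0;
}
```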

Proof of concept:

A proof-of-concept to exploit this vulnerability was released on Exploit-DB.

Bash Owned by ‘Victim’ user with suid
Secret file in Victim’s directory
Attacker (mikey) doesn’t have permission to read victim’s secret file
Successful exploitation using victim’s effective User ID (owner of the SUID /bin/bash binary)

Users can also use this docker image to reproduce the vulnerability.

Alice recovered the dropped privilege of bob


Qualys customers can scan their network with QID#372268 to detect vulnerable assets. Linux vendors such as Red Hat, Ubuntu, etc. have not yet released their official advisories for patches. Qualys will add a few more QIDs as soon as the advisories are released.

Please continue to follow Qualys Threat Protection for more coverage of vulnerabilities.
