Warning
This only works on versions of Bash before v4.4!
When Bash is in debugging mode (SHELLOPTS=xtrace
), the $PS4
prompt is used to display debugging information.
It would appear that this prompt somehow inherits the permissions of the executable being run. This includes SUID/SGID permissions (at least for Bash < 4.4)!
If you have access to a SUID/SGID executable, this can be abused to create root shells:
Again, this only works if the calling application is relying on the current shell for helper execution.