Bugtraq mailing list archives

Re: BASH buffer overflow, LiNUX x86 exploit

From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sat, 19 Sep 1998 19:14:06 -0700


While experimentin with MiG's exploit, I've discovered another ramification of this form of
vulnerability: the locate facility.  If you leave the huge directory tree that this exploit
builds lying around over night, and you have locate installed in your crontab (default in Red
Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
Result:  if root uses locate to find something (very common while sysadmin is trying to
fix/find something) then the attacker may get root privs via the locate command.

Related question:  I have been unable to get MiG's exploit to work.  I have RH 5.1 installed,
but I made sure to get bash 1.14.7(1) to test it.  It builds the big nasty directory tree, but
cd'ing to it as instructed just produces a seg fault.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98

Current thread:

BASH buffer overflow, LiNUX x86 exploit MiG (Sep 05)
- <Possible follow-ups>
- Re: BASH buffer overflow, LiNUX x86 exploit Crispin Cowan (Sep 19)
  - Re: BASH buffer overflow, LiNUX x86 exploit J. Joseph Max Katz (Sep 19)
  - Locate overflow / Promiscuous mode / Posting tips David J. Meltzer (Sep 19)