Bugtraq mailing list archives
Re: BASH buffer overflow, LiNUX x86 exploit
From: jkatz () CPIO NET (J. Joseph Max Katz)
Date: Sat, 19 Sep 1998 22:48:46 -0700
Hmmmmmm, locate. Long filenames affect locate on all platforms. One of the places where I contract uses locate regularly on SunOS, AIX, Solaris and HP/UX. On most if not all of those platforms, locate seg faults on large file names.

-Jon

So what? ASCII can't do my car justice.
Jonathan Katz, CEO
CPIO Networks, Inc.
(408) 569-7092
jkatz () cpio net
http://www.cpio.net
"offering OpenBSD technical support, on-site Unix and network security services and training."

On Sat, 19 Sep 1998, Crispin Cowan wrote:

:Date: Sat, 19 Sep 1998 19:14:06 -0700
:From: Crispin Cowan <crispin () CSE OGI EDU>
:To: BUGTRAQ () NETSPACE ORG
:Subject: Re: BASH buffer overflow, LiNUX x86 exploit
:
:While experimenting with MiG's exploit, I've discovered another ramification of this form of
:vulnerability: the locate facility. If you leave the huge directory tree that this exploit
:builds lying around over night, and you have locate installed in your crontab (default in Red
:Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
:Result: if root uses locate to find something (very common while sysadmin is trying to
:fix/find something) then the attacker may get root privs via the locate command.
:
:Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed,
:but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but
:cd'ing to it as instructed just produces a seg fault.
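The abnormally deep directory trees described above are what updatedb later feeds to locate, so an administrator can look for them before the nightly cron run. The following shell function is an added example, not code from any poster in this thread; the function names and the default threshold of 1024 characters are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): report every filesystem entry
# whose full pathname exceeds a length threshold, so an administrator can spot
# an unusually deep directory tree before updatedb indexes it for locate.
# Assumed names: find_long_paths, count_long_paths; default LIMIT of 1024 is
# a hypothetical threshold, not a value from the thread.

# find_long_paths ROOT [LIMIT]
# Prints "<length> <path>" for each entry under ROOT whose pathname is longer
# than LIMIT characters. Exit status is 1 if any were found, 0 otherwise.
# Caveat: paths containing newline characters are measured per line.
find_long_paths() {
    root="$1"
    limit="${2:-1024}"
    find "$root" -print 2>/dev/null | awk -v lim="$limit" '
        length($0) > lim { print length($0) " " $0; found = 1 }
        END { if (found) exit 1; exit 0 }'
}

# count_long_paths ROOT [LIMIT]
# Same scan, but prints only the number of offending entries.
count_long_paths() {
    find_long_paths "$@" | wc -l | tr -d ' '
}

# Usage (uncomment to run against a real tree):
# find_long_paths /home 1024 || echo "long pathnames found under /home"
```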
Current thread:
- BASH buffer overflow, LiNUX x86 exploit MiG (Sep 05)
- <Possible follow-ups>
- Re: BASH buffer overflow, LiNUX x86 exploit Crispin Cowan (Sep 19)
- Re: BASH buffer overflow, LiNUX x86 exploit J. Joseph Max Katz (Sep 19)
- Locate overflow / Promiscuous mode / Posting tips David J. Meltzer (Sep 19)