Bugtraq mailing list archives

Re: BASH buffer overflow, LiNUX x86 exploit


From: jkatz () CPIO NET (J. Joseph Max Katz)
Date: Sat, 19 Sep 1998 22:48:46 -0700


Hmmmmmm, locate.

Long filenames affect locate on all platforms. One of the places
where I contract uses locate regularly on SunOS, AIX, Solaris and
HP/UX.  On most if not all of those platforms, locate seg faults
on large file names.

-Jon

me ---> ()   () <-- Gale
       _[]_._)(_
  /^\/  |     |  \/^\   So what? ASCII can't do my car justice.
  |*||  |  O  |  ||*|   Jonathan Katz, CEO CPIO Networks, Inc.
  [o]|  |  o  |  |[o]   (408) 569-7092 [ ] jkatz () cpio net
  \_/ \---------/ \_/   http://www.cpio.net [ ] "offering OpenBSD
 <|=| -[58vette]- |=|>   technical support, on-site Unix and
  |=|             |=|    network security services and training."

On Sat, 19 Sep 1998, Crispin Cowan wrote:

:Date: Sat, 19 Sep 1998 19:14:06 -0700
:From: Crispin Cowan <crispin () CSE OGI EDU>
:To: BUGTRAQ () NETSPACE ORG
:Subject: Re: BASH buffer overflow, LiNUX x86 exploit
:
:While experimenting with MiG's exploit, I've discovered another
:ramification of this form of vulnerability: the locate facility.  If
:you leave the huge directory tree that this exploit builds lying around
:overnight, and you have locate installed in your crontab (default in
:Red Hat Linux) then it builds a locate database entry that causes the
:locate command to seg fault.  Result:  if root uses locate to find
:something (very common while sysadmin is trying to fix/find something)
:then the attacker may get root privs via the locate command.
:
:Related question:  I have been unable to get MiG's exploit to work.
:I have RH 5.1 installed, but I made sure to get bash 1.14.7(1) to test
:it.  It builds the big nasty directory tree, but cd'ing to it as
:instructed just produces a seg fault.
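An added example, not from either poster: a small C walker a sysadmin can run before updatedb (or before root runs locate) to find the over-long pathnames this thread describes, written so that its own path buffer is bounded and checked on every append. It assumes a POSIX system with a writable /tmp; the names count_long_paths and demo are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count entries below the directory held in `buf` whose full path exceeds
 * `limit` bytes. `buf` has capacity `cap`; a child that would not fit is
 * counted but not entered, so the walker never overruns its own buffer the
 * way a fixed-size pathname buffer in locate or bash would. */
long count_long_paths(char *buf, size_t cap, size_t limit)
{
    DIR *d = opendir(buf);
    if (!d) return 0;                   /* unreadable: updatedb skips it too */
    long count = 0; size_t base = strlen(buf);
    struct dirent *e; struct stat st;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (base + 1 + strlen(e->d_name) >= cap) { count++; continue; }
        snprintf(buf + base, cap - base, "/%s", e->d_name);
        if (strlen(buf) > limit) count++;
        if (lstat(buf, &st) == 0 && S_ISDIR(st.st_mode))
            count += count_long_paths(buf, cap, limit);
        buf[base] = '\0';               /* restore the parent path */
    }
    closedir(d);
    return count;
}

/* Constructed input (hypothetical, for the test): a throw-away chain of four
 * 64-byte directory names under /tmp, deepest path 283 bytes. Returns the
 * count over that tree for `limit`, then removes the tree again. */
long demo(size_t limit)
{
    char tmpl[] = "/tmp/locate-demo-XXXXXX", name[65], path[512], buf[4096];
    if (!mkdtemp(tmpl)) return -1;
    memset(name, 'x', 64); name[64] = '\0';
    size_t len = strlen(tmpl); memcpy(path, tmpl, len + 1);
    for (int i = 0; i < 4; i++) {
        len += (size_t)snprintf(path + len, sizeof path - len, "/%s", name);
        if (mkdir(path, 0700) != 0) return -1;
    }
    snprintf(buf, sizeof buf, "%s", tmpl);
    long n = count_long_paths(buf, sizeof buf, limit);
    for (int i = 0; i < 4; i++) { rmdir(path); len -= 65; path[len] = '\0'; }
    rmdir(tmpl);
    return n;
}
```

Run it with a limit near the fixed buffer size of the locate build in use; any hit is a tree to remove before the nightly updatedb indexes it.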