Bugtraq mailing list archives
Bash memory exhaustion (was Re: Multiple vendors FTP denial of service)
From: Nick Lamb <njl98r () ECS SOTON AC UK>
Date: Mon, 19 Mar 2001 18:01:29 +0000
On Mon, Mar 19, 2001 at 10:24:43AM -0700, Elias Levy wrote:
> From: Liviu Sas <liviu () bv ro>
>
> Looks like bash 2.04.0(1)-release on Linux, and older, are also vulnerable to this bug ... a `ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*` command makes bash eat all memory and CPU available, making the machine crash.
The machine will only crash if you've instructed it to allow bash to allocate memory indefinitely. Unless you trust your users not to be malicious or incompetent, you should have kernel-enforced limits in place to prevent this. Set limits on userspace processes, in e.g. Red Hat's /etc/security/limits.conf, and ensure that your limits reflect the capabilities of the hardware. Getting this perfect is very hard, but getting it good enough to deter casual vandals or thoughtless users is quite easy.

It is arguable that the FTP daemon is responsible for doing argument checking to prevent DoS attacks, but bash can hardly be held to the same standard.

Nick.
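The kernel-enforced limit Nick describes can be tried interactively before committing it to limits.conf. The script below is an added example, not code from the thread: `run_capped` applies an address-space cap (`ulimit -v`, i.e. RLIMIT_AS in KiB) inside a subshell and runs a command under it, and `hog` is a constructed memory-hungry awk program standing in for a runaway glob expansion. The 128 MiB cap and the allocation sizes are arbitrary values chosen for the demonstration; a real cap must reflect the machine's memory.

```shell
#!/bin/sh
# Added example (not from the original post): cap the address space of one
# command so a runaway allocation gets ENOMEM in that process instead of
# starving the whole machine.

# run_capped KIB command [args...]
# Runs the command (an executable or a shell function) in a subshell whose
# RLIMIT_AS soft and hard limits are set to KIB kibibytes. The subshell keeps
# the cap from leaking into the caller. Exit status is that of the command,
# so a process that was denied memory reports non-zero here.
run_capped() {
    cap_kib=$1
    shift
    ( ulimit -v "$cap_kib" && "$@" ) 2>/dev/null
}

# hog N: allocate roughly 2^N bytes by repeated string doubling. Plain awk is
# used because it is present on every Unix box; the doubling loop is the
# constructed "bad input" that keeps asking for more memory.
hog() {
    awk -v n="$1" 'BEGIN { s = "x"; for (i = 0; i < n; i++) s = s s; exit 0 }'
}

# Demonstration with an arbitrary 128 MiB cap (131072 KiB):
#   a 1 KiB allocation (2^10) fits and the command succeeds;
#   a ~512 MiB allocation (2^29) exceeds the cap, the kernel refuses the
#   mapping, awk aborts with an out-of-memory error, and the caller sees a
#   non-zero status while the rest of the system is untouched.
demo() {
    if run_capped 131072 hog 10; then
        echo "small allocation under cap: ok"
    else
        echo "small allocation under cap: unexpectedly failed"
    fi
    if run_capped 131072 hog 29; then
        echo "large allocation under cap: ran to completion (cap not enforced?)"
    else
        echo "large allocation under cap: denied, as intended"
    fi
}

# Only run the demo when executed directly, not when sourced for reuse.
case "$0" in
    *sh) : ;;
    *) demo ;;
esac
```

The persistent, per-login form of the same control is a line in `/etc/security/limits.conf` such as `* hard as 1048576` (item `as` is the address-space limit in KiB, applied by pam_limits at login), which is the kind of entry Nick's post refers to. Note that `ulimit -v` sets the hard limit as well as the soft one, so an unprivileged user cannot raise it again; that is the property that stops a hostile user from simply undoing the cap.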