Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: bash overflows

From: Jason Slagle <raistlin () tacorp net>
Date: Fri, 8 Jun 2001 11:06:09 -0400 (EDT)
On Tue, 5 Jun 2001, KF wrote:


I have seen at least one post for linux bash overflows but not much
follow up for other OS's.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26tid%3D13697%26end%3D2001-06-09%26threads%3D0%26start%3D2001-06-03%26
This seems to affect bash and csh and tcsh on SCO and SunOS both.

[6:55pm]@[medusa]#uname -a
SunOS medusa 5.7 Generic_106541-12 sun4m sparc SUNW,SPARCstation-5
[6:55pm]@[medusa]#gdb bash
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) run
Starting program: /usr/local/bin/bash
cannot stat /var/adm/utmpx.  Please "unset watch".
bash-2.03$ export TERM=`perl  -e 'print "A" x 7000'`

Program received signal SIGSEGV, Segmentation fault.
0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
(gdb) bt
#0  0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
#1  0xef7572d4 in setupterm () from /usr/lib/libcurses.so.1
#2  0xef758cd4 in tgetent () from /usr/lib/libcurses.so.1
Cannot access memory at address 0x41414179.
(gdb)


Actually, this looks like an ncurses overflow.

export TERM=`perl -e 'print "A" x 7000'`
export EDITOR=pico
chsh

Pico dumps core

Is it suid root when it does so?  If so it may be exploitable.

Jason

-- 
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /   ASCII Ribbon Campaign  . If dreams are like movies then memories
 X  - NO HTML/RTF in e-mail  .   are films about ghosts..
/ \ - NO Word docs in e-mail .     - Adam Duritz - Counting Crows
Previous By Date Next
Previous By Thread Next

Current thread: