Vulnerability Development mailing list archives
Re: bash overflows
From: Jason Slagle <raistlin () tacorp net>
Date: Fri, 8 Jun 2001 11:06:09 -0400 (EDT)
On Tue, 5 Jun 2001, KF wrote:
> I have seen at least one post for linux bash overflows but not much follow
> up for other OS's.
>
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26tid%3D13697%26end%3D2001-06-09%26threads%3D0%26start%3D2001-06-03%26
>
> This seems to affect bash and csh and tcsh on SCO and SunOS both.
>
> [6:55pm]@[medusa]#uname -a
> SunOS medusa 5.7 Generic_106541-12 sun4m sparc SUNW,SPARCstation-5
> [6:55pm]@[medusa]#gdb bash
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.7"...
> (gdb) run
> Starting program: /usr/local/bin/bash
> cannot stat /var/adm/utmpx. Please "unset watch".
> bash-2.03$ export TERM=`perl -e 'print "A" x 7000'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
> (gdb) bt
> #0  0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
> #1  0xef7572d4 in setupterm () from /usr/lib/libcurses.so.1
> #2  0xef758cd4 in tgetent () from /usr/lib/libcurses.so.1
> Cannot access memory at address 0x41414179.
> (gdb)
Actually, this looks like an ncurses overflow.

export TERM=`perl -e 'print "A" x 7000'`
export EDITOR=pico
chsh

Pico dumps core.  Is it suid root when it does so?  If so it may be
exploitable.

Jason

--
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172

/"\   .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
\ /   ASCII Ribbon Campaign   .  If dreams are like movies then memories
 X    - NO HTML/RTF in e-mail .  are films about ghosts..
/ \   - NO Word docs in e-mail . - Adam Duritz - Counting Crows
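The backtrace in the thread shows the terminal library copying the TERM environment variable into a fixed buffer with strcpy() inside setupterm(), and a set-uid program such as chsh that later calls tgetent() inherits whatever TERM its caller set. The following is an added example, not code from this thread or from any curses implementation, showing the defensive side: a privileged program validates the terminal name before the terminal library ever sees it, and falls back to a known-good default when validation fails. TERM_NAME_MAX, the helper names and the "dumb" fallback are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound we are willing to hand to the terminfo/termcap layer.
 * 64 bytes is an assumed, deliberately conservative limit; real terminal
 * names ("xterm-256color", "vt100") are far shorter than that. */
#define TERM_NAME_MAX 64

/* Return 1 if `term` looks like a plausible terminal name: non-NULL,
 * non-empty, shorter than TERM_NAME_MAX, and made only of characters that
 * appear in terminfo entry names (alphanumerics, '-', '+', '.', '_').
 * Anything else, including the 7000-byte run of 'A' from the thread, is
 * rejected before any library strcpy() can see it.  The length scan is
 * bounded so an unterminated or huge value is never walked to its end. */
int term_name_is_sane(const char *term) {
    if (term == NULL) return 0;
    size_t n = 0;
    while (n < TERM_NAME_MAX && term[n] != '\0') n++;
    if (n == 0 || n >= TERM_NAME_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!isalnum(c) && c != '-' && c != '+' && c != '.' && c != '_') return 0;
    }
    return 1;
}

/* Copy a validated terminal name into a caller-supplied buffer.
 * Returns 0 on success, -1 if the name fails validation or does not fit.
 * On failure `out` is the empty string, so a caller can never pick up a
 * truncated or hostile value by accident. */
int copy_term_name(const char *term, char *out, size_t outlen) {
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!term_name_is_sane(term)) return -1;
    size_t n = strlen(term);          /* safe: term_name_is_sane bounded it */
    if (n + 1 > outlen) return -1;
    memcpy(out, term, n + 1);
    return 0;
}

/* Decide which terminal name a privileged program should pass on:
 * the environment value if it validates, otherwise `fallback`. */
const char *choose_term_name(const char *env_term, const char *fallback,
                             char *out, size_t outlen) {
    if (copy_term_name(env_term, out, outlen) == 0) return out;
    return fallback;
}

/* Test helper: build a constructed name of `len` copies of `c` (the
 * thread's `perl -e 'print "A" x 7000'` value when len is 7000) and report
 * whether the validator rejects it.  Returns 1 if rejected, 0 if accepted,
 * -1 on allocation failure. */
int rejects_run_of(char c, size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return -1;
    memset(s, c, len);
    s[len] = '\0';
    int sane = term_name_is_sane(s);
    free(s);
    return sane ? 0 : 1;
}

int main(void) {
    char buf[TERM_NAME_MAX];
    const char *name = choose_term_name(getenv("TERM"), "dumb", buf, sizeof buf);
    printf("terminal name passed to the terminal library: %s\n", name);
    return 0;
}
```

Run with `TERM=$(perl -e 'print "A" x 7000') ./a.out` and the program reports "dumb"; with a normal TERM it reports the value unchanged. The same check belongs in front of any setenv() a privileged program performs before spawning an editor or pager, since a child such as pico inherits the environment exactly as the thread describes.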