Vulnerability Development mailing list archives
Bash Blues.
From: uk2sec () oakey no-ip com
Date: Thu, 13 Feb 2003 14:26:51 +0000 (GMT)
[ Moderator: Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a Segmentation Fault.

Work done was based on: GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu) (Redhat 7.3)

The basis for this advisory is theoretical - Although not a current security risk, a technique yet to be developed may allow exploitation.

Background:

During some work, I noticed GNU bash could be crashed by sending a malformed perl request to the terminal.

example:

`perl -e 'print "*/*" x 3500'`
<bash crashes>

(exact amount is: `perl -e 'print "*/*" x 2338'`)

This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and r23 on HPUX (11.00).

X86:  ecx: 0x2f2f2f2f 791621423
HPUX: r23: 2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the person who crashes the shell. Since bash is not suid, this isn't a big problem unless a special exploitation method can be created.

To reproduce the seg fault, you must enclose the perl request with ` `.

` perl -e.... etc.. `    CORRECT
perl -e.... etc..        DOESN'T WORK

We have looked at ways to generate an exploit for this, however so far nothing 'obvious' has been found. We tried creating a deep directory structure which would be followed by something like a /tmp directory watcher, however we are unable to create a directory 3500 folders deep. Perhaps something with sym-links could be used to do this, and the directory structure could contain our executable asm code? Not tested, just thoughts.

Furthermore we found several ways to decrease the performance of a linux machine to almost a stand still, however that is not part of this advisory and can be disabled using resource limits on the server.

For more information feel free to contact uk2sec () oakey no-ip com.

Thanks for your time,
uk2sec c0wd0g.

c0w_d0g3 () yahoo co uk
uk2sec () oakey no-ip com

Members: c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
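The following script is an added illustration and is not part of the original post or of any reply in this thread. It shows why the post's backticks are the deciding factor: the output of an unquoted command substitution is word-split and then passed through pathname expansion, so the generated `*/**/**/*...` pattern (which is what `"*/*" x N` produces) is handed to the shell's glob routine with one path component per `/`; the later subjects in this thread attribute the crash to recursion in that routine. The same output inside a double-quoted substitution is used literally and never reaches globbing. The directory tree, the `MAX_GLOB_DEPTH` bound and the `safe_expand` wrapper are constructed for this example; the bound is an assumption, not a value from the post, and the script deliberately never expands a pattern deep enough to stress the glob code.

```shell
#!/bin/sh
# Constructed example (not from the original post). Demonstrates the difference
# between an unquoted and a quoted command substitution, and a defensive depth
# check on a glob pattern before the shell is allowed to expand it.

# Build a small constructed directory tree and print its path.
make_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/a/b" "$d/c/d" || return 1
    printf '%s\n' "$d"
}

# Build the same string the post builds with perl: "*/*" repeated N times,
# which concatenates to */**/**/*... with N slashes.
repeat_pattern() {
    n=$1; s=''; i=0
    while [ "$i" -lt "$n" ]; do
        s="$s*/*"
        i=$((i + 1))
    done
    printf '%s' "$s"
}

# Expand pattern $2 inside directory $1 the way an unquoted `...` does:
# word splitting, then pathname expansion. One resulting word per line.
expand_unquoted() {
    ( cd "$1" && set -- $(printf '%s' "$2") && printf '%s\n' "$@" )
}

# Same, but with the substitution double-quoted: no splitting, no globbing.
expand_quoted() {
    ( cd "$1" && set -- "$(printf '%s' "$2")" && printf '%s\n' "$@" )
}

# Number of path separators in a pattern, i.e. how deep globbing would recurse.
pattern_depth() {
    printf '%s' "$1" | tr -cd '/' | wc -c | tr -d ' '
}

# Hypothetical defensive wrapper (assumption for this example): refuse to glob
# a pattern with more path components than a chosen bound.
MAX_GLOB_DEPTH=64
safe_expand() {
    depth=$(pattern_depth "$2")
    if [ "$depth" -gt "$MAX_GLOB_DEPTH" ]; then
        printf 'refusing pattern with %s path components\n' "$depth" >&2
        return 1
    fi
    expand_unquoted "$1" "$2"
}

demo() {
    t=$(make_tree) || exit 1
    echo "unquoted substitution of */* :"; expand_unquoted "$t" '*/*'
    echo "quoted substitution of */*   :"; expand_quoted "$t" '*/*'
    echo "depth of the post's 2338-repeat pattern: $(pattern_depth "$(repeat_pattern 2338)")"
    safe_expand "$t" "$(repeat_pattern 100)" || echo "(guard tripped, pattern never globbed)"
    rm -rf "$t"
}
demo
```

Running it prints the two matches `a/b` and `c/d` for the unquoted form, the literal `*/*` for the quoted form, a depth of 2338 for the pattern in the post, and the guard refusing the 100-repeat pattern. The practical lesson is the usual one: double-quote command substitutions whose output you do not intend to glob, and bound the depth of any pattern built from untrusted input before expanding it.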
Current thread:
- Bash Blues. uk2sec (Feb 13)
- Re: Bash Blues. Andrew Walkingshaw (Feb 13)
- Re: Bash Blues. Kurt Seifried (Feb 14)
- Re: Bash Blues. Dack (Feb 14)
- Re: Bash Blues. Roland Postle (Feb 14)
- glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) 3APA3A (Feb 15)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) Vladamir Shmirnov (Feb 15)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) Roland Postle (Feb 16)
- Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) spacewalker (Feb 16)
- glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) 3APA3A (Feb 15)
- Re: Bash Blues. Andrew Walkingshaw (Feb 13)
- Re: Bash Blues. TerraTrans Security (Feb 14)
- A different bash blues admin (Feb 15)