Vuln Dev
Thread index:
  Bash Blues. - Feb 13 2003 02:26PM - uk2sec (oakey no-ip com) (5 replies)
  Re: Bash Blues. - Feb 13 2003 05:34PM - Roland Postle (mail blazde co uk) (1 reply)
  glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) - Feb 15 2003 06:54AM - 3APA3A (3APA3A SECURITY NNOV RU) (1 reply)
  Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) - Feb 15 2003 09:30PM - Vladamir Shmirnov (red_vigil yahoo com) (2 replies)
  Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) - Feb 16 2003 10:19AM - spacewalker (spacewalker altern org)
  Re: glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) - Feb 16 2003 01:54AM - Roland Postle (mail blazde co uk)
  Re: Bash Blues. - Feb 13 2003 05:29PM - TerraTrans Security (NimaDeus pandora be) (1 reply)
-----Original Message-----
From: uk2sec (at) oakey.no-ip (dot) com [email concealed] [mailto:uk2sec (at) oakey.no-ip (dot) com [email concealed]]
Sent: Friday, 14 February 2003 12:27 AM
To: vuln-dev (at) securityfocus (dot) com [email concealed]
Subject: Bash Blues.
[ Moderator: Post Edited Accordingly ]
uk2sec /bin/bash Advisory
By sending a perl request on the GNU bash terminal we can cause a
Segmentation Fault.
Work done was based on:
GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
(Redhat 7.3)
The basis for this advisory is theoretical - Although not a current
security risk, a technique yet to be developed may allow exploitation.
Background:
During some work, I noticed GNU bash could be crashed by sending a
malformed perl request to the terminal.
example: `perl -e 'print "*/*" x 3500'`
<bash crashes>
(exact amount is: `perl -e 'print "*/*" x 2338'`)
This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and
r23 on HPUX (11.00).
X86: ecx: 0x2f2f2f2f 791621423
HPUX r23: 2f2f2f2f00001e6e
This overflow may allow us to execute arbitrary code with the uid of the
person who crashes the shell. Since bash is not suid, this isn't a big
problem unless a special exploitation method can be created.
To reproduce the seg fault, you must enclose the perl request with ` ` .
` perl -e.... etc.. ` CORRECT
perl -e.... etc.. DOESN'T WORK
We have looked at ways to generate an exploit for this, however so far
nothing 'obvious' has been found. We tried creating a deep directory
structure which would be followed by something like a /tmp directory
watcher, however we are unable to create a directory 3500 folders deep.
Perhaps something with sym-links could be used to do this, and the
directory structure could contain our executable asm code? Not tested,
just thoughts.
Furthermore we found several ways to decrease the performance of a linux
machine to almost a stand still, however that is not part of this
advisory and can be disabled using resource limits on the server. For
more information feel free to contact uk2sec (at) oakey.no-ip (dot) com. [email concealed]
Thanks for your time,
uk2sec
c0wd0g.
c0w_d0g3 (at) yahoo.co (dot) uk [email concealed]
uk2sec (at) oakey.no-ip (dot) com [email concealed]
Members:
c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
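The post notes that the crash only happens when the perl command is wrapped in backticks. The reason is a shell rule rather than anything perl-specific: the output of an unquoted command substitution is subject to word splitting and pathname (glob) expansion, so a long run of "*/*" becomes a glob pattern that the shell's matcher has to walk one directory level per "/". The script below is an added example, not code from the original post or its author; it builds the same pattern with a small, harmless repeat count, constructs a tiny directory tree, and shows that the unquoted form expands against the filesystem while the double-quoted form is passed through as a single literal word (the usual way to keep untrusted command output out of glob expansion).

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates that an unquoted
# command substitution is glob-expanded, while a quoted one is not.

# Build the same string as `perl -e 'print "*/*" x N'`, for a small N.
build_pattern() {
    n=$1 out='' i=0
    while [ "$i" -lt "$n" ]; do
        out="${out}*/*"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Constructed directory tree so that the pattern "*/*" has two matches:
#   <tmp>/a/x and <tmp>/b/y
setup_tree() {
    d=$(mktemp -d)
    mkdir "$d/a" "$d/b"
    : > "$d/a/x"
    : > "$d/b/y"
    printf '%s' "$d"
}

# Number of words the shell produces when the substitution is unquoted:
# the output "*/*" is word-split and then glob-expanded against the tree.
words_unquoted() {
    ( cd "$1" && set -- $(build_pattern 1) && echo $# )
}

# Number of words when the substitution is double-quoted: the output is
# one literal word and no pathname expansion takes place.
words_quoted() {
    ( cd "$1" && set -- "$(build_pattern 1)" && echo $# )
}

tree=$(setup_tree)
echo "unquoted: $(words_unquoted "$tree") words (expanded to a/x b/y)"
echo "quoted:   $(words_quoted "$tree") word (literal */*)"
rm -rf "$tree"
```

With the repeat count raised to the value in the post, the unquoted form hands the glob matcher a pattern of 2338 directory levels; the quoted form hands it nothing at all, which is why quoting command substitutions (or using them only as arguments to programs that do not glob) is the standard hardening for scripts that echo untrusted output back into the shell.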