Bugtraq mailing list archives
Re: Buffer overflow in /bin/bash
From: doctorkb () NETBISTRO COM (Kris Benson)
Date: Tue, 26 Aug 1997 17:01:53 -0700
On Thu, 21 Aug 1997, Razvan Dragomirescu wrote:
> PS1=\h:\w\$

[deletia]

> By writing past the end of this buffer, you can execute arbitrary code.

A similar thing can be accomplished with back ticks... try this:

    PS1="\h:\w \`ls -C\`"

It's a little easier, and (seemingly) accomplishes the same thing, does it not, in addition to being platform independent?

If someone can modify your prompt, chances are they also have the ability to modify your path. This could include a directory right at the start of the path that has a trojan version of su(1) or something similar installed.

Buffer overflows are cool, but more obvious things can be even more insecure.

I'm not sure either of these is really a security hole, but they may be considered bugs -- something worth noting would be that no one should be able to change these variables on you -- your .profile should be writeable only by owner, and possibly only readable by owner, as well.

-kb
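
The checks this message recommends (startup files writable only by their owner, no directory in the path that another user can write to), sketched as an added example that is not part of the original post. The function names and the list of startup files are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: audit shell startup files and PATH entries for loose permissions.

# Succeeds when the target (symlinks followed) is writable by group or others.
# Parses the mode string from ls so it works with both GNU and BSD userlands.
is_loose() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;   # position 6 = group w, 9 = other w
    esac
    return 1
}

# Print each startup file under the given home directory that someone other
# than the owner can modify (and so could use to change PS1 or PATH).
audit_startup_files() {
    for name in .profile .bash_profile .bash_login .bashrc; do
        f="$1/$name"
        [ -e "$f" ] || continue
        if is_loose "$f"; then echo "LOOSE $f"; fi
    done
}

# Print entries of a PATH-style string that would let another user plant a
# binary (for example a fake su) ahead of the real one.
audit_path() (
    list="$1:"        # trailing ':' keeps a final empty entry from being lost
    IFS=:
    set -f            # no globbing while splitting
    for dir in $list; do
        case "$dir" in
            "")  echo "CWD (empty entry)" ;;
            /*)  if is_loose "$dir"; then echo "WRITABLE $dir"; fi ;;
            *)   echo "RELATIVE $dir" ;;
        esac
    done
)

# Audit the current account when run directly.
audit_startup_files "${HOME:-/}"
audit_path "${PATH:-}"
```

Any line of output is something to fix: tighten the file or directory mode, or drop the entry from the path.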