Vulnerability Development mailing list archives

RE: Buffer overflow in awk


From: Mike Batchelder <mikeb () counterpane com>
Date: Fri, 15 Mar 2002 09:43:10 -0800

Maybe I haven't had enough coffee this morning, but assuming one can exploit this, how likely is it that you will gain 
anything by it?  I can't see awk being used in cgi, or in any situation where privileges are likely to be gained.  Am I 
missing something?

binky

|-----Original Message-----
|From: keoki [mailto:keoki () techie com]
|Sent: Thursday, March 14, 2002 7:41 PM
|To: vuln-dev () securityfocus com
|Subject: Buffer overflow in awk
|
|
|
|
|A buffer overflow exists in awk (named awk on most 
|systems, but actually is gawk/GNU awk) when calling 
|the -f option, to include an awk script, and supplying a 
|filename with a buffer length of 1022 and up. 
|
|
|[root@neural keoki]# awk -f `perl -e 'print "A" x 1022'` 
|awk: fatal error: internal error 
|Abort (core dumped) 
|[root@neural keoki]# awk -f `perl -e 'print "A" x 2048'` 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAA: fatal error: internal error 
|Abort (core dumped) 
|[root@neural keoki]# 
|
|The bug exists in io.c in function do_pathopen 
|
|/* do_pathopen --- search $AWKPATH for source file */
|
|static int
|do_pathopen(file)
|const char *file;
|{
|    static const char *savepath = NULL;
|    static int first = TRUE;
|    const char *awkpath;
|    char *cp, trypath[BUFSIZ];
|    int fd;
|
|    if (STREQ(file, "-"))
|        return (0);
|
|    if (do_traditional)
|        return (devopen(file, "r"));
|
|    if (first) {
|        first = FALSE;
|        if ((awkpath = getenv("AWKPATH")) != NULL && *awkpath)
|            savepath = awkpath;    /* used for restarting */
|        else
|            savepath = defpath;
|    }
|    awkpath = savepath;
|
|    /* some kind of path name, no search */
|    if (ispath(file))
|        return (devopen(file, "r"));
|
|    do {
|        trypath[0] = '\0';
|
|        /* this should take into account limits on size of trypath */
|        for (cp = trypath; *awkpath && *awkpath != envsep; )
|            *cp++ = *awkpath++;
|
|        if (cp != trypath) {    /* non-null element in path */
|            /* add directory punctuation only if needed */
|            if (! isdirpunct(*(cp-1)))
|                *cp++ = '/';
|            /* append filename */
|            strcpy(cp, file);
|        } else
|            strcpy(trypath, file);
|        if ((fd = devopen(trypath, "r")) > INVALID_HANDLE)
|            return (fd);
|
|        /* no luck, keep going */
|        if (*awkpath == envsep && awkpath[1] != '\0')
|            awkpath++;    /* skip colon */
|    } while (*awkpath != '\0');
|    /*
|     * You might have one of the awk paths defined, WITHOUT the current
|     * working directory in it. Therefore try to open the file in the
|     * current directory.
|     */
|    return (devopen(file, "r"));
|}
|
|
|It can also be crashed with an env variable as follows 
|
|[root@neural keoki]# env AWKPATH=`perl -e 'print "A" x 2048'` awk -f xx 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
|AAAAAAAAAAAA/e/keoki: fatal error: internal error 
|Abort (core dumped) 
|[root@neural keoki]# 
|
|
|
|This was tested on the FreeBSD platform (fbsd 4.0 && 
|4.4) against awk (which is actually gnu awk) versions 
|3.0.6 && 3.0.4 
|
|[root@neural keoki]# awk -W version | sed -n '1p' 
|GNU Awk 3.0.6 
|[root@neural keoki]# 
|
|[root@keoki][~]# awk -W version | sed -n '1p' 
|GNU Awk 3.0.4 
|[root@keoki][~]# 
|
|
|This was also tested on caldera and mandrake, and 
|worked, but using a significantly higher buffer length. 
|
|
|Shouts: aho, weinberger, kernighan and #ch0wn 
|
|
|-- keoki 
|-- keoki () techie com 
|-- http://sleek.cyberarmy.com 
|


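The quoted do_pathopen copies each $AWKPATH element, a '/' and the file name into trypath[BUFSIZ] with no length check, which is why both an oversized -f argument and an oversized AWKPATH element abort the process. The following is an added example, not gawk's code and not part of this thread: a bounds-checked reimplementation of the same search loop, in which every copy is checked against the destination size and a candidate that would not fit is skipped rather than written past the buffer. The names (join_path, find_in_path, demo_exists, demo_long_element, TRYPATH_SIZE) and the fake file system driving the search are assumptions made for this example.

```c
/* Added example, not gawk's code: a bounds-checked $AWKPATH search
 * modelled on do_pathopen. Names and the fake file system are
 * constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TRYPATH_SIZE 1024   /* stands in for BUFSIZ on the reporter's platform */
#define ENVSEP ':'

/* Hypothetical "does this path exist" callback, so the search can run
 * against a fake file system instead of calling open(2). */
typedef int (*exists_fn)(const char *path);

/* Build "<dir>/<file>" into out. Returns 0 on success, -1 if the result
 * (including the NUL) would not fit in outsz bytes. */
int join_path(char *out, size_t outsz, const char *dir, size_t dirlen,
              const char *file)
{
    size_t filelen = strlen(file);
    size_t need = filelen + 1;          /* file + terminating NUL */
    int add_slash = 0;

    if (dirlen > 0) {
        add_slash = dir[dirlen - 1] != '/';
        need += dirlen + (size_t)add_slash;
    }
    if (need > outsz)
        return -1;                      /* refuse instead of overflowing */

    memcpy(out, dir, dirlen);
    if (add_slash)
        out[dirlen++] = '/';
    memcpy(out + dirlen, file, filelen + 1);
    return 0;
}

/* Walk awkpath element by element (the do/while in do_pathopen), try each
 * candidate, then fall back to the bare file name. Returns 0 and fills out
 * on success, -1 if nothing was found. Elements whose joined path would not
 * fit are skipped and counted in *skipped. */
int find_in_path(const char *awkpath, const char *file, exists_fn exists,
                 char *out, size_t outsz, int *skipped)
{
    const char *p = awkpath;
    *skipped = 0;

    /* "some kind of path name, no search" */
    if (strchr(file, '/') != NULL)
        return (join_path(out, outsz, "", 0, file) == 0 && exists(out)) ? 0 : -1;

    for (;;) {
        const char *end = strchr(p, ENVSEP);
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);

        if (join_path(out, outsz, p, dirlen, file) == 0) {
            if (exists(out))
                return 0;
        } else {
            (*skipped)++;               /* too long: skip, do not overflow */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    /* not found via AWKPATH: try the current directory, as gawk does */
    return (join_path(out, outsz, "", 0, file) == 0 && exists(out)) ? 0 : -1;
}

/* Constructed fake file system for the example. */
static const char *const fake_files[] = { "/usr/share/awk/lib.awk", "local.awk" };

int demo_exists(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof fake_files / sizeof fake_files[0]; i++)
        if (strcmp(fake_files[i], path) == 0)
            return 1;
    return 0;
}

/* Reproduce the report's oversized AWKPATH element (2048 'A's) followed by
 * a sane element; the oversized one is skipped instead of crashing. */
int demo_long_element(char *out, size_t outsz, int *skipped)
{
    static char awkpath[2048 + 32];
    memset(awkpath, 'A', 2048);
    strcpy(awkpath + 2048, ":/usr/share/awk");
    return find_in_path(awkpath, "lib.awk", demo_exists, out, outsz, skipped);
}

int main(void)
{
    char buf[TRYPATH_SIZE];
    int skipped;
    if (find_in_path(".:/usr/share/awk", "lib.awk", demo_exists, buf, sizeof buf, &skipped) == 0)
        printf("found %s\n", buf);
    if (demo_long_element(buf, sizeof buf, &skipped) == 0)
        printf("found %s after skipping %d oversized element(s)\n", buf, skipped);
    return 0;
}
```

The design choice is to compute the required length before any copy and treat an oversized candidate as "not found" for that element; the search continues with the remaining elements, so a long but harmless AWKPATH entry degrades to a missed lookup rather than a crash or a corrupted stack frame.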