Vulnerability Development mailing list archives
Re: Bash Blues.
From: "Kurt Seifried" <kurt () seifried org>
Date: Thu, 13 Feb 2003 21:31:46 -0800
uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a Segmentation Fault.

Work done was based on:
GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
(Redhat 7.3)

Interesting. Logged in via ssh to a Red Hat 7.3 and an 8.0 system (both are completely up to date); doing that command immediately logs me out (bash falls down badly). Other than that the system is fine, no weird load/etc. For a quick moment bash spikes, but 2.5% CPU usage on a 600 MHz Cyrix processor is not exactly scary; ditto for memory, 1.2% out of 248 megs (256 - 8 for the built-in video) is not worrying. No resource limits are placed on bash via ulimit or the session via pam limits, so it's not booting me out because of that.

CPU states:  2.5% user,  2.3% system,  0.0% nice, 95.0% idle
Mem:   247516K av,  239088K used,    8428K free,       0K shrd,   61180K buff
Swap:  262072K av,   14456K used,  247616K free                  109576K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
  370 seifried  16   0  3112 3112  1096 R     2.5  1.2   0:00 bash
  769 postfix   15   0  1256 1104  1000 S     0.7  0.4  13:52 qmgr
  366 seifried  15   0  1064 1064   820 R     0.7  0.4   0:00 top
  606 root      15   0  1356 1272  1188 S     0.1  0.5   0:47 sshd

On Solaris with bash from sunfreeware (I think):

$ /usr/local/bin/bash
bash-2.05$ /usr/local/bin/bash --version
GNU bash, version 2.05.0(1)-release (sparc-sun-solaris2.8)
Copyright 2000 Free Software Foundation, Inc.
bash-2.05$ uname -a
SunOS sparkplug 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-1
bash-2.05$ `perl -e 'print "*/*" x 2338'`
Segmentation Fault - core dumped

Takes a few seconds but then it seg faults. Who knows, maybe it is exploitable.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/