Re: CVE Request: Overflow fix in bash 4.2 patch 33

[Marcus Meissner <meissner () suse de>]

On Wed, Jul 11, 2012 at 11:29:22AM -0600, Kurt Seifried wrote:
> On 07/11/2012 10:15 AM, Marcus Meissner wrote:
> > Hi,
> >
> > the bash maintainer kindly mailed us and other vendors a
> > notification of a overflow in the bash "test" builtin when
> > "/dev/fd/..." filenames are used.
> >
> > ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033
> >
> > Reproducer: test -e /dev/fd/111111111111111111111111111111111
> >
> > Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely
> > also by -fstack-protector (not tested)
> >
> > Goes all the way back to old bashes.
> >
> > The likeliness of people able to inject those filenames into shell
> > scripts and not being able to execute shellcode themselves is
> > however slim. (setuid root shell scripts are not possible.)
> >
> > Security (CVE) relevant scenario we thought of is breaking out of
> > a restricted shell mode.
> >
> > Ciao, Marcus
>
> Can you give a more concrete example, e.g. you're talking about
> http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
> I assume? Are we simply talking about violating those restrictions?

Yes. Breaking out of the restricted shell using this issue.

$ bash -r
bash: /dev/pts/9: Gesperrt: Die Ausgabe darf nicht umgeleitet werden.
$ test -f /dev/fd/111111111111111111111111111111111111111111111111111111111111111
*** buffer overflow detected ***: bash terminated
...

So basically without fortification measures you can inject a ASCII based
shell-code to execute code you shouldn't.

(One can argue that of how secure you evaluate restricted shells ...)

Ciao, Marcus