Vulnerability Development mailing list archives

Re: Buffer overflow in awk


From: Jeff Fields <admin () forsite net>
Date: Mon, 18 Mar 2002 14:09:03 -0500 (EST)

[xplosive@dr4g0n]~$ echo 'BEGIN {system("id")}' | awk -f /dev/stdin
uid=500(xplosive) gid=500(xplosive) groups=500(xplosive)

?

On Sun, 17 Mar 2002, Pavel Kankovsky wrote:

Date: Sun, 17 Mar 2002 15:48:43 +0100 (MET)
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
To: Kurt Seifried <bugtraq () seifried org>
Cc: vuln-dev () securityfocus com
Subject: Re: Buffer overflow in awk

On Fri, 15 Mar 2002, Kurt Seifried wrote:

So you are willing to guarantee to us that this awk bug will never be
exploitable by an attacker in any circumstance? Cool. Oh wait, that's
totally bogus.

No. I can guarantee that a person who can pass arbitrary values to awk's
-f option controls the account running such an instance of (GNU) awk
without having to resort to the buffer overflow being discussed.

Just try those two commands:

  echo 'BEGIN {system("command of your choice")}' > /tmp/blah
  awk -f /tmp/blah

Or this single command:

  echo 'BEGIN {system("command of your choice")}' | awk -f /dev/stdin

Of course, the buffer overflow is a bug and it should be fixed.
But it is not a real security hole because -f's parameter is a trusted
input channel.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


-- 

---------------------------------------------------
Jeff Fields <admin () forsite net> - 1 (877) 467-2748
ForSite Web Services, Inc. - http://www.forsite.com
---------------------------------------------------
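The point made in the quoted message (the text handed to -f is program, so whoever supplies it owns the process, while the data awk reads is only data) can be turned into a small defensive wrapper. The following is an added example, not code from the thread or from any awk project; the helper names, the sample strings and the script files it creates are constructed for the demonstration, and it assumes a POSIX sh, awk, find and id.

```sh
#!/bin/sh
# Added example, not code from the thread. The text given to awk -f is PROGRAM,
# so whoever supplies it controls the process; text read by awk is only DATA.
# The sample strings and script files below are constructed for this demo.
# Assumes POSIX sh, awk, find and id.

# Untrusted input handled as DATA: the awk program is a fixed literal and the
# input only flows through stdin. The string may look like awk source, but awk
# never interprets it as such, so nothing in it can be executed.
first_word() {
    printf '%s\n' "$1" | awk '{ print $1; exit }'
}

# Trust check for a file that is about to be passed to -f: it must be a regular
# file, owned by the effective user, and not writable by group or others,
# otherwise another local user could rewrite the program text before it runs.
# Returns 0 when the file is acceptable, 1 otherwise.
script_is_trusted() {
    f=$1
    [ -f "$f" ] || return 1
    # find prints the path only when every predicate holds; -perm -020 and
    # -perm -002 test the group-write and other-write bits.
    [ -n "$(find "$f" -user "$(id -u)" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Wrapper that enforces the check before awk is allowed to read program text.
run_trusted_script() {
    if ! script_is_trusted "$1"; then
        echo "refusing to run untrusted awk program: $1" >&2
        return 2
    fi
    awk -f "$1"
}

# Demonstration: a private script is run, a world-writable copy is refused.
demo() {
    d=$(mktemp -d) || return 1
    printf 'BEGIN { print "hello from trusted program" }\n' > "$d/ok.awk"
    chmod 600 "$d/ok.awk"
    cp "$d/ok.awk" "$d/shared.awk"
    chmod 666 "$d/shared.awk"
    first_word 'BEGIN {system("id")}'      # prints: BEGIN (treated as data)
    run_trusted_script "$d/ok.awk"         # prints: hello from trusted program
    run_trusted_script "$d/shared.awk"     # refused, message on stderr
    rm -rf "$d"
}
demo
```

The check is deliberately about ownership and write permission rather than about scanning the script for "system(" or similar: awk has several ways to run or read external programs, so the only workable control is to make sure nobody untrusted can write what goes into -f, exactly the trust boundary the message above describes.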