Re: Buffer overflow in awk

[Jirka Kosina <jikos () jikos cz>]

On Mon, 18 Mar 2002, Jeff Fields wrote:

> > > So you are willing to guarentee to us that this awk bug will never be
> > > exploitable by an attacker in any circumstance? Cool. Oh wait, that's
> > > totally bogus.
> > No. I can guarantee that a person who can pass arbitrary values to awk's
> > -f option controls the account running such an instance of (GNU) awk
> > without having to resort to the buffer overflow being discussed.
> [xplosive@dr4g0n]~$ echo 'BEGIN {system("id")}' | awk -f /dev/stdin
> uid=500(xplosive) gid=500(xplosive) groups=500(xplosive)
> ?

What's unclear about that?

If you are somehow able to pass commands to 'awk -f' process running under 
another user's priviledges, you don't have to bother with that buffer 
overflow, which of course is a bug to be fixed, but you can simply run any 
command with that other user's priviledges using awk's system() function.

-- 
JiKos.