Vulnerability Development mailing list archives

RE: Bash Blues.


From: "Adam Gilmore" <vuln () optusnet com au>
Date: Fri, 14 Feb 2003 07:44:47 +1000

Verified on Mandrake 8.1, Redhat 7.0 and Debian 3.0.

-----Original Message-----
From: uk2sec () oakey no-ip com [mailto:uk2sec () oakey no-ip com] 
Sent: Friday, 14 February 2003 12:27 AM
To: vuln-dev () securityfocus com
Subject: Bash Blues. 

[ Moderator:  Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a 
Segmentation Fault.

Work done was based on:
        GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
        (Redhat 7.3)

The basis for this advisory is theoretical - although not a current 
security risk, a technique yet to be developed may allow exploitation.

Background:

During some work, I noticed GNU bash could be crashed by sending a 
malformed perl request to the terminal.

        example:        `perl -e 'print "*/*" x 3500'`
                        <bash crashes>

(exact amount is: `perl -e 'print "*/*" x 2338'`)

This crash overwrites the ecx register on X86 (linux RH 7.3) systems,
and r23 on HPUX (11.00).

        X86:            ecx:    0x2f2f2f2f      791621423
        HPUX            r23:    2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the
person who crashes the shell.  Since bash is not suid, this isn't a big
problem unless a special exploitation method can be created.

To reproduce the seg fault, you must enclose the perl request with ` ` .

`  perl -e.... etc..  `       CORRECT
   perl -e.... etc..          DOESN'T WORK

We have looked at ways to generate an exploit for this, however so far 
nothing 'obvious' has been found.  We tried creating a deep directory 
structure which would be followed by something like a /tmp directory 
watcher, however we are unable to create a directory 3500 folders deep.

Perhaps something with sym-links could be used to do this, and the 
directory structure could contain our executable asm code?  Not tested,
just thoughts.

Furthermore we found several ways to decrease the performance of a linux 
machine to almost a stand still, however that is not part of this 
advisory and can be disabled using resource limits on the server.  For 
more information feel free to contact uk2sec () oakey no-ip com.

Thanks for your time,

uk2sec

c0wd0g.

c0w_d0g3 () yahoo co uk
uk2sec () oakey no-ip com

Members:
c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
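The post notes that the crash only reproduces when the perl command is wrapped in backticks. The reason is that the output of an unquoted command substitution is word-split and then pathname-expanded by the shell, so the long `*/*...` string is handed to bash's glob matcher, not just printed. The script below is an added example (not from the advisory or its authors) that demonstrates that mechanism with a tiny, harmless pattern and a constructed temporary directory tree, and shows the two ways the expansion is switched off: quoting the substitution, or `set -f` (noglob). `make_pattern`, `demo_dir`, `count_unquoted`, `count_quoted` and `count_noglob` are helper names chosen here; the repeat counts are deliberately small.

```sh
#!/bin/sh
# Added example: why backticks matter in the post above. An unquoted command
# substitution's output goes through pathname expansion; a quoted one, or a
# shell with `set -f`, leaves it as a single literal word.

# Build "*/*" repeated $1 times without perl (constructed helper; the
# double quotes keep the asterisks literal while the string is assembled).
make_pattern() {
    i=0; out=""
    while [ "$i" -lt "$1" ]; do
        out="$out*/*"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Constructed sample tree: two three-level paths so each pattern depth has
# exactly two matches. Prints the directory name.
demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/a/b/c" "$d/d/e/f"
    printf '%s' "$d"
}

# Unquoted substitution in directory $1 with $2 repeats: the shell expands
# the pattern against the filesystem, so the word count is the match count.
count_unquoted() {
    ( cd "$1" && set -- $(make_pattern "$2") && echo "$#" )
}

# Same pattern, substitution quoted: stays one literal word, no expansion.
count_quoted() {
    ( cd "$1" && set -- "$(make_pattern "$2")" && echo "$#" )
}

# Same pattern unquoted, but pathname expansion disabled with set -f.
# The subshell keeps the option change from leaking into the caller.
count_noglob() {
    ( cd "$1" && set -f && set -- $(make_pattern "$2") && echo "$#" )
}

# Usage: show the three behaviours side by side, then clean up.
D=$(demo_dir)
echo "pattern:   $(make_pattern 2)"
echo "unquoted:  $(count_unquoted "$D" 2) word(s)  (glob expanded)"
echo "quoted:    $(count_quoted "$D" 2) word(s)  (literal)"
echo "set -f:    $(count_noglob "$D" 2) word(s)  (literal)"
rm -rf "$D"
```

The unquoted form is the one that reaches bash's glob code; whether a long pattern hurts depends on the bash version, but quoting substitutions, or running with `set -f` where expansion of untrusted output is not wanted, removes that code path from the picture.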
