[GN][FYI:] Bash Blues. (fwd)  Vijay Kumar
 Feb 14, 2003 17:57 PST 
---------- Forwarded message ----------
Date: Thu, 13 Feb 2003 14:26:51 +0000 (GMT)
From: uk2-@oakey.no-ip.com
To: vuln-@securityfocus.com
Subject: Bash Blues.

[ Moderator: Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a
Segmentation Fault.

Work done was based on:
GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
(Redhat 7.3)

The basis for this advisory is theoretical - Although not a current
security risk, a technique yet to be developed may allow exploitation.

Background:

During some work, I noticed GNU bash could be crashed by sending a
malformed perl request to the terminal.

example: `perl -e 'print "*/*" x 3500'`
<bash crashes>

(exact amount is: `perl -e 'print "*/*" x 2338'`)

This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and
r23 on HPUX (11.00).

X86: ecx: 0x2f2f2f2f 791621423
HPUX r23: 2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the
person who crashes the shell. Since bash is not suid, this isn't a big
problem unless a special exploitation method can be created.

To reproduce the seg fault, you must enclose the perl request with ` ` .

` perl -e.... etc.. `       CORRECT
   perl -e.... etc..          DOESN'T WORK
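The backtick requirement above has a general explanation, shown here as an added example that is not part of the advisory: the output of an unquoted command substitution (backticks or `$(...)`) is word-split and then pathname-expanded by the shell, so the printed `*/*/...` string becomes a glob that bash has to match against the filesystem. A quoted substitution, or one run with pathname expansion switched off (`set -f`), is left as a single literal word. The small directory tree and the helper function names below are constructed for this illustration and are assumptions, not part of the original post.

```shell
# Added example (not from the advisory). Demonstrates why only the
# backtick form reaches bash's glob matcher: unquoted substitution output
# is word-split and glob-expanded, quoted output (or output under set -f) is not.

TREE=$(mktemp -d)                    # constructed sample tree: $TREE/d/a, $TREE/d/b
mkdir -p "$TREE/d"
: > "$TREE/d/a"
: > "$TREE/d/b"

# Build a pattern of N repeats of "*/*", the shape the advisory's perl
# one-liner prints. N is kept tiny here; the point is the expansion step.
make_pattern() {
    n=$1; p=""; i=0
    while [ "$i" -lt "$n" ]; do
        p="$p*/*"
        i=$((i + 1))
    done
    printf '%s' "$p"
}

# Number of words the shell produces from an UNQUOTED substitution of $1.
# Inside $TREE the pattern "*/*" matches d/a and d/b, so this yields 2.
words_unquoted() {
    ( cd "$TREE" && set -- $(printf '%s' "$1") && echo "$#" )
}

# Same, with the substitution QUOTED: always exactly one word, never globbed.
words_quoted() {
    ( cd "$TREE" && set -- "$(printf '%s' "$1")" && echo "$#" )
}

# Unquoted, but with pathname expansion disabled via set -f: one literal word.
words_noglob() {
    ( cd "$TREE" && set -f && set -- $(printf '%s' "$1") && echo "$#" )
}

# Stand-alone demonstration.
pat=$(make_pattern 1)                                   # "*/*"
echo "unquoted: $(words_unquoted "$pat") word(s)"       # 2: d/a d/b
echo "quoted:   $(words_quoted "$pat") word(s)"         # 1: the literal */*
echo "set -f:   $(words_noglob "$pat") word(s)"         # 1: the literal */*
```

For scripts that interpolate output they do not control, quoting the substitution (`"$(cmd)"`) or running under `set -f` keeps arbitrary text from being handed to the glob matcher at all, which is the mitigation that follows from the CORRECT/DOESN'T WORK observation above.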

We have looked at ways to generate an exploit for this, however so far
nothing 'obvious' has been found. We tried creating a deep directory
structure which would be followed by something like a /tmp directory
watcher, however we are unable to create a directory 3500 folders deep.
Perhaps something with sym-links could be used to do this, and the
directory structure could contain our executable asm code? Not tested,
just thoughts.

Furthermore we found several ways to decrease the performance of a linux
machine to almost a stand still, however that is not part of this
advisory and can be disabled using resource limits on the server. For
more information feel free to contact uk2-@oakey.no-ip.com.

Thanks for your time,

uk2sec

c0wd0g.

c0w_-@yahoo.co.uk
uk2-@oakey.no-ip.com

Members:
c0w_d0g (c0w_d-@|yahoo.co.uk), deadbeat (deadb-@|hush.com).

--
-vi