On Tue, 5 Jun 2001, KF wrote:

> I have seen at least one post for linux bash overflows but not much
> follow up for other OS's.
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26tid%3D13697%26end%3D2001-06-09%26threads%3D0%26start%3D2001-06-03%26
> This seems to affect bash and csh and tcsh on SCO and SunOS both.
>
> [6:55pm]@[medusa]#uname -a
> SunOS medusa 5.7 Generic_106541-12 sun4m sparc SUNW,SPARCstation-5
> [6:55pm]@[medusa]#gdb bash
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.7"...
> (gdb) run
> Starting program: /usr/local/bin/bash
> cannot stat /var/adm/utmpx. Please "unset watch".
> bash-2.03$ export TERM=`perl -e 'print "A" x 7000'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
> (gdb) bt
> #0 0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
> #1 0xef7572d4 in setupterm () from /usr/lib/libcurses.so.1
> #2 0xef758cd4 in tgetent () from /usr/lib/libcurses.so.1
> Cannot access memory at address 0x41414179.
> (gdb)

Actually, this looks like an ncurses overflow.

export TERM=`perl -e 'print "A" x 7000'`
export EDITOR=pico
chsh

Pico dumps core

Is it suid root when it does so? If so it may be exploitable.

Jason

-- 
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlinat_private - jslagleat_private - WHOIS JS10172

 /"\   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 \ /   ASCII Ribbon Campaign  . If dreams are like movies then memories
  X  - NO HTML/RTF in e-mail  . are films about ghosts..
 / \ - NO Word docs in e-mail .              - Adam Duritz - Counting Crows
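The backtrace above ends in strcpy() inside setupterm(), copying the TERM value into a fixed-size buffer with no length check. As an added example (not code from this thread or from ncurses/libcurses), here is the bounded validation a terminfo consumer should apply to TERM before any copy or file lookup; the function names and the TERM_NAME_MAX limit are assumptions chosen for the example, and the 7000-byte input is constructed inline to mirror the thread's test.

```c
#include <stdio.h>
#include <string.h>

#define TERM_NAME_MAX 63  /* hypothetical limit for this example, not from the thread */

/* Copy a TERM value into out (capacity outlen): the bounded check that the
 * strcpy() in setupterm() lacks. Returns 1 if accepted, 0 if rejected;
 * out is always NUL-terminated. */
int load_term_name(const char *term, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (term == NULL || term[0] == '\0')
        return 0;
    size_t n = 0;                 /* scan at most outlen bytes */
    while (n < outlen && term[n] != '\0')
        n++;
    if (n >= outlen || n > TERM_NAME_MAX)
        return 0;                 /* does not fit: refuse, do not truncate */
    /* terminfo names are printable tokens; reject control bytes and '/'
     * so the value cannot steer the terminfo file lookup. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (c < 0x20 || c > 0x7e || c == '/')
            return 0;
    }
    memcpy(out, term, n + 1);
    return 1;
}

/* Feed the thread's 7000 x "A" TERM (constructed here) to the bounded
 * loader; returns 1 if it is rejected and the output stays empty. */
int rejects_long_term(void)
{
    static char big[7001];
    char buf[TERM_NAME_MAX + 1];
    memset(big, 'A', 7000);
    big[7000] = '\0';
    int accepted = load_term_name(big, buf, sizeof buf);
    return accepted == 0 && buf[0] == '\0';
}

int main(void)
{
    char buf[TERM_NAME_MAX + 1];
    printf("vt100 accepted: %d\n", load_term_name("vt100", buf, sizeof buf));
    printf("7000 x A rejected: %d\n", rejects_long_term());
    return 0;
}
```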
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 13:58:21 PDT