Maybe I havent' had enough coffee this morning, but assuming one can exploit this, how likely is it that you will gain anything by it? I can't see awk being used in cgi, or in any situation where privileges are likely to be gained. Am I missing something? binky |-----Original Message----- |From: keoki [mailto:keokiat_private] |Sent: Thursday, March 14, 2002 7:41 PM |To: vuln-devat_private |Subject: Buffer overflow in awk | | | | |A buffer overflow exist in awk(named awk on most |systems, but actualy is gawk/GNU awk) when calling |the -f option, to include an awk script, and supplying a |filename with a buffer length of 1022 and up. | | |[root@neural keoki]# awk -f `perl -e 'print "A" x 1022'` |awk: fatal error: internal error |Abort (core dumped) |[root@neural keoki]# awk -f `perl -e 'print "A" x 2048'` |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAA: fatal error: internal error |Abort (core dumped) |[root@neural keoki]# | |The bug exist in io.c in function do_pathopen | |/* do_pathopen --- search $AWKPATH for source file |*/ | |static int |do_pathopen(file) |const char *file; |{ |static const char *savepath = NULL; |static int first = TRUE; |const char *awkpath; |char *cp, trypath[BUFSIZ]; |int fd; | |if (STREQ(file, "-")) |return (0); | |if (do_traditional) |return (devopen(file, "r")); | |if (first) { |first = FALSE; |if ((awkpath = getenv("AWKPATH")) != |NULL && *awkpath) |savepath = awkpath; /* used for |restarting */ |else |savepath = defpath; |} |awkpath = savepath; | |/* some kind of path name, no search */ |if (ispath(file)) |return (devopen(file, "r")); | |do { |trypath[0] = '\0'; | | |/* this should take into account limits on size of |trypath */ |for (cp = trypath; *awkpath && *awkpath != |envsep; ) |*cp++ = *awkpath++; | |if (cp != trypath) { /* nun-null element in |path */ |/* add directory punctuation only if |needed */ |if (! isdirpunct(*(cp-1))) |*cp++ = '/'; |/* append filename */ |strcpy(cp, file); |} else |strcpy(trypath, file); |if ((fd = devopen(trypath, "r")) > |INVALID_HANDLE) |return (fd); | |/* no luck, keep going */ |if(*awkpath == envsep && awkpath[1] ! |= '\0') |awkpath++; /* skip colon */ |} while (*awkpath != '\0'); |/* |* You might have one of the awk paths defined, |WITHOUT the current |* working directory in it. Therefore try to open |the file in the |* current directory. |*/ |return (devopen(file, "r")); | |} | | |It can also be crashed with an env variable as follows | |[root@neural keoki]# env AWKPATH=`perl - |e 'print "A" x 2048'` awk -f xx |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |AAAAAAAAAAAA/e/keoki: fatal error: internal error |Abort (core dumped) |[root@neural keoki]# | | | |This was tested on FreeBSD platform(fbsd 4.0 && |4.4) against awk(which is actually gnu awk) versions |3.0.6 && 3.0.4 | |[root@neural keoki]# awk -W version | sed -n '1p' |GNU Awk 3.0.6 |[root@neural keoki]# | |[root@keoki][~]# awk -W version | sed -n '1p' |GNU Awk 3.0.4 |[root@keoki][~]# | | |This was also tested on caldera and mandrake, and |worked, but using a significantly higher buffer length. | | |Shouts: aho, weinberger, kernighan and #ch0wn | | |-- keoki |-- keokiat_private |-- http://sleek.cyberarmy.com |
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 10:27:13 PST