Re: Buffer overflow in awk

From: Pavel Kankovsky (peakat_private)
Date: Sun Mar 17 2002 - 06:48:43 PST


    On Fri, 15 Mar 2002, Kurt Seifried wrote:
    
    > So you are willing to guarantee to us that this awk bug will never be
    > exploitable by an attacker in any circumstance? Cool. Oh wait, that's
    > totally bogus.
    
    No. I can guarantee that a person who can pass arbitrary values to awk's
    -f option controls the account running such an instance of (GNU) awk
    without having to resort to the buffer overflow being discussed.
    
    Just try those two commands:
    
      echo 'BEGIN {system("command of your choice")}' > /tmp/blah
      awk -f /tmp/blah
    
    Or this single command:
    
      echo 'BEGIN {system("command of your choice")}' | awk -f /dev/stdin
    
    Of course, the buffer overflow is a bug and it should be fixed.
    But it is not a real security hole because -f's parameter is a trusted 
    input channel.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    



    This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 21:35:55 PST
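
The trust boundary described in this message, seen from the defender's side, as an added example that is not part of the original post: a wrapper that hands a file to `awk -f` only when nobody but the invoking user or root could have written or replaced it. The function names `awk_prog_trusted` and `safe_awk_f` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Treats awk's -f argument as code: only run it if nobody but the invoking
# user or root could have written or swapped the program file.

# awk_prog_trusted PATH: exit status 0 if PATH is acceptable for `awk -f`.
awk_prog_trusted() {
    _p=$1
    # Keep find from parsing a relative path such as "-x.awk" as an option.
    case $_p in /*) ;; *) _p=./$_p ;; esac
    # A regular file only: no symlink, FIFO or device (rejects /dev/stdin).
    [ -f "$_p" ] && [ ! -L "$_p" ] || return 1
    _me=$(id -u)
    # File owned by us or root, and not writable by group or other.
    [ -n "$(find "$_p" -prune -type f \( -user "$_me" -o -user 0 \) \
            ! -perm -020 ! -perm -002 -print)" ] || return 1
    # Same rule for the containing directory, so the file cannot be replaced.
    # Conservative: this also rejects sticky world-writable dirs such as /tmp.
    _d=$(dirname "$_p")
    [ -n "$(find "$_d" -prune -type d \( -user "$_me" -o -user 0 \) \
            ! -perm -020 ! -perm -002 -print)" ] || return 1
}

# safe_awk_f PROGRAM [awk args...]: run awk only on a trusted program file.
safe_awk_f() {
    _prog=$1
    shift
    if ! awk_prog_trusted "$_prog"; then
        echo "refusing untrusted awk program: $_prog" >&2
        return 126
    fi
    awk -f "$_prog" "$@"
}
```

Only the immediate parent directory is checked; a stricter version would walk every ancestor up to `/`.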