[xplosive@dr4g0n]~$ echo 'BEGIN {system("id")}' | awk -f /dev/stdin
uid=500(xplosive) gid=500(xplosive) groups=500(xplosive)

?

On Sun, 17 Mar 2002, Pavel Kankovsky wrote:

> Date: Sun, 17 Mar 2002 15:48:43 +0100 (MET)
> From: Pavel Kankovsky <peakat_private>
> To: Kurt Seifried <bugtraqat_private>
> Cc: vuln-devat_private
> Subject: Re: Buffer overflow in awk
>
> On Fri, 15 Mar 2002, Kurt Seifried wrote:
>
> > So you are willing to guarantee to us that this awk bug will never be
> > exploitable by an attacker in any circumstance? Cool. Oh wait, that's
> > totally bogus.
>
> No. I can guarantee that a person who can pass arbitrary values to awk's
> -f option controls the account running such an instance of (GNU) awk
> without having to resort to the buffer overflow being discussed.
>
> Just try those two commands:
>
> echo 'BEGIN {system("command of your choice")}' > /tmp/blah
> awk -f /tmp/blah
>
> Or this single command:
>
> echo 'BEGIN {system("command of your choice")}' | awk -f /dev/stdin
>
> Of course, the buffer overflow is a bug and it should be fixed.
> But it is not a real security hole because -f's parameter is a trusted
> input channel.
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
>

--
---------------------------------------------------
Jeff Fields <adminat_private> - 1 (877) 467-2748
ForSite Web Services, Inc. - http://www.forsite.com
---------------------------------------------------
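
Added example, not part of the original thread: since the argument to -f is a trusted input channel, a script that runs awk on behalf of someone else can check that the program file could only have been written by root or the invoking user before passing it to awk -f. The helper names trusted_awk_script and run_awk_file are hypothetical, and the policy (regular file, owner root or self, no group/other write bit on the file or its directory) is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: vet a path before it reaches "awk -f".
# trusted_awk_script and run_awk_file are hypothetical helper names.

# Succeeds only if $1 is a script that nobody but root or the current user
# could have written: a regular file (no symlink, pipe or /dev/stdin),
# owned by root or by us, with no group/other write bit on the file or on
# the directory that holds it. Ancestor directories above that one are
# not examined.
trusted_awk_script() {
    f=$1
    case $f in
        /*) ;;
        *) f=./$f ;;    # relative path; also stops a leading "-" looking like an option
    esac
    me=$(id -u)
    # -prune keeps find from descending; without -L a symlink is type l, not f.
    [ -n "$(find "$f" -prune -type f \( -user 0 -o -user "$me" \) \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
    d=$(dirname "$f")
    [ -n "$(find "$d" -prune -type d \( -user 0 -o -user "$me" \) \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
}

# Wrapper: refuse to hand an unvetted path to awk -f.
run_awk_file() {
    script=$1
    shift
    if trusted_awk_script "$script"; then
        awk -f "$script" "$@"
    else
        echo "refusing untrusted awk script: $script" >&2
        return 1
    fi
}
```

Under this policy both forms quoted in the thread are refused: /dev/stdin is not a regular file, and a file under /tmp sits in a world-writable directory.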
This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 14:26:31 PST