Re: Buffer overflow in awk

From: Jeff Fields (adminat_private)
Date: Mon Mar 18 2002 - 11:09:03 PST

    [xplosive@dr4g0n]~$ echo 'BEGIN {system("id")}' | awk -f /dev/stdin
    uid=500(xplosive) gid=500(xplosive) groups=500(xplosive)
    
    ?
    
    On Sun, 17 Mar 2002, Pavel Kankovsky wrote:
    
    > Date: Sun, 17 Mar 2002 15:48:43 +0100 (MET)
    > From: Pavel Kankovsky <peakat_private>
    > To: Kurt Seifried <bugtraqat_private>
    > Cc: vuln-devat_private
    > Subject: Re: Buffer overflow in awk
    >
    > On Fri, 15 Mar 2002, Kurt Seifried wrote:
    >
    > > So you are willing to guarantee to us that this awk bug will never be
    > > exploitable by an attacker in any circumstance? Cool. Oh wait, that's
    > > totally bogus.
    >
    > No. I can guarantee that a person who can pass arbitrary values to awk's
    > -f option controls the account running such an instance of (GNU) awk
    > without having to resort to the buffer overflow being discussed.
    >
    > Just try those two commands:
    >
    >   echo 'BEGIN {system("command of your choice")}' > /tmp/blah
    >   awk -f /tmp/blah
    >
    > Or this single command:
    >
    >   echo 'BEGIN {system("command of your choice")}' | awk -f /dev/stdin
    >
    > Of course, the buffer overflow is a bug and it should be fixed.
    > But it is not a real security hole because -f's parameter is a trusted
    > input channel.
    >
    > --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    > "Resistance is futile. Open your source code and prepare for assimilation."
    >
    
    -- 
    
    ---------------------------------------------------
    Jeff Fields <adminat_private> - 1 (877) 467-2748
    ForSite Web Services, Inc. - http://www.forsite.com
    ---------------------------------------------------
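
The thread's point, that whoever controls the argument to awk's -f already
has command execution as the invoking user, holds for more than system().
The following is an added example, not code from either poster: it feeds a
constructed program to `awk -f /dev/stdin` through each of awk's three
command-running constructs (system(), `"cmd" | getline`, and `print | "cmd"`)
and checks whether the command actually ran by looking for a marker file.
The helper name awk_exec_via, the marker-file check and the "none" control
case are assumptions of this example; it assumes a POSIX awk, mktemp and
touch on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows that any of awk's
# command-execution constructs in a program read via -f runs a shell
# command as the invoking user, so the -f argument is a trusted input
# channel independent of any bug in how awk parses that program.

# awk_exec_via: build a constructed awk program that tries to create a
# marker file using the named construct, run it through `awk -f /dev/stdin`,
# and print "yes" if the marker appeared (the command ran) or "no" if not.
#   $1 = system | getline | pipe | none   ("none" is a control that runs
#        no command and must therefore print "no")
awk_exec_via() {
    construct=$1
    dir=$(mktemp -d) || return 2
    marker="$dir/marker"          # mktemp paths contain no quotes or spaces
    cmd="touch $marker"

    case "$construct" in
        # BEGIN runs before any input is read, so no input file is needed.
        system)  prog='BEGIN { system("'"$cmd"'") }' ;;
        # Reading from a command pipe executes the command via the shell.
        getline) prog='BEGIN { "'"$cmd"'" | getline x; close("'"$cmd"'") }' ;;
        # Writing to a command pipe likewise executes the command.
        pipe)    prog='BEGIN { print "" | "'"$cmd"'"; close("'"$cmd"'") }' ;;
        # Control case: plain awk statements, no command execution.
        none)    prog='BEGIN { x = 1 }' ;;
        *)       rm -rf "$dir"; return 2 ;;
    esac

    printf '%s\n' "$prog" | awk -f /dev/stdin >/dev/null 2>&1

    if [ -f "$marker" ]; then result=yes; else result=no; fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Stand-alone usage: report each construct.
for c in system getline pipe none; do
    printf '%-8s %s\n' "$c" "$(awk_exec_via "$c")"
done
```

The control case matters: a check that only looks for the literal string
"system(" in a program file would pass the getline and pipe variants, which
is why filtering -f input is not a substitute for treating it as trusted.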
    



    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 14:26:31 PST