Verified on Mandrake 8.1, Redhat 7.0 and Debian 3.0.

-----Original Message-----
From: uk2secat_private-ip.com [mailto:uk2secat_private-ip.com]
Sent: Friday, 14 February 2003 12:27 AM
To: vuln-devat_private
Subject: Bash Blues.

[ Moderator: Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a Segmentation Fault.

Work done was based on: GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu) (Redhat 7.3)

The basis for this advisory is theoretical - although not a current security risk, a technique yet to be developed may allow exploitation.

Background:

During some work, I noticed GNU bash could be crashed by sending a malformed perl request to the terminal.

Example:

  `perl -e 'print "*/*" x 3500'`
  <bash crashes>

(exact amount is: `perl -e 'print "*/*" x 2338'`)

This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and r23 on HPUX (11.00).

  X86:  ecx: 0x2f2f2f2f 791621423
  HPUX: r23: 2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the person who crashes the shell. Since bash is not suid, this isn't a big problem unless a special exploitation method can be created.

To reproduce the seg fault, you must enclose the perl request with ` `.

  ` perl -e.... etc.. `    CORRECT
  perl -e.... etc..        DOESN'T WORK

We have looked at ways to generate an exploit for this, however so far nothing 'obvious' has been found. We tried creating a deep directory structure which would be followed by something like a /tmp directory watcher, however we are unable to create a directory 3500 folders deep. Perhaps something with sym-links could be used to do this, and the directory structure could contain our executable asm code? Not tested, just thoughts.

Furthermore we found several ways to decrease the performance of a linux machine to almost a stand still, however that is not part of this advisory and can be disabled using resource limits on the server.

For more information feel free to contact uk2secat_private-ip.com.

Thanks for your time,

uk2sec
c0wd0g.
c0w_d0g3at_private
uk2secat_private-ip.com

Members: c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
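The following is an added example, not part of the original post and not uk2sec's code: a contained check that tells you whether the bash build on a host still falls over on the repeated "*/*" glob pattern the advisory describes. Instead of running the backtick substitution on an interactive shell, it expands the pattern unquoted in a child shell started in an empty scratch directory (so the glob has nothing to walk), with core dumps disabled and a CPU-time cap, and classifies the child's exit status. It assumes POSIX sh, `mktemp`, and a bash binary on PATH; the `SHELL_UNDER_TEST` variable and the function names are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the original advisory). Assumes POSIX sh, mktemp,
# and a bash binary on PATH; SHELL_UNDER_TEST is a hypothetical knob for
# pointing the check at a different shell binary.

# Build the pattern the advisory produced with perl: "*/*" repeated $1 times.
build_pattern() {
    n=$1 pat='' i=0
    while [ "$i" -lt "$n" ]; do
        pat="${pat}*/*"
        i=$((i + 1))
    done
    printf '%s' "$pat"
}

# Expand the pattern unquoted inside a fresh shell. An unquoted positional
# parameter gets the same word splitting and pathname expansion that the
# backtick substitution in the post triggers, but here:
#   - the child runs in an empty scratch directory, so the glob matches
#     nothing and returns quickly;
#   - core dumps are off and CPU time is capped, so a misbehaving shell
#     cannot fill the disk or spin forever.
# Prints exactly one of: ok, crash, missing, "signal N", "exit N".
bash_glob_check() {
    count=${1:-2338}
    shell=${SHELL_UNDER_TEST:-bash}
    command -v "$shell" >/dev/null 2>&1 || { printf 'missing\n'; return 0; }
    pat=$(build_pattern "$count")
    dir=$(mktemp -d) || return 1
    # The if-form keeps a non-zero child status from tripping set -e.
    if (
        ulimit -c 0        # no core files
        ulimit -t 10       # at most 10 CPU seconds
        cd "$dir" && "$shell" -c 'set -- $1; echo "$#" >/dev/null' _ "$pat"
    ) 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    rmdir "$dir" 2>/dev/null
    case $status in
        0)   printf 'ok\n' ;;
        139) printf 'crash\n' ;;          # 128 + SIGSEGV(11): the advisory's symptom
        127) printf 'missing\n' ;;        # shell binary not found
        *)   if [ "$status" -gt 128 ]; then
                 printf 'signal %d\n' $((status - 128))
             else
                 printf 'exit %d\n' "$status"
             fi ;;
    esac
    return 0
}

# Usage: the advisory's exact repeat count, then the larger one it quotes.
for n in 2338 3500; do
    printf 'count=%s: %s\n' "$n" "$(bash_glob_check "$n")"
done
```

A result of `crash` on a current shell is worth a bug report and a package update; `signal 24` (SIGXCPU) means the CPU cap fired, which is the resource-limit mitigation the post mentions doing its job rather than a memory-safety fault. Because the child always starts in an empty directory, the check measures the shell's handling of the pattern itself, not the cost of walking whatever tree the caller happens to be sitting in.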
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 08:40:51 PST