> uk2sec /bin/bash Advisory > > By sending a perl request on the GNU bash terminal we can cause a > Segmentation Fault. > > Work done was based on: > GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu) > (Redhat 7.3) > Interesting. Logged in via ssh to a red hat 7.3 and an 8.0 system (both are completely up to date) doing that command immediately logs me out (bash falls down badly). Other then that the system is fine, no weird load/etc. For a quick moment bash spikes, but 2.5% cpu usage on a 600 mhz cyrix processor is not exactly scary ditto for memory, 1.2% out of 248 megs (256 - 8 for the built in video) is not worrying. No resource limits are placed on bash via ulimit or the session via pam limits so it's not booting me out because of that. CPU states: 2.5% user, 2.3% system, 0.0% nice, 95.0% idle Mem: 247516K av, 239088K used, 8428K free, 0K shrd, 61180K buff Swap: 262072K av, 14456K used, 247616K free 109576K cached PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND 370 seifried 16 0 3112 3112 1096 R 2.5 1.2 0:00 bash 769 postfix 15 0 1256 1104 1000 S 0.7 0.4 13:52 qmgr 366 seifried 15 0 1064 1064 820 R 0.7 0.4 0:00 top 606 root 15 0 1356 1272 1188 S 0.1 0.5 0:47 sshd On Solaris with bash from sunfreeware (I think): $ /usr/local/bin/bash bash-2.05$ /usr/local/bin/bash --version GNU bash, version 2.05.0(1)-release (sparc-sun-solaris2.8) Copyright 2000 Free Software Foundation, Inc. bash-2.05$ uname -a SunOS sparkplug 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-1 bash-2.05$ `perl -e 'print "*/*" x 2338'` Segmentation Fault - core dumped takes a few seconds but then it seg faults. Who knows, maybe it is exploitable. Kurt Seifried, kurtat_private A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 08:41:46 PST