Re: Buffer overflow in awk
From: wu2ftpd-ovich (wu2ftpd@pasilai.punks.lt)
Date: 03/15/02
- Previous message: sekure@hadrion.com.br: "Re: SSH 3.1.0 Potential Exploit + FIX"
- In reply to: keoki: "Buffer overflow in awk"
- Next in thread: dong-h0un U: "RE: Buffer overflow in awk"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Mar 2002 22:56:02 +0200
From: wu2ftpd-ovich <wu2ftpd@pasilai.punks.lt>
To: vuln-dev@securityfocus.com
Hello,
I tested this one on my Slackware 8 with
awk 3.0.6 and it needed 8177 chars to abort with a fatal error,
and I tested awk 3.1.0 on the same system and it needed 8196 chars to abort with a fatal error ...
wu2ftpd
On Fri, Mar 15, 2002 at 03:41:15AM -0000, keoki wrote:
>
>
> A buffer overflow exists in awk (named awk on most
> systems, but actually is gawk/GNU awk) when calling
> the -f option to include an awk script and supplying a
> filename with a buffer length of 1022 and up.
>
>
> [root@neural keoki]# awk -f `perl -e 'print "A" x 1022'`
> awk: fatal error: internal error
> Abort (core dumped)
> [root@neural keoki]# awk -f `perl -e 'print "A" x 2048'`
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAA: fatal error: internal error
> Abort (core dumped)
> [root@neural keoki]#
>
> The bug exists in io.c in function do_pathopen
>
> /* do_pathopen --- search $AWKPATH for source file */
>
> static int
> do_pathopen(file)
> const char *file;
> {
>     static const char *savepath = NULL;
>     static int first = TRUE;
>     const char *awkpath;
>     char *cp, trypath[BUFSIZ];
>     int fd;
>
>     if (STREQ(file, "-"))
>         return (0);
>
>     if (do_traditional)
>         return (devopen(file, "r"));
>
>     if (first) {
>         first = FALSE;
>         if ((awkpath = getenv("AWKPATH")) != NULL && *awkpath)
>             savepath = awkpath;    /* used for restarting */
>         else
>             savepath = defpath;
>     }
>     awkpath = savepath;
>
>     /* some kind of path name, no search */
>     if (ispath(file))
>         return (devopen(file, "r"));
>
>     do {
>         trypath[0] = '\0';
>
>         /* this should take into account limits on size of trypath */
>         for (cp = trypath; *awkpath && *awkpath != envsep; )
>             *cp++ = *awkpath++;
>
>         if (cp != trypath) {    /* non-null element in path */
>             /* add directory punctuation only if needed */
>             if (! isdirpunct(*(cp-1)))
>                 *cp++ = '/';
>             /* append filename */
>             strcpy(cp, file);
>         } else
>             strcpy(trypath, file);
>         if ((fd = devopen(trypath, "r")) > INVALID_HANDLE)
>             return (fd);
>
>         /* no luck, keep going */
>         if (*awkpath == envsep && awkpath[1] != '\0')
>             awkpath++;    /* skip colon */
>     } while (*awkpath != '\0');
>     /*
>      * You might have one of the awk paths defined, WITHOUT the current
>      * working directory in it.  Therefore try to open the file in the
>      * current directory.
>      */
>     return (devopen(file, "r"));
> }
>
>
> It can also be crashed with an env variable as follows
>
> [root@neural keoki]# env AWKPATH=`perl -e 'print "A" x 2048'` awk -f xx
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAA/e/keoki: fatal error: internal error
> Abort (core dumped)
> [root@neural keoki]#
>
>
>
> This was tested on the FreeBSD platform (fbsd 4.0 && 4.4)
> against awk (which is actually GNU awk) versions
> 3.0.6 && 3.0.4
>
> [root@neural keoki]# awk -W version | sed -n '1p'
> GNU Awk 3.0.6
> [root@neural keoki]#
>
> [root@keoki][~]# awk -W version | sed -n '1p'
> GNU Awk 3.0.4
> [root@keoki][~]#
>
>
> This was also tested on Caldera and Mandrake, and
> worked, but using a significantly higher buffer length.
>
>
> Shouts: aho, weinberger, kernighan and #ch0wn
>
>
> -- keoki
> -- keoki@techie.com
> -- http://sleek.cyberarmy.com
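The quoted do_pathopen copies each $AWKPATH element and then the -f file name into trypath[BUFSIZ] with an unchecked loop and strcpy(), which is why a long file name or a long AWKPATH element aborts the interpreter. The following is an added example, not gawk code and not from either poster: a bounded rewrite of the same search loop that computes the needed length before copying a single byte and skips any element that would not fit. The names build_trypath, search_awkpath, trace_try, the 1024-byte TRYPATH_SIZE and the constructed 2048-byte AWKPATH are all assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ENVSEP       ':'
#define TRYPATH_SIZE 1024   /* assumed stand-in for trypath[BUFSIZ]; the size no longer matters once it is checked */
#define MAX_TRACE    8

static int isdirpunct(char c) { return c == '/'; }

/* Build "<elem>/<file>" (or just "<file>" when elem is empty) into dst.
 * Returns the resulting length, or -1 if elem + '/' + file + NUL would not fit in dstsz.
 * The length is computed before anything is copied: the check the gawk comment
 * "this should take into account limits on size of trypath" promised but never did. */
static int build_trypath(char *dst, size_t dstsz, const char *elem, size_t elemlen, const char *file)
{
    size_t filelen = strlen(file);
    size_t need = filelen + 1;                 /* file + NUL */
    int add_slash = 0;
    size_t n = 0;

    if (elemlen > 0) {
        add_slash = !isdirpunct(elem[elemlen - 1]);
        need += elemlen + (size_t)add_slash;
    }
    if (need > dstsz)
        return -1;                             /* would overflow: refuse instead of strcpy()ing */
    if (elemlen > 0) {
        memcpy(dst, elem, elemlen);
        n = elemlen;
        if (add_slash)
            dst[n++] = '/';
    }
    memcpy(dst + n, file, filelen + 1);        /* copies the NUL too */
    return (int)(n + filelen);
}

/* Walk an AWKPATH-style colon list in the original's order (each element, then the bare
 * file name) and hand every candidate that fits to try_fn(), which returns a descriptor
 * (>= 0) to stop or -1 to keep going. An element too long for trypath is skipped with a
 * warning instead of being written past the end of the buffer. */
static int search_awkpath(const char *awkpath, const char *file,
                          int (*try_fn)(const char *path, void *ctx), void *ctx)
{
    char trypath[TRYPATH_SIZE];
    int fd;

    while (awkpath != NULL) {
        const char *sep = strchr(awkpath, ENVSEP);
        size_t elemlen = sep ? (size_t)(sep - awkpath) : strlen(awkpath);

        if (build_trypath(trypath, sizeof trypath, awkpath, elemlen, file) < 0)
            fprintf(stderr, "warning: AWKPATH element of %zu bytes skipped (limit %zu)\n",
                    elemlen, sizeof trypath);
        else if ((fd = try_fn(trypath, ctx)) >= 0)
            return fd;
        awkpath = sep ? sep + 1 : NULL;
    }
    return try_fn(file, ctx);                  /* last resort: the current directory */
}

/* Recording try_fn(): opens nothing, just keeps the candidates in search order. */
struct trace { int n; char cand[MAX_TRACE][TRYPATH_SIZE]; };

static int trace_try(const char *path, void *ctx)
{
    struct trace *t = ctx;
    if (t->n < MAX_TRACE)
        snprintf(t->cand[t->n], sizeof t->cand[t->n], "%s", path);
    t->n++;
    return -1;
}

/* Real try_fn(): open read-only, as gawk's devopen(..., "r") does for plain files. */
static int open_try(const char *path, void *ctx)
{
    (void)ctx;
    return open(path, O_RDONLY);
}

/* Constructed reproduction of the report's AWKPATH: a 2048-byte element, then a sane one. */
static int demo_long_awkpath(struct trace *t)
{
    static char awkpath[2048 + sizeof ":/usr/share/awk"];
    memset(awkpath, 'A', 2048);
    strcpy(awkpath + 2048, ":/usr/share/awk");
    return search_awkpath(awkpath, "keoki", trace_try, t);
}

int main(void)
{
    struct trace t = { 0 };
    const char *env = getenv("AWKPATH");
    int fd;

    demo_long_awkpath(&t);                     /* the long element is skipped, not overflowed */
    for (int i = 0; i < t.n && i < MAX_TRACE; i++)
        printf("candidate: %s\n", t.cand[i]);
    fd = search_awkpath(env && *env ? env : ".", "keoki", open_try, NULL);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run with the report's AWKPATH (`env AWKPATH=$(perl -e 'print "A" x 2048') ./a.out`) and the oversized element produces a warning on stderr while the search continues with the remaining elements; the same inputs that aborted gawk 3.0.x never reach a copy that could exceed trypath. The one behavioural difference worth knowing is that an empty element (`a::b`, or a trailing colon) is treated as the current directory, which is what the unchecked original also tried.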