Bash Blues.

    Date: Thu, 13 Feb 2003 14:26:51 +0000 (GMT)
    From: uk2sec@oakey.no-ip.com
    To: vuln-dev@securityfocus.com

    [ Moderator: Post Edited Accordingly ]

    uk2sec /bin/bash Advisory

    By sending a perl request on the GNU bash terminal we can cause a
    Segmentation Fault.

    Work done was based on:
            GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
            (Redhat 7.3)

    The basis for this advisory is theoretical - Although not a current
    security risk, a technique yet to be developed may allow exploitation.

    Background:

    During some work, I noticed GNU bash could be crashed by sending a
    malformed perl request to the terminal.

            example: `perl -e 'print "*/*" x 3500'`
                            <bash crashes>

    (exact amount is: `perl -e 'print "*/*" x 2338'`)

    This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and
    r23 on HPUX (11.00).

            X86: ecx: 0x2f2f2f2f 791621423
            HPUX r23: 2f2f2f2f00001e6e

    This overflow may allow us to execute arbitrary code with the uid of the
    person who crashes the shell. Since bash is not suid, this isn't a big
    problem unless a special exploitation method can be created.

    To reproduce the seg fault, you must enclose the perl request with ` ` .

    ` perl -e.... etc.. ` CORRECT
       perl -e.... etc.. DOESN'T WORK

    We have looked at ways to generate an exploit for this, however so far
    nothing 'obvious' has been found. We tried creating a deep directory
    structure which would be followed by something like a /tmp directory
    watcher, however we are unable to create a directory 3500 folders deep.
    Perhaps something with sym-links could be used to do this, and the
    directory structure could contain our executable asm code.? Not tested,
    just thoughts.

    Furthermore, we found several ways to decrease the performance of a Linux
    machine to almost a standstill; however, that is not part of this
    advisory and can be prevented using resource limits on the server. For
    more information feel free to contact uk2sec@oakey.no-ip.com.

    Thanks for your time,

    uk2sec

    c0wd0g.

    c0w_d0g3@yahoo.co.uk
    uk2sec@oakey.no-ip.com

    Members:
    c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
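
As an added example, not code from the original post or from uk2sec, the following POSIX shell script rebuilds the post's trigger string without perl and exercises it from a throwaway child shell. The backticks matter for a reason the shell guarantees: the output of a command substitution that is left unquoted is word-split and then pathname-expanded, so a string made of `*` and `/` is treated as a glob against the current directory, while the same substitution inside double quotes stays one literal word. The script assumes a `bash` binary on PATH (any shell can be passed as the second argument to each function as the probe target); nothing in it depends on the bash 2.05a behaviour the post reports, it only makes that behaviour observable as the child's exit status.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a "bash" binary on
# PATH; pass another shell as the second argument to probe it instead.

# Build the post's trigger string without perl: "*/*" repeated N times,
# e.g. make_pattern 2 -> '*/**/*'.
make_pattern() {
    n=$1 pat='' i=0
    while [ "$i" -lt "$n" ]; do
        pat="${pat}*/*"
        i=$((i + 1))
    done
    printf '%s' "$pat"
}

# Expand a string the way the post's bare backtick form does: the output of
# a command substitution left UNQUOTED is word-split and pathname-expanded,
# so "*" and "/" act as a glob against the current directory. Prints the
# number of words the child shell ends up with.
count_words_unquoted() {
    sh_bin=${2:-bash}
    "$sh_bin" -c 'set -- `printf %s "$1"`; echo $#' _ "$1"
}

# Same substitution inside double quotes: no word splitting, no globbing,
# so the child always ends up with exactly one word.
count_words_quoted() {
    sh_bin=${2:-bash}
    "$sh_bin" -c 'set -- "`printf %s "$1"`"; echo $#' _ "$1"
}

# Run a candidate trigger in a throwaway child shell and report how the
# child exited, so the shell you are typing in survives if the child faults.
# A child killed by a signal is reported as 128 + signal number, so 139
# (128 + SIGSEGV) is what the post's segfault looks like from the outside;
# a shell that copes leaves the unmatched pattern as one word and exits 0.
probe_pattern() {
    sh_bin=${2:-bash}
    if "$sh_bin" -c 'set -- `printf %s "$1"`; echo $#' _ "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Stand-alone demonstration: the post's exact trigger, run out of harm's way.
trigger=$(make_pattern 2338)
printf 'trigger length: %s characters\n' "${#trigger}"
printf '"*/*" unquoted -> %s word(s), quoted -> %s word(s) in %s\n' \
    "$(count_words_unquoted '*/*')" "$(count_words_quoted '*/*')" "$PWD"
printf 'child exit status for the 2338-repeat trigger: %s\n' "$(probe_pattern "$trigger")"
```

Run it from a scratch directory with a couple of subdirectories to see the unquoted count exceed 1 while the quoted count stays at 1. On a current bash the 2338-repeat trigger simply stays unmatched and the probe reports 0; a child that died with SIGSEGV would show as 139 without taking the calling shell down with it.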