RE: Bash Blues.

From: Adam Gilmore (vuln@optusnet.com.au)
Date: 02/13/03

    From: "Adam Gilmore" <vuln@optusnet.com.au>
    To: <vuln-dev@securityfocus.com>
    Date: Fri, 14 Feb 2003 07:44:47 +1000
    
    

    Verified on Mandrake 8.1, Redhat 7.0 and Debian 3.0.

    -----Original Message-----
    From: uk2sec@oakey.no-ip.com [mailto:uk2sec@oakey.no-ip.com]
    Sent: Friday, 14 February 2003 12:27 AM
    To: vuln-dev@securityfocus.com
    Subject: Bash Blues.

    [ Moderator: Post Edited Accordingly ]

    uk2sec /bin/bash Advisory

    By sending a perl request on the GNU bash terminal we can cause a
    Segmentation Fault.

    Work done was based on:
            GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
            (Redhat 7.3)

    The basis for this advisory is theoretical - although not a current
    security risk, a technique yet to be developed may allow exploitation.

    Background:

    During some work, I noticed GNU bash could be crashed by sending a
    malformed perl request to the terminal.

            example: `perl -e 'print "*/*" x 3500'`
                            <bash crashes>

    (exact amount is: `perl -e 'print "*/*" x 2338'`)

    This crash overwrites the ecx register on X86 (linux RH 7.3) systems,
    and r23 on HPUX (11.00).

            X86: ecx: 0x2f2f2f2f 791621423
            HPUX r23: 2f2f2f2f00001e6e

    This overflow may allow us to execute arbitrary code with the uid of the
    person who crashes the shell. Since bash is not suid, this isn't a big
    problem unless a special exploitation method can be created.

    To reproduce the seg fault, you must enclose the perl request with ` ` .

    ` perl -e.... etc.. ` CORRECT
       perl -e.... etc.. DOESN'T WORK

    We have looked at ways to generate an exploit for this, however so far
    nothing 'obvious' has been found. We tried creating a deep directory
    structure which would be followed by something like a /tmp directory
    watcher, however we are unable to create a directory 3500 folders deep.

    Perhaps something with sym-links could be used to do this, and the
    directory structure could contain our executable asm code? Not tested,
    just thoughts.

    Furthermore we found several ways to decrease the performance of a linux
    machine to almost a standstill, however that is not part of this
    advisory and can be disabled using resource limits on the server. For
    more information feel free to contact uk2sec@oakey.no-ip.com.

    Thanks for your time,

    uk2sec

    c0wd0g.

    c0w_d0g3@yahoo.co.uk
    uk2sec@oakey.no-ip.com

    Members:
    c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).
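
The check below is an added example and is not part of either message above. It lets an administrator test whether a given bash build is affected by the glob-pattern crash the advisory describes without crashing their own interactive shell: the pattern (`*/*` repeated, 2338 times by default, built with a shell loop instead of perl) is expanded by a throwaway `bash -c` child inside an empty temporary directory under a CPU-time limit, and the function reports only the child's fate. Return codes (0 survived, 1 segfaulted, 2 no bash, 3 other failure), the function name and the 10-second limit are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): safely probe a bash build for
# the "*/*" x N glob-expansion crash from the advisory.
#
# Returns: 0 = bash survived the expansion (not affected)
#          1 = bash died with SIGSEGV (affected)
#          2 = no bash binary found
#          3 = could not run the probe, or bash died some other way
check_bash_glob_crash() {
    n=${1:-2338}                      # repeat count quoted in the advisory
    command -v bash >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 3      # empty dir: nothing matches, so the
                                      # cost is in pattern handling only
    pat=""
    i=0
    while [ "$i" -lt "$n" ]; do       # build "*/*" x n without perl
        pat="${pat}*/*"
        i=$((i + 1))
    done
    # Unquoted $1 inside the child undergoes pathname expansion of the whole
    # pattern, the same thing the backtick substitution did in the advisory.
    # The CPU limit keeps a runaway expansion from stalling the host.
    (
        cd "$dir" || exit 3
        ulimit -t 10 2>/dev/null
        bash -c 'echo $1 >/dev/null' _ "$pat"
    ) 2>/dev/null
    rc=$?
    rmdir "$dir" 2>/dev/null
    case $rc in
        0)   return 0 ;;
        139) return 1 ;;              # 128 + 11 (SIGSEGV)
        *)   return 3 ;;
    esac
}

# Usage: run the probe and print a human-readable verdict.
if [ "${1:-}" = "--run" ]; then
    check_bash_glob_crash "${2:-2338}"
    case $? in
        0) echo "bash survived: not affected" ;;
        1) echo "bash segfaulted: AFFECTED" ;;
        2) echo "bash not found" ;;
        *) echo "probe could not be completed" ;;
    esac
fi
```

Invoke it as `sh check.sh --run` (or `--run 3500` for the larger count from the advisory). Because the child runs in an empty directory, a healthy bash simply echoes the literal pattern and exits 0; only a build that faults while parsing or expanding the pattern produces the SIGSEGV verdict.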