Re: Bash Blues.

From: Kurt Seifried (kurt@seifried.org)
Date: 02/14/03

Next message: Dack: "Re: Bash Blues."

Previous message: Adam Gilmore: "RE: Bash Blues."
In reply to: Andrew Walkingshaw: "Re: Bash Blues."
Next in thread: Dack: "Re: Bash Blues."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Kurt Seifried" <kurt@seifried.org>
To: "Andrew Walkingshaw" <andrew-bugtraq@lexical.org.uk>, <vuln-dev@securityfocus.com>
Date: Thu, 13 Feb 2003 21:31:46 -0800

> uk2sec /bin/bash Advisory
>
> By sending a perl request on the GNU bash terminal we can cause a
> Segmentation Fault.
>
> Work done was based on:
> GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
> (Redhat 7.3)
>

Interesting. Logged in via ssh to a red hat 7.3 and an 8.0 system (both are
completely up to date) doing that command immediately logs me out (bash
falls down badly). Other then that the system is fine, no weird load/etc.
For a quick moment bash spikes, but 2.5% cpu usage on a 600 mhz cyrix
processor is not exactly scary ditto for memory, 1.2% out of 248 megs (256 -
8 for the built in video) is not worrying. No resource limits are placed on
bash via ulimit or the session via pam limits so it's not booting me out
because of that.

CPU states: 2.5% user, 2.3% system, 0.0% nice, 95.0% idle
Mem: 247516K av, 239088K used, 8428K free, 0K shrd, 61180K
buff
Swap: 262072K av, 14456K used, 247616K free 109576K
cached
  PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
  370 seifried 16 0 3112 3112 1096 R 2.5 1.2 0:00 bash
  769 postfix 15 0 1256 1104 1000 S 0.7 0.4 13:52 qmgr
  366 seifried 15 0 1064 1064 820 R 0.7 0.4 0:00 top
  606 root 15 0 1356 1272 1188 S 0.1 0.5 0:47 sshd

On Solaris with bash from sunfreeware (I think):

$ /usr/local/bin/bash
bash-2.05$ /usr/local/bin/bash --version
GNU bash, version 2.05.0(1)-release (sparc-sun-solaris2.8)
Copyright 2000 Free Software Foundation, Inc.
bash-2.05$ uname -a
SunOS sparkplug 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-1
bash-2.05$ `perl -e 'print "*/*" x 2338'`
Segmentation Fault - core dumped

takes a few seconds but then it seg faults. Who knows, maybe it is
exploitable.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

Next message: Dack: "Re: Bash Blues."
Previous message: Adam Gilmore: "RE: Bash Blues."
In reply to: Andrew Walkingshaw: "Re: Bash Blues."
Next in thread: Dack: "Re: Bash Blues."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: How to redirect "Segmentation fault (core dumped)" to err.txt?
... > bash 2.05b-16 ... > Segmentation fault ... It is printed by the shell, ... Måns Rullgård ...
(comp.unix.programmer)
How to redirect "Segmentation fault (core dumped)" to err.txt?
... bash 2.05b-16 ... Why didn't "Segmentation fault " redirect to err.txt? ... alex DOT vinokur AT gmail DOT com ...
(comp.unix.programmer)
Re: Finding the callstack programmatically
... bash$ a.out ... Segmentation fault ... > work on GNU gcc glibc type platforms such as Linux. ...
(comp.unix.programmer)
[Full-Disclosure] Fw: Bash Blues.
... Subject: Bash Blues. ... > that works for my bash (GNU bash, ... >> This overflow may allow us to execute arbitrary code with the uid of the ... We tried creating a deep directory ...
(Full-Disclosure)
Re: Put html-tags on..
... GNU bash, version 2.05b.0-release ... and zsh ) as well ... This is clearly an editing job, ...
(comp.unix.shell)