
Bash Blues.

From: <uk2sec(at)oakey.no-ip.com>
Date: Thu Feb 13 2003 - 09:26:51 EST


[ Moderator: Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By feeding the output of a short perl command to the GNU bash shell we can cause a segmentation fault.

Work done was based on:

	GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
	(Redhat 7.3)

The basis for this advisory is theoretical - Although not a current security risk, a technique yet to be developed may allow exploitation.

Background:

During some work, I noticed GNU bash could be crashed by sending a malformed perl request to the terminal.

	example:	`perl -e 'print "*/*" x 3500'`

(exact amount is: `perl -e 'print "*/*" x 2338'`)


This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and r23 on HPUX (11.00).

	X86:	ecx:	0x2f2f2f2f	(791621423)
	HPUX:	r23:	2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the person who crashes the shell. Since bash is not suid, this isn't a big problem unless a special exploitation method can be created.

To reproduce the segmentation fault, you must enclose the perl command in backticks (` `), so that its output is substituted into the command line:

`perl -e ... etc.`        CORRECT
 perl -e ... etc.         DOESN'T WORK
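Why the backticks are required, as an added example that is not part of the original advisory: a POSIX shell script that counts the words the shell actually sees after substituting the pattern `*/*` unquoted and quoted, using a constructed temporary directory tree (the directory and file names are made up for the illustration).

```shell
#!/bin/sh
# Added illustration (not from the original post) of why the backticks in the
# recipe matter: the text produced by a command substitution is subject to
# word splitting and pathname expansion, so a substituted "*/*" becomes a glob
# that the shell walks over the filesystem, while the same characters quoted
# stay a literal string. Uses a constructed fixture directory.

# Build a throwaway tree: two directories each holding one file.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alpha" "$d/beta"
    : > "$d/alpha/one"
    : > "$d/beta/two"
    printf '%s\n' "$d"
}

# Word count after an UNQUOTED substitution: the glob matches alpha/one and
# beta/two, so the shell sees two words.
words_unquoted() {
    fixture=$(make_fixture) || return 1
    ( cd "$fixture" && set -- `printf '%s' '*/*'` && printf '%s\n' "$#" )
    rm -rf "$fixture"
}

# Word count after a QUOTED substitution: no expansion, exactly one word
# consisting of the literal characters */*.
words_quoted() {
    fixture=$(make_fixture) || return 1
    ( cd "$fixture" && set -- "`printf '%s' '*/*'`" && printf '%s\n' "$#" )
    rm -rf "$fixture"
}

# Unquoted substitution in an EMPTY directory: nothing matches, so POSIX
# shells pass the pattern through unchanged as a single word.
words_unquoted_nomatch() {
    empty=$(mktemp -d) || return 1
    ( cd "$empty" && set -- `printf '%s' '*/*'` && printf '%s\n' "$#" )
    rm -rf "$empty"
}

# Sanity run when executed directly.
echo "unquoted, matching tree : $(words_unquoted)"          # 2
echo "quoted, matching tree   : $(words_quoted)"            # 1
echo "unquoted, empty tree    : $(words_unquoted_nomatch)"  # 1
```

The same rule is why shell scripts should double-quote every command substitution whose output is not meant to be expanded.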

We have looked at ways to generate an exploit for this, however so far nothing 'obvious' has been found. We tried creating a deep directory structure which would be followed by something like a /tmp directory watcher, however we are unable to create a directory 3500 folders deep. Perhaps something with symlinks could be used to do this, and the directory structure could contain our executable asm code? Not tested, just thoughts.

Furthermore we found several ways to decrease the performance of a linux machine to almost a standstill, however that is not part of this advisory and can be disabled using resource limits on the server. For more information feel free to contact uk2sec@oakey.no-ip.com.

Thanks for your time,

uk2sec

c0wd0g.


c0w_d0g3@yahoo.co.uk
uk2sec@oakey.no-ip.com

Members:
c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).

Received on Thu Feb 13 12:01:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

