
RE: Bash Blues.

From: Adam Gilmore <vuln(at)optusnet.com.au>
Date: Thu Feb 13 2003 - 16:44:47 EST


Verified on Mandrake 8.1, Redhat 7.0 and Debian 3.0.

-----Original Message-----
From: uk2sec@oakey.no-ip.com [mailto:uk2sec@oakey.no-ip.com]
Sent: Friday, 14 February 2003 12:27 AM
To: vuln-dev@securityfocus.com
Subject: Bash Blues.

[ Moderator: Post Edited Accordingly ]

uk2sec /bin/bash Advisory

By sending a perl request on the GNU bash terminal we can cause a Segmentation Fault.

Work done was based on:

	GNU bash, version 2.05a.0(1)-release (i686-pc-linux-gnu)
	(Redhat 7.3)

The basis for this advisory is theoretical - Although not a current security risk, a technique yet to be developed may allow exploitation.

Background:


During some work, I noticed GNU bash could be crashed by sending a malformed perl request to the terminal.

	example:	`perl -e 'print "*/*" x 3500'`

(exact amount is: `perl -e 'print "*/*" x 2338'`)

This crash overwrites the ecx register on X86 (linux RH 7.3) systems, and r23 on HPUX (11.00).

	X86:  		ecx:	0x2f2f2f2f	791621423
	HPUX		r23: 	2f2f2f2f00001e6e

This overflow may allow us to execute arbitrary code with the uid of the person who crashes the shell. Since bash is not suid, this isn't a big problem unless a special exploitation method can be created.

To reproduce the seg fault, you must enclose the perl request with ` ` .

`  perl -e.... etc..  `       CORRECT
   perl -e.... etc..          DOESN'T WORK

We have looked at ways to generate an exploit for this, however so far nothing 'obvious' has been found. We tried creating a deep directory structure which would be followed by something like a /tmp directory watcher, however we are unable to create a directory 3500 folders deep.

Perhaps something with sym-links could be used to do this, and the directory structure could contain our executable asm code? Not tested, just thoughts.

Furthermore, we found several ways to decrease the performance of a Linux machine to almost a standstill; however, that is not part of this advisory and can be disabled using resource limits on the server. For more information feel free to contact uk2sec@oakey.no-ip.com.

Thanks for your time,

uk2sec

c0wd0g.

c0w_d0g3@yahoo.co.uk
uk2sec@oakey.no-ip.com

Members:
c0w_d0g (c0w_d0g3|@|yahoo.co.uk), deadbeat (deadbeat|@|hush.com).

Received on Fri Feb 14 11:44:16 2003
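The reproduction step described in the post, as an added harness that is not part of the original message or of uk2sec's work: it builds the `"*/*" x N` pattern without perl, expands it unquoted through command substitution inside a throwaway child shell (the backtick form the post says is required), with core dumps disabled and in a fresh empty directory, and maps the child's exit status to a verdict so a crash never takes down the shell you are typing in. The shell binary, the repetition counts swept, and the empty working directory are assumptions for illustration; the harness reports what happens on the machine it runs on and does not itself establish which bash builds still crash.

```shell
#!/bin/sh
# Added reproduction harness (example code, not from the original post).
# Builds the "*/*" x N pattern from the advisory, runs it through an
# unquoted command substitution in a child shell, and reports how the
# child exited instead of letting your own shell segfault.

# make_pattern N: print "*/*" repeated N times (what the post's perl
# one-liner produces), e.g. N=3 -> */**/**/*
make_pattern() {
    n=$1
    pat=""
    i=0
    while [ "$i" -lt "$n" ]; do
        pat="${pat}*/*"
        i=$((i + 1))
    done
    printf '%s' "$pat"
}

# probe_glob SHELL N: expand the pattern via $(...) in SHELL inside a fresh
# empty directory (assumed setup: the glob has nothing to match), and return
# the child's exit status: 0 if it survived, 128+signal if it was killed,
# so 139 means SIGSEGV. A one-line verdict is printed to stdout.
probe_glob() {
    sh_bin=$1
    n=$2
    pattern=$(make_pattern "$n")
    workdir=$(mktemp -d) || return 2
    status=0
    (
        cd "$workdir" || exit 2
        ulimit -c 0       # never leave a core file behind
        # ulimit -s 1024  # optional: lower the stack limit and see whether
        #                 # the crashing N moves with it
        # Unquoted $(...): the result is word-split and glob-expanded,
        # which is the backtick form the advisory says is required.
        "$sh_bin" -c 'set -- $(printf "%s" "$1"); echo "$#"' _ "$pattern" \
            >/dev/null 2>&1
    ) || status=$?
    rmdir "$workdir" 2>/dev/null
    case $status in
        0)   printf '%s N=%s: survived\n' "$sh_bin" "$n" ;;
        139) printf '%s N=%s: SIGSEGV (status %s)\n' "$sh_bin" "$n" "$status" ;;
        134) printf '%s N=%s: SIGABRT (status %s)\n' "$sh_bin" "$n" "$status" ;;
        *)   printf '%s N=%s: exited with status %s\n' "$sh_bin" "$n" "$status" ;;
    esac
    return "$status"
}

# Usage: ./probe.sh --run sweeps a few sizes against the bash on this
# machine, including the 2338 repetitions the post gives as its threshold.
if [ "${1:-}" = "--run" ]; then
    for n in 10 1000 2338 3500; do
        probe_glob bash "$n" || true
    done
fi
```

The child is started in an empty directory on purpose: if the pattern matches nothing, a shell without nullglob hands the literal pattern back, so any non-zero status comes from the expansion code itself rather than from whatever happens to be on disk. Pass `sh`, `bash`, or a full path to an older build as the first argument to compare implementations.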

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

