Date: Thu, 12 Jul 2012 16:04:00 +0200 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: Overflow fix in bash 4.2 patch 33 On Wed, Jul 11, 2012 at 11:29:22AM -0600, Kurt Seifried wrote: > On 07/11/2012 10:15 AM, Marcus Meissner wrote: > > Hi, > > > > the bash maintainer kindly mailed us and other vendors a > > notification of a overflow in the bash "test" builtin when > > "/dev/fd/..." filenames are used. > > > > ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033 > > > > Reproducer: test -e /dev/fd/111111111111111111111111111111111 > > > > Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely > > also by -fstack-protector (not tested) > > > > Goes all the way back to old bashes. > > > > The likeliness of people able to inject those filenames into shell > > scripts and not being able to execute shellcode themselves is > > however slim. (setuid root shell scripts are not possible.) > > > > Security (CVE) relevant scenario we thought of is breaking out of > > a restricted shell mode. > > > > Ciao, Marcus > > Can you give a more concrete example, e.g. you're talking about > http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html > I assume? Are we simply talking about violating those restrictions? Yes. Breaking out of the restricted shell using this issue. $ bash -r bash: /dev/pts/9: Gesperrt: Die Ausgabe darf nicht umgeleitet werden. $ test -f /dev/fd/111111111111111111111111111111111111111111111111111111111111111 *** buffer overflow detected ***: bash terminated ... So basically without fortification measures you can inject a ASCII based shell-code to execute code you shouldn't. (One can argue that of how secure you evaluate restricted shells ...) Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ