Date: Thu, 12 Jul 2012 16:04:00 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Overflow fix in bash 4.2 patch 33

On Wed, Jul 11, 2012 at 11:29:22AM -0600, Kurt Seifried wrote:
> On 07/11/2012 10:15 AM, Marcus Meissner wrote:
> > Hi,
> > 
> > the bash maintainer kindly mailed us and other vendors a
> > notification of an overflow in the bash "test" builtin when
> > "/dev/fd/..." filenames are used.
> > 
> > ftp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-033
> > 
> > Reproducer: test -e /dev/fd/111111111111111111111111111111111
> > 
> > Problem is caught by -D_FORTIFY_SOURCE=2 if enabled, and likely
> > also by -fstack-protector (not tested)
> > 
> > Goes all the way back to old bashes.
> > 
> > The likelihood of people being able to inject those filenames into
> > shell scripts and not being able to execute shellcode themselves is
> > however slim. (setuid root shell scripts are not possible.)
> > 
> > Security (CVE) relevant scenario we thought of is breaking out of
> > a restricted shell mode.
> > 
> > Ciao, Marcus
> 
> Can you give a more concrete example, e.g. you're talking about
> http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
> I assume? Are we simply talking about violating those restrictions?

Yes. Breaking out of the restricted shell using this issue.

$ bash -r
bash: /dev/pts/9: Gesperrt: Die Ausgabe darf nicht umgeleitet werden.
$ test -f /dev/fd/111111111111111111111111111111111111111111111111111111111111111
*** buffer overflow detected ***: bash terminated
...

So basically without fortification measures you can inject an ASCII-based
shellcode to execute code you shouldn't.

(One can argue about how secure you consider restricted shells to be ...)

Ciao, Marcus
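Added example, not part of the thread above: a small POSIX sh checker that runs the reproducer Marcus quotes (`test -e` on an overlong `/dev/fd/...` name) inside a fresh child shell and classifies the outcome by exit status, so an administrator can probe an installed bash without the crash taking down the calling shell. It assumes the binary to probe is given as the first argument (defaulting to `bash` on `PATH`); the overlong name and the classification labels are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread): probe a bash binary with the
# overlong /dev/fd/ name from the reproducer and classify the result.
# Assumption: the binary under test is $1, defaulting to "bash" on PATH.

# Constructed overlong /dev/fd/ name, same shape as the reproducer in the thread.
LONG_NAME="/dev/fd/111111111111111111111111111111111111111111111111111111111111111"

# Runs `test -e` on the overlong name in a child shell so that a crash kills
# only the child. Prints one classification and returns:
#   handled       (0) - child exited normally: test returned true/false
#   fortify-abort (1) - exit 134 = SIGABRT, i.e. _FORTIFY_SOURCE caught the overflow
#   crash         (1) - another signal exit (e.g. 139 = SIGSEGV): overflow reached
#   missing       (2) - the binary could not be executed at all
check_devfd_test() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return 2; }
    # Pass the name as a positional parameter so the child does no extra expansion.
    "$shell" -c 'test -e "$1"' probe "$LONG_NAME" >/dev/null 2>&1
    status=$?
    case "$status" in
        0|1) echo "handled"; return 0 ;;
        134) echo "fortify-abort"; return 1 ;;
        *)
            if [ "$status" -gt 128 ]; then
                echo "crash"; return 1
            fi
            # Any other ordinary exit (e.g. a usage error) means no crash occurred.
            echo "handled"; return 0
            ;;
    esac
}

# Usage: sh check_devfd.sh [/path/to/bash]; the script's exit status is the
# classification above, so it can gate a build or package check.
check_devfd_test "${1:-bash}"
```

A normal exit only shows that this particular input did not crash this particular build; on an unfortified binary an overflow can clobber neighbouring stack data without a visible failure, so the authoritative check remains the patch level in `$BASH_VERSION` (4.2 patch 33 or later carries bash42-033). The `fortify-abort` outcome is exactly the "*** buffer overflow detected ***" case shown in the restricted-shell session above.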
