Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: bash overflows
From: Jason Slagle <raistlin () tacorp net>
Date: Fri, 8 Jun 2001 11:06:09 -0400 (EDT)
On Tue, 5 Jun 2001, KF wrote:


I have seen at least one post for linux bash overflows but not much
follow up for other OS's.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26tid%3D13697%26end%3D2001-06-09%26threads%3D0%26start%3D2001-06-03%26
This seems to affect bash and csh and tcsh on SCO and SunOS both.

[6:55pm] () [medusa]#uname -a
SunOS medusa 5.7 Generic_106541-12 sun4m sparc SUNW,SPARCstation-5
[6:55pm] () [medusa]#gdb bash
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.7"...
(gdb) run
Starting program: /usr/local/bin/bash
cannot stat /var/adm/utmpx.  Please "unset watch".
bash-2.03$ export TERM=`perl  -e 'print "A" x 7000'`

Program received signal SIGSEGV, Segmentation fault.
0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
(gdb) bt
#0  0xef5b6cb8 in strcpy () from /usr/lib/libc.so.1
#1  0xef7572d4 in setupterm () from /usr/lib/libcurses.so.1
#2  0xef758cd4 in tgetent () from /usr/lib/libcurses.so.1
Cannot access memory at address 0x41414179.
(gdb)


Actually, this looks like an ncurses overflow.

export TERM=`perl -e 'print "A" x 7000'`
export EDITOR=pico
chsh

Pico dumps core

Is it suid root when it does so?  If so it may be exploitable.

Jason

-- 
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin () tacorp net - jslagle () toledolink com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /   ASCII Ribbon Campaign  . If dreams are like movies then memories
 X  - NO HTML/RTF in e-mail  .   are films about ghosts..
/ \ - NO Word docs in e-mail .     - Adam Duritz - Counting Crows

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]