Vulnerability Development mailing list archives
Re: possible su local D.o.S
From: Frank de Lange <secf-frank () unternet org>
Date: Thu, 13 Dec 2001 23:35:02 +0100
This is what I got with:
bash --version
GNU bash, version 2.05.9(1)-release (i686-redhat-linux-gnu)
Copyright 2000 Free Software Foundation, Inc.
su --version
su (GNU sh-utils) 2.0
Written by David MacKenzie.
[frank@behemoth frank]$ time su `perl -e 'print "A" x 100000000'`
bash: /bin/su: Argument list too long
real 1m20.578s
user 0m52.170s
sys 0m17.470s
The bash process had grown to 415 MB, and stays about the same size:
[frank@behemoth frank]$ ps u 2085
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
frank 2085 5.5 55.0 526884 425400 pts/5 S 22:28 2:35 bash
So, this is not a su issue. I get the same results with e.g. /usr/bin/yes:
[frank@behemoth frank]$ time yes `perl -e 'print "A" x 100000000'`
bash: /usr/bin/yes: Argument list too long
real 1m3.431s
user 0m51.760s
sys 0m12.170s
It doesn't really matter which program you try to start this way, as the
program never gets a chance to run:
[frank@behemoth frank]$ time ls `perl -e 'print "A" x 100000000'`
bash: /bin/ls: Argument list too long
real 1m3.835s
user 0m51.820s
sys 0m14.700s
Other shells react more or less the same:
tcsh 6.08.00: reacts almost immediately with Word too long for ls
> time ls `perl -e 'print "A" x 100000000'`
Word too long.
0.010u 0.000s 0:01.51 0.6% 0+0k 0+0io 0pf+0w
zsh 3.0.5: takes a long time, grows to 520 MB, but then comes back with
argument list too long for ls
behemoth% time ls `perl -e 'print "A" x 100000000'`
zsh: argument list too long: ls
ls 196.96s user 5.61s system 98% cpu 3:25.83 total
ash 0.2: interesting, gives argument list too long for time, not ls
$ time ls `perl -e 'print "A" x 100000000'`
time: argument list too long
pdksh 5.2.14: same idea...
[\u@\h \W]$ time ls `perl -e 'print "A" x 100000000'`
ksh: ls: Argument list too long
16.96s real 12.31s user 2.70s system
This all on a 2x466 Celeron with 768 MB and 500 MB swap
Cheers//Frank
--
WWWWW _______________________
## o o\ / Frank de Lange \
}# \| / \
##---# _/ <Hacker for Hire> \
#### \ +31-320-252965 /
\ secf-frank () unternet org /
-------------------------
[ "Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est." ]
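
The observation above that the target program "never gets a chance to run" can be checked without involving a shell. The following C sketch is an added example, not part of the original post: it hands execve() a single oversized argument and reports the errno behind the "Argument list too long" message (E2BIG). The function name `try_exec_with_arg`, the use of /bin/sh as the target and the sizes are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, build one argument of `len` bytes in the child, then try to exec
 * "/bin/sh -c : <arg>" (target chosen for this example only).
 * Returns 0 if the target ran and exited cleanly, E2BIG if the kernel
 * refused the exec because of argument size, -1 for anything else. */
int try_exec_with_arg(size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The caller pays for the buffer, just as the shells above did. */
        char *big = malloc(len + 1);
        if (big == NULL)
            _exit(98);
        memset(big, 'A', len);
        big[len] = '\0';
        char *argv[] = { "sh", "-c", ":", big, NULL };
        char *envp[] = { NULL };
        execve("/bin/sh", argv, envp);
        /* Only reached when execve() failed: the target never started. */
        _exit(errno == E2BIG ? 99 : 98);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 0;
    return WEXITSTATUS(status) == 99 ? E2BIG : -1;
}

int main(void)
{
    /* Constructed sample sizes: one tiny argument, one of 4 MiB. */
    size_t sizes[] = { 16, 4u * 1024 * 1024 };
    printf("sysconf(_SC_ARG_MAX) = %ld\n", sysconf(_SC_ARG_MAX));
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int r = try_exec_with_arg(sizes[i]);
        printf("%zu bytes: %s\n", sizes[i],
               r == 0 ? "target ran" : r == E2BIG ? "E2BIG" : "other error");
    }
    return 0;
}
```

The refusal itself is immediate; the time and memory in the measurements above are spent by the calling process while it assembles the argument, before execve() is ever reached.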