[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
"Max Enviroment Variable Limit causes DoS"
From: |
Bully Cillóniz |
Subject: |
"Max Enviroment Variable Limit causes DoS" |
Date: |
Sat, 22 Mar 2003 21:55:00 +0000 |
Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: linux
Compiler: gcc -I/usr/src/packages/BUILD/bash-2.05
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i386'
-DCONF_OSTYPE='linux' -DCONF_MACHTYPE='i386-suse-linux' -DCONF_VENDOR='suse'
-DSHELL -DHAVE_CONFIG_H -D_FILE_OFFSET_BITS=64 -I. -I/usr/include -I.
-I./include -I./lib -I/usr/include -O2 -march=i486 -mcpu=i686 -D_GNU_SOURCE
-Wall -pipe
uname output: Linux coi 2.4.18-4GB #1 Wed Mar 27 13:57:05 UTC 2002 i686
unknown
Machine Type: i386-suse-linux
Bash Version: 2.05
Patch Level: 0
Release Status: release
Description:
By using the perl interpretor with the "-e" argument, its posible to make
an
enviroment variable
of very high bytes to cause the shell to react in a bad way.
example:
BASH:~> export BUF=$(perl -e 'printf "A" x"1000000"') #Currently 1
million chars
BASH~> ls -la
bash: /bin/ls: Argument list too long
BASH:~> telnet
bash: /usr/bin/telnet: Argument list too long
BASH:~> wget
bash: /usr/bin/wget: Argument list too long
Repeat-By:
Internal commands are inmune to this problem, but the porblem arrises when
external commands are
placed into act. The problem occures due to that enviroment variables get
passed to the calling program.
As the stderr describes the arguments supplied exceed the limit causing it
not
to execute accordinly.
Fortunatly, this current problem doesnt cause any buffer overflow, which
could've had the attacker execute
what ever is of his likeing. Instead it denies service to the user.
Fix:
A recomended fix is to have a limit on how big an enviroment variable
should
be. I have tested
with a variable of 10,000 chars and seems to work fine, any other variable
of
bigger length than
the one just mentioned, isn't necesary. Also the problem seems to disapeer
when the user ovewrites
the variable to a smaller length (export BUF=1), a better way is just to use
the unset command to neutralize
the variable (unset BUF).
_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
- "Max Enviroment Variable Limit causes DoS",
Bully Cillóniz <=