bug-bash

"Max Environment Variable Limit causes DoS"


From: Bully Cillóniz
Subject: "Max Environment Variable Limit causes DoS"
Date: Sat, 22 Mar 2003 21:55:00 +0000

Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: linux
Compiler: gcc -I/usr/src/packages/BUILD/bash-2.05
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i386'
-DCONF_OSTYPE='linux' -DCONF_MACHTYPE='i386-suse-linux' -DCONF_VENDOR='suse'
-DSHELL -DHAVE_CONFIG_H  -D_FILE_OFFSET_BITS=64  -I. -I/usr/include -I.
-I./include -I./lib -I/usr/include -O2 -march=i486 -mcpu=i686 -D_GNU_SOURCE
-Wall -pipe
uname output: Linux coi 2.4.18-4GB #1 Wed Mar 27 13:57:05 UTC 2002 i686
unknown
Machine Type: i386-suse-linux

Bash Version: 2.05
Patch Level: 0
Release Status: release

Description:
By using the perl interpreter with the "-e" argument, it's possible to make an
environment variable with a very high number of bytes to cause the shell to
react in a bad way.

     example:
     BASH:~> export BUF=$(perl -e 'printf "A" x"1000000"')  # Currently 1 million chars
     BASH:~> ls -la
     bash: /bin/ls: Argument list too long
     BASH:~> telnet
     bash: /usr/bin/telnet: Argument list too long
     BASH:~> wget
     bash: /usr/bin/wget: Argument list too long


Repeat-By:
Internal commands are immune to this problem, but the problem arises when
external commands are put into action. The problem occurs because environment
variables get passed to the calling program. As the stderr describes, the
arguments supplied exceed the limit, causing it not to execute accordingly.
Fortunately, this current problem doesn't cause any buffer overflow, which
could have had the attacker execute whatever is to his liking. Instead it
denies service to the user.


Fix:
A recommended fix is to have a limit on how big an environment variable should
be. I have tested with a variable of 10,000 chars and it seems to work fine; any
variable of bigger length than the one just mentioned isn't necessary. Also, the
problem seems to disappear when the user overwrites the variable with a smaller
length (export BUF=1); a better way is just to use the unset command to
neutralize the variable (unset BUF).

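An added example, not part of the original report: an audit of the exported environment written with bash builtins only, so it keeps working in the state described above, where anything that goes through execve fails. The function names and the 10,000-byte default threshold (the size the report says still worked) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original report. Uses bash builtins only, so it
# still runs in a shell where every external command fails with
# "Argument list too long" (execve returning E2BIG).

# Print "NAME BYTES" for each exported variable whose "NAME=value" string
# is longer than $1 bytes.
oversized_env_vars() {
  local limit=$1 name value size
  local LC_ALL=C                     # make ${#value} count bytes, not characters
  for name in $(compgen -e); do      # compgen -e: names of exported variables
    value=${!name}
    size=$(( ${#name} + 1 + ${#value} ))
    if (( size > limit )); then printf '%s %d\n' "$name" "$size"; fi
  done
}

# Print the bytes execve has to copy for the whole environment:
# every "NAME=value" string plus its terminating NUL.
env_total_bytes() {
  local name value total=0
  local LC_ALL=C
  for name in $(compgen -e); do
    value=${!name}
    total=$(( total + ${#name} + ${#value} + 2 ))
  done
  printf '%d\n' "$total"
}

# The report's fix, automated: unset every exported variable above $1 bytes.
# Call it directly, not inside $(...), or the unset is lost in a subshell.
unset_oversized_env_vars() {
  local name _size
  while read -r name _size; do
    if [[ -n $name ]]; then unset -v "$name"; fi
  done <<< "$(oversized_env_vars "$1")"
}

# Report for the current shell. 10000 is the size the report says still
# worked (an assumption used as a default here), not a kernel limit.
oversized_env_vars "${1:-10000}"
printf 'environment total: %d bytes\n' "$(env_total_bytes)"
```

Load it with the `source` builtin in the affected shell; starting it as a separate script would itself require execve and fail the same way.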