
Malicious translation file can cause buffer overflow


From: Trammell Hudson
Subject: Malicious translation file can cause buffer overflow
Date: Thu, 30 Apr 2015 22:08:03 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' 
-DCONF_VENDOR='unknown' -DLOCALEDIR='/tmp/local/share/locale' -DPACKAGE='bash' 
-DSHELL -DHAVE_CONFIG_H   -I.  -I.. -I../include -I../lib   -g -O2
uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9 
03:28:16 GMT 2014 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu

Bash Version: 4.3
Patch Level: 30
Release Status: release


Description:
The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
in jobs.c are copied to a statically allocated buffer.  A user could set the
LANGUAGE variable to point to a malicious translation file that has
translations that are longer than 64 bytes for these strings to create
a buffer overflow.

Since LANGUAGE is passed unchanged by sudo this might be usable for
privilege escalation.


Repeat-By:
Create a .po file with a bogus translation:

#: jobs.c:1464 jobs.c:1489
msgid "Done"
msgstr "Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"

And start an interactive shell that puts a command into the background:

LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile  -norc
$ sleep 1 &
[1] 14464
$ sleep 2
[1]+ Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890                                                                        sleep 1
$ 

In this case the fortify tool did not detect the buffer overflow,
but the variables after retcode_name_buffer were overwritten.


Fix:
Change jobs.c to use strncpy and snprintf:

      else if (WIFEXITED (p->status))
        {
          temp = retcode_name_buffer;
          es = WEXITSTATUS (p->status);
          if (es == 0)
            snprintf (temp, sizeof(retcode_name_buffer), _("Done"));
          else if (posixly_correct)
            snprintf (temp, sizeof(retcode_name_buffer), _("Done(%d)"), es);
          else
            snprintf (temp, sizeof(retcode_name_buffer), _("Exit %d"), es);
        }
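To show what the bounded formatting buys, here is the pattern above carried into a self-contained program. This is an added example, not bash's jobs.c and not the poster's patch: translate() is a constructed stand-in for gettext's _() that hands back an over-long "Done" translation modelled on the .po entry in the report, the 64-byte buffer size is taken from the report, and format_exit_status() returns snprintf's "would have needed" length so a caller can tell that a translation was truncated instead of silently overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size as stated in the report for retcode_name_buffer. */
#define RETCODE_BUF_SIZE 64

/* Constructed over-long translation: "Klaar " plus 90 digits (96 bytes). */
#define LONG_TRANSLATION "Klaar " \
    "1234567890" "1234567890" "1234567890" \
    "1234567890" "1234567890" "1234567890" \
    "1234567890" "1234567890" "1234567890"

/* Stand-in for gettext's _(): with 'malicious' set it behaves like a
 * catalog selected through LANGUAGE that carries the over-long entry;
 * otherwise it returns the untranslated msgid, as gettext does when no
 * catalog matches. */
static const char *translate(const char *msgid, int malicious)
{
    if (malicious && strcmp(msgid, "Done") == 0)
        return LONG_TRANSLATION;
    return msgid;
}

/* Bounded counterpart of the sprintf() calls in jobs.c.  Never writes past
 * bufsz bytes and always NUL-terminates.  Returns the length the complete
 * message would have needed; a value >= bufsz means the translation was
 * truncated, which the caller can log or treat as a bad catalog. */
int format_exit_status(char *buf, size_t bufsz, int es, int posixly_correct,
                       int malicious)
{
    int needed;

    if (es == 0)
        /* No arguments are expected here, so the translation is passed as
         * data via "%s" rather than as the format string itself. */
        needed = snprintf(buf, bufsz, "%s", translate("Done", malicious));
    else if (posixly_correct)
        needed = snprintf(buf, bufsz, translate("Done(%d)", malicious), es);
    else
        needed = snprintf(buf, bufsz, translate("Exit %d", malicious), es);

    return needed;
}

int main(void)
{
    char retcode_name_buffer[RETCODE_BUF_SIZE];
    int needed;

    needed = format_exit_status(retcode_name_buffer, sizeof retcode_name_buffer,
                                0, 0, 1);
    printf("message: \"%s\"\n", retcode_name_buffer);
    printf("needed %d bytes, buffer holds %zu: %s\n", needed,
           sizeof retcode_name_buffer,
           needed >= (int)sizeof retcode_name_buffer ? "TRUNCATED" : "ok");

    needed = format_exit_status(retcode_name_buffer, sizeof retcode_name_buffer,
                                3, 0, 0);
    printf("message: \"%s\" (needed %d)\n", retcode_name_buffer, needed);
    return 0;
}
```

The untruncated form of the message is never written anywhere; only its length is reported, which is enough for a caller to decide whether the catalog should be trusted.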
