bug-bash

Re: Malicious translation file can cause buffer overflow


From: Chet Ramey
Subject: Re: Malicious translation file can cause buffer overflow
Date: Thu, 30 Apr 2015 19:07:01 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 4/30/15 6:08 PM, Trammell Hudson wrote:

> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
> 
> 
> Description:
> The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> in jobs.c are copied to a static allocated buffer.  A user could set the
> LANGUAGE variable to point to a malicious translation file that has
> translations that are longer than 64-bytes for these strings to create
> a buffer overflow.
> 
> Since LANGUAGE is passed unchanged by sudo this might be usable for
> privilege escalation.
> 
> 
> Repeat-By:
> Create a .po file with a bogus translation:
> 
> #: jobs.c:1464 jobs.c:1489
> msgid "Done"
> msgstr "Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
> 
> And start an interactive shell that puts a command into the background:
> 
> LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile  -norc
> $ sleep 1 &
> [1] 14464
> $ sleep 2
> [1]+ Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890                                                                         sleep 1
> $ 
> 
> In this case the fortify tool did not detect the buffer overflow,
> but the variables after retcode_name_buffer were overwritten.
> 
> 
> Fix:
> Change jobs.c to use strncpy and snprintf:

Thanks for the report.


-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
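The following is an added example, not bash's jobs.c and not code from the report or from Chet Ramey: a small C model of the pattern the report describes, with the unbounded strcpy/sprintf path next to the strncpy/snprintf fix. The 64-byte buffer and the "Klaar ..." translation come from the report; the struct layout (a canary region standing in for "the variables after retcode_name_buffer"), the tr() stand-in for gettext's _(), and the run_scenario() harness are assumptions of this example. The unsafe copy is written as a byte loop over the whole struct so that the overrun lands in memory the program owns and can be inspected instead of crashing.

```c
#include <stdio.h>
#include <string.h>

#define RETCODE_BUF_SIZE 64   /* size of retcode_name_buffer, per the report */
#define NEIGHBOUR_SIZE   64   /* model of "the variables after retcode_name_buffer" */

/* Constructed stand-in for the malicious .po entry in the report:
 * "Klaar " plus 90 digits = 96 bytes, 97 with the terminating NUL. */
static const char MALICIOUS_DONE[] =
    "Klaar "
    "1234567890" "1234567890" "1234567890"
    "1234567890" "1234567890" "1234567890"
    "1234567890" "1234567890" "1234567890";

/* Stand-in for gettext's _(): a catalog chosen by a flag instead of LANGUAGE.
 * Like gettext, it returns the msgid itself when there is no translation. */
static const char *tr(const char *msgid, int malicious_catalog)
{
    if (malicious_catalog && strcmp(msgid, "Done") == 0)
        return MALICIOUS_DONE;
    return msgid;
}

/* Assumed memory layout: the static buffer and whatever the linker put after it. */
struct job_memory {
    char retcode_name_buffer[RETCODE_BUF_SIZE];
    unsigned char neighbour[NEIGHBOUR_SIZE];   /* canary, filled with 0xA5 */
};

/* Old jobs.c pattern: strcpy()/sprintf() into the 64-byte buffer with no bound.
 * Copies byte by byte across the whole struct (strcpy semantics, but contained).
 * Returns the number of bytes written, including the NUL. */
static size_t status_unsafe(struct job_memory *mem, int es, int malicious_catalog)
{
    char text[256];
    unsigned char *dst = (unsigned char *)mem;
    size_t i;

    if (es == 0)
        snprintf(text, sizeof text, "%s", tr("Done", malicious_catalog));
    else
        snprintf(text, sizeof text, tr("Exit %d", malicious_catalog), es);

    for (i = 0; i < sizeof *mem - 1 && text[i] != '\0'; i++)
        dst[i] = (unsigned char)text[i];   /* keeps writing past offset 63 */
    dst[i] = '\0';
    return i + 1;
}

/* Fixed pattern from the report: strncpy() with a forced NUL for "Done",
 * snprintf() for the formatted variant. Never writes past the 64 bytes.
 * Returns 1 if the translation did not fit and was truncated. */
static int status_safe(struct job_memory *mem, int es, int malicious_catalog)
{
    char *buf = mem->retcode_name_buffer;
    size_t needed;

    if (es == 0) {
        const char *t = tr("Done", malicious_catalog);
        strncpy(buf, t, RETCODE_BUF_SIZE - 1);
        buf[RETCODE_BUF_SIZE - 1] = '\0';   /* strncpy does not guarantee a NUL */
        needed = strlen(t);
    } else {
        int n = snprintf(buf, RETCODE_BUF_SIZE, tr("Exit %d", malicious_catalog), es);
        needed = n < 0 ? 0 : (size_t)n;
    }
    return needed >= RETCODE_BUF_SIZE;
}

struct outcome {
    size_t written;       /* bytes the unsafe copy emitted (0 on the fixed path) */
    int    truncated;     /* fixed path: translation did not fit */
    int    neighbour_ok;  /* canary after the buffer survived */
    size_t buflen;        /* chars in the buffer before a NUL, capped at 64 */
};

/* Prime the canary, run one variant, and report what happened to memory. */
struct outcome run_scenario(int use_fixed, int es, int malicious_catalog)
{
    struct job_memory mem;
    struct outcome o = {0, 0, 1, 0};
    size_t i;

    memset(mem.retcode_name_buffer, 0, RETCODE_BUF_SIZE);
    memset(mem.neighbour, 0xA5, NEIGHBOUR_SIZE);

    if (use_fixed)
        o.truncated = status_safe(&mem, es, malicious_catalog);
    else
        o.written = status_unsafe(&mem, es, malicious_catalog);

    for (i = 0; i < NEIGHBOUR_SIZE; i++)
        if (mem.neighbour[i] != 0xA5) { o.neighbour_ok = 0; break; }
    for (i = 0; i < RETCODE_BUF_SIZE && mem.retcode_name_buffer[i] != '\0'; i++)
        ;
    o.buflen = i;
    return o;
}

int main(void)
{
    static const char *what[2] = {"strcpy/sprintf", "strncpy/snprintf"};
    int fixed, mal;
    for (fixed = 0; fixed < 2; fixed++)
        for (mal = 0; mal < 2; mal++) {
            struct outcome o = run_scenario(fixed, 0, mal);
            printf("%-16s %-9s catalog: buflen=%zu written=%zu truncated=%d neighbour %s\n",
                   what[fixed], mal ? "malicious" : "normal", o.buflen, o.written,
                   o.truncated, o.neighbour_ok ? "intact" : "CLOBBERED");
        }
    return 0;
}
```

With the malicious catalog the unbounded path writes 97 bytes into a 64-byte field and the canary is clobbered, which is the "variables after retcode_name_buffer were overwritten" observation from the report; the bounded path leaves the canary intact and instead reports truncation, so the cost of the fix is a cut-off status line rather than memory corruption. The byte loop is the one deliberate departure from real strcpy(): it is capped at the size of the struct so the demonstration itself cannot run off the end of the object.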


