[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Integer Overflow in braces

From: Eric Blake
Subject: Re: Integer Overflow in braces
Date: Mon, 17 Aug 2015 16:15:50 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

On 08/17/2015 09:58 AM, Pasha K wrote:
> Hey Greg,
> I wasn't particularly trying to actually generate that large amount of
> strings in memory, I wa purposely trying to overflow the integer variable
> "nelem"hoping to get Code Execution. This could potentially be a security
> risk as shell shock was just more of a denial of service rather than
> straight up code execution. However, just because I wasn't able to gain
> control of the registers doesn't mean someone else with more skill can't.

This is not a security risk.

Shell shock was a security hole because the shell could be coerced into
executing user-supplied code WITHOUT a way for a script to intervene.

Any poorly-written shell script can do stupid things, including crashing
bash because it overflows the heap by trying to allocate memory for such
a stupidly large expansion.  But unless the problem can be triggered
without a script (the way shell shock executed user code before even
starting to parse a script), then you can't exploit the problem to gain
any more access to the system than you already have by being able to run
a script in the first place.

Fix your script to not do stupid things, like trying an insanely-large
brace expansion, or trying an 'eval' (or similar) on untrusted user
input. But don't call it a bash security hole that bash allows you to
write stupid scripts.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]