bug-bash

Re: Potential vulnerabilities in BASH 4.3


From: Mike Frysinger
Subject: Re: Potential vulnerabilities in BASH 4.3
Date: Mon, 11 Aug 2014 21:10:54 -0400
User-agent: KMail/4.13.3 (Linux/3.14.2; KDE/4.13.3; x86_64; ; )

On Mon 11 Aug 2014 21:07:06 Hádrian R wrote:
> Hi, I'm Hádrien Romero Soria - @Kaiwaiata, I am a 16-year-old boy,
> passionate about computer security; after more than 8h of searching I have
> found various possible vulnerabilities in the source code of bash..
> I will tell you one vulnerability now; if they treat me well I will tell
> the other..
> 
> foolish or important things?
> 
> unsafe use of *strcpy():*
> 
> bash-4.3.tar\bash-4.3\lib\sh\unicode.c:
> *line 87: *strcpy (charsetbuf, locale);
> 
> *#* if an attacker manages to take control of *charsetbuf[40];*, it may cause
> a buffer overflow, which would be directed toward *.bss*; it's not too
> dangerous but is a vulnerability.

depending on the build system, yes, you can trigger a buffer overflow here.
all you have to do is set LC_CTYPE to a long string.  like so:
$ bash -c "LC_CTYPE='$(printf %100sf)' printf '\U8f7f7f20'"
bash: warning: setlocale: LC_CTYPE: cannot change locale (                                                                                                   f): No such file or directory
*** buffer overflow detected ***: bash terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x759fb)[0x7f26630e59fb]
/lib64/libc.so.6(__fortify_fail+0x47)[0x7f266316fde7]
/lib64/libc.so.6(+0xfdcd0)[0x7f266316dcd0]
bash[0x47e3ec]
bash[0x46e1bd]
bash[0x46eec1]
bash[0x41c28e]
bash[0x41e454]
bash[0x41f526]
bash[0x461f24]
bash[0x4098c4]
bash[0x408786]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f2663090050]
bash[0x40947b]
======= Memory map: ========
00400000-004ae000 r-xp 00000000 08:32 1311338                            /bin/bash
006ad000-006ae000 r--p 000ad000 08:32 1311338                            /bin/bash
006ae000-006b2000 rw-p 000ae000 08:32 1311338                            /bin/bash
006b2000-006bc000 rw-p 00000000 00:00 0 
01e34000-01e55000 rw-p 00000000 00:00 0                                  [heap]
7f2662a8d000-7f2662aa3000 r-xp 00000000 08:32 1864333                    /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662aa3000-7f2662ca2000 ---p 00016000 08:32 1864333                    /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca2000-7f2662ca3000 r--p 00015000 08:32 1864333                    /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca3000-7f2662ca4000 rw-p 00016000 08:32 1864333                    /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca4000-7f2663070000 r--p 00000000 08:32 6705881                    /usr/lib64/locale/locale-archive
7f2663070000-7f2663215000 r-xp 00000000 08:32 4459482                    /lib64/libc-2.19.so
7f2663215000-7f2663415000 ---p 001a5000 08:32 4459482                    /lib64/libc-2.19.so
7f2663415000-7f2663419000 r--p 001a5000 08:32 4459482                    /lib64/libc-2.19.so
7f2663419000-7f266341b000 rw-p 001a9000 08:32 4459482                    /lib64/libc-2.19.so
7f266341b000-7f266341f000 rw-p 00000000 00:00 0 
7f266341f000-7f266346e000 r-xp 00000000 08:32 4460698                    /lib64/libncurses.so.5.9
7f266346e000-7f266366e000 ---p 0004f000 08:32 4460698                    /lib64/libncurses.so.5.9
7f266366e000-7f2663672000 r--p 0004f000 08:32 4460698                    /lib64/libncurses.so.5.9
7f2663672000-7f2663673000 rw-p 00053000 08:32 4460698                    /lib64/libncurses.so.5.9
7f2663673000-7f2663674000 rw-p 00000000 00:00 0 
7f2663674000-7f266367c000 r-xp 00000000 08:32 4458169                    /lib64/libhistory.so.6.3
7f266367c000-7f266387c000 ---p 00008000 08:32 4458169                    /lib64/libhistory.so.6.3
7f266387c000-7f266387d000 r--p 00008000 08:32 4458169                    /lib64/libhistory.so.6.3
7f266387d000-7f266387e000 rw-p 00009000 08:32 4458169                    /lib64/libhistory.so.6.3
7f266387e000-7f26638bf000 r-xp 00000000 08:32 4458167                    /lib64/libreadline.so.6.3
7f26638bf000-7f2663abf000 ---p 00041000 08:32 4458167                    /lib64/libreadline.so.6.3
7f2663abf000-7f2663ac1000 r--p 00041000 08:32 4458167                    /lib64/libreadline.so.6.3
7f2663ac1000-7f2663ac7000 rw-p 00043000 08:32 4458167                    /lib64/libreadline.so.6.3
7f2663ac7000-7f2663ac9000 rw-p 00000000 00:00 0 
7f2663ac9000-7f2663aeb000 r-xp 00000000 08:32 4459479                    /lib64/ld-2.19.so
7f2663c72000-7f2663c76000 rw-p 00000000 00:00 0 
7f2663ce0000-7f2663ce2000 rw-p 00000000 00:00 0 
7f2663ce2000-7f2663ce9000 r--s 00000000 08:32 6705883                    /usr/lib64/gconv/gconv-modules.cache
7f2663ce9000-7f2663cea000 rw-p 00000000 00:00 0 
7f2663cea000-7f2663ceb000 r--p 00021000 08:32 4459479                    /lib64/ld-2.19.so
7f2663ceb000-7f2663cec000 rw-p 00022000 08:32 4459479                    /lib64/ld-2.19.so
7f2663cec000-7f2663ced000 rw-p 00000000 00:00 0 
7fff04d0e000-7fff04d30000 rw-p 00000000 00:00 0                          [stack]
7fff04dff000-7fff04e00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
-mike
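The defect under discussion is an unbounded strcpy of a locale string into a fixed global charsetbuf[40]; on a fortified build the overrun is what produces the "buffer overflow detected" abort in the trace above. The following is an added example, not bash's own unicode.c, written to show that copy pattern beside a bounded replacement: a simplified charset-from-locale routine in two versions. The function names, the ASCII fallback, the @-modifier stripping and the caller-supplied output buffer are illustrative assumptions; only the 40-byte buffer size and the strcpy pattern come from the thread.

```c
/* Added example, not bash's code: the fixed-buffer copy pattern named in the
 * report (strcpy into a global charsetbuf[40]) beside a bounded version.
 * Function names, the ASCII fallback and the @-modifier handling are
 * illustrative assumptions, not bash's behaviour. */
#include <stdio.h>
#include <string.h>

#define CHARSETBUF_LEN 40          /* the charsetbuf[40] size from the report */

static char charsetbuf[CHARSETBUF_LEN];

/* Vulnerable pattern: the charset part of a locale name is copied with no
 * length check, so a locale string of 40 or more bytes after the dot runs
 * past charsetbuf into whatever follows it in .bss.  A build with
 * _FORTIFY_SOURCE turns the overrun into an abort like the one in the thread;
 * an unfortified build silently corrupts neighbouring globals. */
char *charset_from_locale_unsafe(const char *locale)
{
    const char *dot = strrchr(locale, '.');
    strcpy(charsetbuf, dot ? dot + 1 : locale);   /* unbounded copy */
    return charsetbuf;
}

/* Hardened version: the caller supplies the buffer and its size, the copy is
 * bounded, the result is always NUL-terminated, and an over-long name is
 * refused (rc -1 with a safe "ASCII" fallback) rather than truncated into a
 * charset name that never existed. */
int charset_from_locale_safe(const char *locale, char *out, size_t outlen)
{
    const char *src = locale ? locale : "";
    const char *dot = strrchr(src, '.');
    size_t n;

    if (outlen == 0)
        return -1;
    if (dot)
        src = dot + 1;
    if (*src == '\0')
        src = "ASCII";                     /* no usable charset: assume ASCII */
    n = strcspn(src, "@");                 /* drop any @modifier suffix */
    if (n >= outlen) {                     /* would not fit with its NUL */
        snprintf(out, outlen, "%s", "ASCII");
        return -1;
    }
    memcpy(out, src, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[CHARSETBUF_LEN];
    char longloc[200];

    memset(longloc, 'A', sizeof longloc - 1);   /* constructed over-long locale */
    longloc[sizeof longloc - 1] = '\0';

    charset_from_locale_safe("en_US.UTF-8", buf, sizeof buf);
    printf("en_US.UTF-8 -> %s\n", buf);
    printf("200-byte locale -> rc=%d, buf=%s\n",
           charset_from_locale_safe(longloc, buf, sizeof buf), buf);
    return 0;
}
```

The design point is that the bound belongs to the destination, not the source: the safe version never writes more than outlen bytes no matter what LC_CTYPE holds, and the boundary case (a name of exactly outlen - 1 bytes) still fits because the check counts the terminating NUL.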
