Re: Malicious translation file can cause buffer overflow
From: Mike Frysinger
Subject: Re: Malicious translation file can cause buffer overflow
Date: Tue, 19 May 2015 07:16:58 -0400
On 01 May 2015 01:13, Pádraig Brady wrote:
> On 30/04/15 23:08, Trammell Hudson wrote:
> > Description:
> > The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> > in jobs.c are copied to a static allocated buffer. A user could set the
> > LANGUAGE variable to point to a malicious translation file that has
> > translations that are longer than 64-bytes for these strings to create
> > a buffer overflow.
> >
> > Since LANGUAGE is passed unchanged by sudo this might be usable for
> > privilege escalation.
> >
> >
> > Repeat-By:
> > Create a .po file with a bogus translation:
> >
> > #: jobs.c:1464 jobs.c:1489
> > msgid "Done"
> > msgstr "Klaar
> > 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
> >
> > And start an interactive shell that puts a command into the background:
> >
> > LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
> > $ sleep 1 &
> > [1] 14464
> > $ sleep 2
> > [1]+ Klaar
> > 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
> >
> > sleep 1
>
> How does one override the system translation?
> I thought gettext only looks in the dir passed to bindtextdomain() ?
but it uses $LANGUAGE in there
$ LANGUAGE=/../../../../../foo/ strace -e file bash --noprofile -norc -c 'echo $"hi"' |& grep foo
open("/usr/share/locale///../../../../../foo//LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale///.foo/LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack//../../../../../foo//LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack//.foo/LC_MESSAGES/im-config.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
-mike
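The thread makes two points: a translated message is copied into a fixed 64-byte static buffer without a length check, and the translation itself comes from whatever .mo file $LANGUAGE steers gettext to, including paths outside the locale directory. The following C example is added here as an illustration and is not bash's code or a patch from this thread. It shows the hardened counterpart of the "format the translation straight into a static buffer" pattern: a constructed stand-in for gettext() (the translation table is made up), a check that a translation's printf directives match the original msgid before it is ever used as a format string, a bounded snprintf that reports truncation instead of overflowing, and a sanity check for a $LANGUAGE value that rejects path components such as the "/../../foo" traversal seen in the strace output. The buffer size, the function names and the translation table are all assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Mirrors the 64-byte static buffer described in the report. The size is an
 * assumption for illustration, not a declaration taken from bash. */
#define STATUS_BUF_LEN 64

/* Constructed stand-in for gettext(). In a real program these strings come
 * from the .mo file selected via $LANGUAGE, so treat them as untrusted data. */
static const char *lookup_translation(const char *msgid)
{
    static const char *const table[][2] = {
        { "Done",     "Klaar" },
        { "Done(%d)", "Klaar(%d)" },
        { "Exit %d",  "Afgesloten %s" },   /* deliberately mismatched directive */
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i][0], msgid) == 0)
            return table[i][1];
    return msgid;                           /* untranslated fallback */
}

/* Collect the printf conversion letters of fmt ("%d" -> 'd'), ignoring "%%".
 * Simplified: flags, width and precision are skipped, and a length modifier
 * letter (l, h, z) is recorded in place of the conversion that follows it.
 * That is enough to compare a msgid against its translation consistently.
 * Returns the number of directives, or -1 on a dangling '%' or overflow. */
static int conversion_letters(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal percent sign */
        while (*p && !isalpha((unsigned char)*p))
            p++;                            /* skip flags, width, '.', digits */
        if (!*p || n + 1 >= outlen)
            return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* A translation may be used as a format string only if its conversion
 * directives are exactly those of the original msgid. */
static int translation_format_matches(const char *msgid, const char *translated)
{
    char a[16], b[16];
    int na = conversion_letters(msgid, a, sizeof a);
    int nb = conversion_letters(translated, b, sizeof b);
    return na >= 0 && nb >= 0 && strcmp(a, b) == 0;
}

/* Hardened replacement for "sprintf(static_buf, _("Done(%d)"), status)".
 * Return value is a bit mask: 1 = output was truncated to fit buflen,
 * 2 = translation rejected and the untranslated msgid used instead. */
static int format_status(char *buf, size_t buflen, const char *msgid, int code)
{
    const char *fmt = lookup_translation(msgid);
    int rc = 0;
    if (!translation_format_matches(msgid, fmt)) {
        fmt = msgid;
        rc |= 2;
    }
    int n = snprintf(buf, buflen, fmt, code);   /* fmt validated above */
    if (n < 0 || (size_t)n >= buflen)
        rc |= 1;
    return rc;
}

/* Accept $LANGUAGE only as a colon-separated list of plain locale names
 * such as "nl_NL.utf8:nl". A '/' or an empty component is rejected, which
 * covers the "/../../foo" style value shown in the strace output. */
static int language_value_is_sane(const char *v)
{
    if (!v || !*v)
        return 0;
    size_t comp_len = 0;
    for (; *v; v++) {
        if (*v == ':') {
            if (comp_len == 0)
                return 0;
            comp_len = 0;
            continue;
        }
        if (!(isalnum((unsigned char)*v) || *v == '_' || *v == '.' ||
              *v == '@' || *v == '-'))
            return 0;
        comp_len++;
    }
    return comp_len > 0;
}

int main(void)
{
    char buf[STATUS_BUF_LEN];
    int rc = format_status(buf, sizeof buf, "Done(%d)", 5);
    printf("rc=%d msg=\"%s\"\n", rc, buf);
    rc = format_status(buf, sizeof buf, "Exit %d", 3);
    printf("rc=%d msg=\"%s\"\n", rc, buf);
    printf("LANGUAGE=nl.utf8 sane: %d\n", language_value_is_sane("nl.utf8"));
    printf("LANGUAGE=/../../../../../foo/ sane: %d\n",
           language_value_is_sane("/../../../../../foo/"));
    return 0;
}
```

The two checks are independent: even with a sane $LANGUAGE, a translation file installed in the normal locale directory can still be wrong, so the bounded copy and the directive comparison are what actually prevent the overflow; the $LANGUAGE check is the extra belt for programs that inherit the environment across a privilege boundary, as the report notes sudo does.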