| From | Eric Blake <eblake@redhat.com> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: Integer Overflow in braces |
| Date | Mon, 17 Aug 2015 16:15:50 -0700 |
| Organization | Red Hat, Inc. |
| Message-ID | <mailman.8509.1439896680.904.bug-bash@gnu.org> |
| References | <CABq52TYThGj9OtBn3xTti5scmA=WdnS7ULw3G6GMayPK6WR0+w@mail.gmail.com> <20150817122026.GT4309@eeg.ccf.org> <CABq52TbKZCK8ci5ra_N4pfVB3jXGCdf-ZCG=k35c+_fVehfzFg@mail.gmail.com> |
| In-Reply-To | <CABq52TbKZCK8ci5ra_N4pfVB3jXGCdf-ZCG=k35c+_fVehfzFg@mail.gmail.com> |
| To | Pasha K <pashakravtsov@gmail.com>, Greg Wooledge <wooledg@eeg.ccf.org> |
| Cc | "bug-bash@gnu.org" <bug-bash@gnu.org> |
On 08/17/2015 09:58 AM, Pasha K wrote:
> Hey Greg,
>
> I wasn't particularly trying to actually generate that large amount of
> strings in memory, I was purposely trying to overflow the integer variable
> "nelem" hoping to get Code Execution. This could potentially be a security
> risk as shell shock was just more of a denial of service rather than
> straight up code execution. However, just because I wasn't able to gain
> control of the registers doesn't mean someone else with more skill can't.

This is not a security risk. Shell shock was a security hole because the
shell could be coerced into executing user-supplied code WITHOUT a way for
a script to intervene.

Any poorly-written shell script can do stupid things, including crashing
bash because it overflows the heap by trying to allocate memory for such a
stupidly large expansion. But unless the problem can be triggered without
a script (the way shell shock executed user code before even starting to
parse a script), then you can't exploit the problem to gain any more
access to the system than you already have by being able to run a script
in the first place.

Fix your script to not do stupid things, like trying an insanely-large
brace expansion, or trying an 'eval' (or similar) on untrusted user input.
But don't call it a bash security hole that bash allows you to write
stupid scripts.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
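The advice above, to keep untrusted values out of huge brace expansions and `eval`, can be enforced in a script with a guard like the following. This is an added example, not code from the thread or from bash; the function names `is_small_int` and `bounded_range` and the `MAX_ELEMS` limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate untrusted range bounds instead of feeding them to
# brace expansion. Replaces the risky pattern  eval "echo {$lo..$hi}".
# MAX_ELEMS is an assumed policy limit, not a bash setting.
MAX_ELEMS=${MAX_ELEMS:-10000}

# Succeeds only for a plain decimal integer of at most 9 digits, so every
# later $(( )) result fits even in 32-bit shell arithmetic.
is_small_int() {
    case $1 in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;  # empty, lone '-', junk, stray '-'
    esac
    _n=${1#-}
    case $_n in
        0?*) return 1 ;;                  # leading zero would parse as octal
    esac
    [ "${#_n}" -le 9 ]
}

# Print START..END one per line (ascending or descending).
# Status 2: malformed bound. Status 3: too many elements.
bounded_range() (
    start=$1 end=$2
    if ! is_small_int "$start" || ! is_small_int "$end"; then
        echo "bounded_range: bounds must be plain decimal integers" >&2
        return 2
    fi
    if [ "$start" -le "$end" ]; then
        step=1;  count=$(( end - start + 1 ))
    else
        step=-1; count=$(( start - end + 1 ))
    fi
    if [ "$count" -gt "$MAX_ELEMS" ]; then
        echo "bounded_range: $count elements exceeds limit $MAX_ELEMS" >&2
        return 3
    fi
    i=$start
    while :; do
        printf '%s\n' "$i"
        [ "$i" -eq "$end" ] && break
        i=$(( i + step ))
    done
)

# Constructed inputs: a sane range, then one shaped like the overflow attempt.
bounded_range 1 3
bounded_range 1 9223372036854775807 || echo "rejected with status $?"
```

Because the bounds are checked as strings before any arithmetic, an oversized or non-numeric value is refused before the shell allocates anything for it.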