From: Eric Blake
Newsgroups: gnu.bash.bug
Subject: Re: Integer Overflow in braces
Date: Mon, 17 Aug 2015 16:15:50 -0700
Organization: Red Hat, Inc.
References: <20150817122026.GT4309@eeg.ccf.org>
To: Pasha K, Greg Wooledge
Cc: bug-bash@gnu.org

On 08/17/2015 09:58 AM, Pasha K wrote:
> Hey Greg,
>
> I wasn't particularly trying to actually generate that large amount of
> strings in memory, I was purposely trying to overflow the integer variable
> "nelem" hoping to get Code Execution. This could potentially be a security
> risk as shell shock was just more of a denial of service rather than
> straight up code execution. However, just because I wasn't able to gain
> control of the registers doesn't mean someone else with more skill can't.

This is not a security risk. Shell shock was a security hole because the
shell could be coerced into executing user-supplied code WITHOUT a way for
a script to intervene. Any poorly-written shell script can do stupid
things, including crashing bash because it overflows the heap by trying to
allocate memory for such a stupidly large expansion. But unless the
problem can be triggered without a script (the way shell shock executed
user code before even starting to parse a script), then you can't exploit
the problem to gain any more access to the system than you already have by
being able to run a script in the first place.

Fix your script to not do stupid things, like trying an insanely-large
brace expansion, or trying an 'eval' (or similar) on untrusted user input.
But don't call it a bash security hole that bash allows you to write
stupid scripts.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
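As an added illustration of the fix the reply prescribes (validate a user-supplied count and build the list with a loop instead of eval'ing it into a brace expansion), not code from the thread; the function names validate_count and make_list and the bound of 1000 are assumptions chosen for the example:

```shell
#!/bin/sh
# Unsafe pattern the reply warns against: the untrusted value is spliced
# into shell syntax, so "1..10}{1" or a huge number becomes part of the
# expansion itself.  Shown only as a comment, never executed here:
#   eval "echo {1..$1}"

# validate_count: accept only a plain decimal integer in 1..1000.
# Rejecting non-digits first means '..', '}', '-' and '$' never reach
# the arithmetic test; the length cap keeps that test itself far from
# any integer-width limit (the "nelem" overflow the thread discusses).
validate_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 6 ] || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 1000 ]
}

# make_list: print "1 2 ... N" for a validated N using a loop, so the
# untrusted value is only ever compared, never re-parsed as shell text.
make_list() {
  validate_count "$1" || return 1
  i=1
  out=""
  while [ "$i" -le "$1" ]; do
    out="${out}${out:+ }$i"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}
```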