Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #11362
| Path | csiph.com!optima2.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Dan Douglas <ormaaj@gmail.com> |
| Newsgroups | gnu.bash.bug |
| Subject | Re: Integer Overflow in braces |
| Date | Tue, 18 Aug 2015 07:54:48 -0500 |
| Lines | 61 |
| Approved | bug-bash@gnu.org |
| Message-ID | <mailman.8513.1439902519.904.bug-bash@gnu.org> (permalink) |
| References | <CABq52TYThGj9OtBn3xTti5scmA=WdnS7ULw3G6GMayPK6WR0+w@mail.gmail.com> <CABq52TbKZCK8ci5ra_N4pfVB3jXGCdf-ZCG=k35c+_fVehfzFg@mail.gmail.com> <55D26B26.2060008@redhat.com> |
| NNTP-Posting-Host | lists.gnu.org |
| Mime-Version | 1.0 |
| Content-Type | multipart/signed; boundary="nextPart3429148.enCA8otJpH"; micalg="pgp-sha1"; protocol="application/pgp-signature" |
| X-Trace | usenet.stanford.edu 1439902520 9386 208.118.235.17 (18 Aug 2015 12:55:20 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | Greg Wooledge <wooledg@eeg.ccf.org>, Eric Blake <eblake@redhat.com>, Pasha K <pashakravtsov@gmail.com> |
| To | bug-bash@gnu.org |
| Envelope-to | bug-bash@gnu.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:user-agent:in-reply-to :references:mime-version:content-type; bh=sOfWbN1w8986LOO3e70qKBGWF8Gc+CJX3Jg1665Xj+s=; b=LAYsAMGr9OEIOxEtIzLc3JGiXiPP9VrVRfQhw5NWLfhhuYYMhEWW3XXFn9Lc7ahsbk HQBo73hu0Gg3q02mViEzfZ1KHbsWikKIy4YO6fqYvkjljcBSp0Cv3LH1hOvMB1xqPNSD rEs2ln9y2Vn3nhag8g2Wx/z76OcAVfqjaXrfes4wUK1uXVgrFPad0BSNQZhuLyLHQDpk AJEejSq1d2AbNluP9ACoHZ1/8pK+tB6MvNAO2drYOuLA/mvbkja3MkF75AKbjWvGqAuV 8EBAhYmA3xHdc+uX1RFZnWllOfTeor3GAAB7bXBIq4eNoyAwnfQGlv/YQqcE8qjWsDm+ f4Ig== |
| X-Received | by 10.107.154.13 with SMTP id c13mr6696054ioe.104.1439902508822; Tue, 18 Aug 2015 05:55:08 -0700 (PDT) |
| User-Agent | KMail/5.0.41 alpha1 (Linux/4.2.0-rc7; KDE/5.14.0; x86_64; ; ) |
| In-Reply-To | <55D26B26.2060008@redhat.com> |
| X-detected-operating-system | by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). |
| X-Received-From | 2607:f8b0:4001:c06::22d |
| X-BeenThere | bug-bash@gnu.org |
| X-Mailman-Version | 2.1.14 |
| Precedence | list |
| List-Id | Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org> |
| List-Unsubscribe | <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe> |
| List-Archive | <http://lists.gnu.org/archive/html/bug-bash> |
| List-Post | <mailto:bug-bash@gnu.org> |
| List-Help | <mailto:bug-bash-request@gnu.org?subject=help> |
| List-Subscribe | <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe> |
| Xref | csiph.com gnu.bash.bug:11362 |
Show key headers only | View raw
[Multipart message — attachments visible in raw view] - view raw
On Monday, August 17, 2015 04:15:50 PM Eric Blake wrote:
> On 08/17/2015 09:58 AM, Pasha K wrote:
> > Hey Greg,
> >
> > I wasn't particularly trying to actually generate that large amount of
> > strings in memory, I wa purposely trying to overflow the integer variable
> > "nelem"hoping to get Code Execution. This could potentially be a security
> > risk as shell shock was just more of a denial of service rather than
> > straight up code execution. However, just because I wasn't able to gain
> > control of the registers doesn't mean someone else with more skill can't.
>
> This is not a security risk.
>
> Shell shock was a security hole because the shell could be coerced into
> executing user-supplied code WITHOUT a way for a script to intervene.
>
> Any poorly-written shell script can do stupid things, including crashing
> bash because it overflows the heap by trying to allocate memory for such
> a stupidly large expansion. But unless the problem can be triggered
> without a script (the way shell shock executed user code before even
> starting to parse a script), then you can't exploit the problem to gain
> any more access to the system than you already have by being able to run
> a script in the first place.
>
> Fix your script to not do stupid things, like trying an insanely-large
> brace expansion, or trying an 'eval' (or similar) on untrusted user
> input. But don't call it a bash security hole that bash allows you to
> write stupid scripts.
>
>
IMHO the issue of whether the integer is allowed to overflow is separate from
the question of whether the resulting expansion is "too big". Code that does
an `eval "blah{0..$n}"` is reasonably common and not necessarily stupid.
--
Dan Douglas
Back to gnu.bash.bug | Previous | Next | Find similar
Re: Integer Overflow in braces Dan Douglas <ormaaj@gmail.com> - 2015-08-18 07:54 -0500
csiph-web