[10605] in bugtraq
Re: tcsh overflow
daemon@ATHENA.MIT.EDU (Philip Rowlands)
Sun May 23 13:41:26 1999
Message-Id: <37459FDF.7874F522@doc.ic.ac.uk>
Date: Fri, 21 May 1999 19:03:11 +0100
Reply-To: phr@DOC.IC.AC.UK
From: Philip Rowlands <phr@DOC.IC.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
arkth wrote:
>
> While a few days ago there was discussion about the bash overflow on bugtraq, I
> found another overflow in tcsh-6.07.09-1 [ rh 5.2 ].
> The problem is in a too long $HOME environment variable [ very old thing -
> zgv overflow ]. I don't know if it's a dangerous problem, but like someone
> said this shell can be used in some kind of script with SUID, etc.
>
From the tcsh changelog:
93. V6.07.12 - 19980918
90. Avoid buffer overflows in directory code (kim)
Looks like the fault you found was fixed in 6.07.12.
However, I tried the "exploit" given using tcsh 6.08.04, and found that
tcsh still crashes, but this time with a SIGABRT rather than SIGSEGV.
Checking in the source shows:
    /*
     * kim: if the path given is too long abort().
     */
    if (Strlen(cp) >= MAXPATHLEN)
        abort();
i.e. this behaviour is hard-coded in deliberately.
This is the stacktrace from GDB:
(gdb) bt
#0 0x40097781 in __kill ()
#1 0x400975af in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2 0x400987bf in abort () at ../sysdeps/generic/abort.c:83
#3 0x804db5b in dcanon (cp=0x80aa808, p=0x80aa808) at sh.dir.c:829
#4 0x80553f5 in dosetenv (v=0x80b2a08, c=0x80b3fc8) at sh.func.c:1402
#5 0x8053c3e in func (t=0x80b3fc8, bp=0x80815d0) at sh.func.c:141
#6 0x805f677 in execute (t=0x80b3fc8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:642
#7 0x805f831 in execute (t=0x80b3fa8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:719
#8 0x804c1ac in process (catch=1) at sh.c:2094
#9 0x804b440 in main (argc=0, argv=0xbffff568) at sh.c:1312
Phil
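An added example, not tcsh's code and not part of the original post: the quoted check turns the old $HOME overflow into a deliberate SIGABRT, which is memory-safe but still kills the shell; the variant below refuses an overlong value and lets the builtin keep running. MAXPATHLEN's value and every function name here are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXPATHLEN 1024   /* assumed value; tcsh takes it from the system headers */

/* Graceful counterpart of tcsh's `if (Strlen(cp) >= MAXPATHLEN) abort();`:
 * refuse the value instead of killing the shell.  Returns 0 on success,
 * -1 if `src` plus its NUL does not fit in a MAXPATHLEN-byte buffer. */
int copy_path_checked(char *dest, const char *src)
{
    size_t n = strlen(src);
    if (n >= MAXPATHLEN) {
        dest[0] = '\0';           /* leave the buffer in a defined state */
        return -1;
    }
    memcpy(dest, src, n + 1);     /* n < MAXPATHLEN, so the NUL fits too */
    return 0;
}

/* What a setenv-style builtin could do with a candidate $HOME: accept it
 * into `home_buf` (return 1), or diagnose and keep running (return 0). */
int set_home_checked(const char *value, char *home_buf)
{
    if (value == NULL || copy_path_checked(home_buf, value) != 0) {
        fprintf(stderr, "setenv: HOME longer than %d bytes, ignored\n",
                MAXPATHLEN - 1);
        return 0;
    }
    return 1;
}

/* Constructed input: a $HOME of `len` 'A' characters, the shape of the
 * "too long $HOME" case in the report.  Returns set_home_checked's verdict. */
int accepts_home_of_length(size_t len)
{
    static char home[MAXPATHLEN];
    char *val = malloc(len + 1);
    int ok;
    if (val == NULL)
        return 0;
    memset(val, 'A', len);
    val[len] = '\0';
    ok = set_home_checked(val, home);
    free(val);
    return ok;
}
```

accepts_home_of_length(MAXPATHLEN - 1) returns 1 (the longest value that still fits) and accepts_home_of_length(MAXPATHLEN) returns 0 with a diagnostic on stderr, where the quoted tcsh check would have aborted.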