[7993] in bugtraq
Re: BASH buffer overflow, LiNUX x86 exploit
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Sun Sep 20 01:37:13 1998
Date: Sat, 19 Sep 1998 19:14:06 -0700
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To: MiG <mig@zeus.polsl.gliwice.pl>
To: BUGTRAQ@NETSPACE.ORG
While experimentin with MiG's exploit, I've discovered another ramification of this form of
vulnerability: the locate facility. If you leave the huge directory tree that this exploit
builds lying around over night, and you have locate installed in your crontab (default in Red
Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
Result: if root uses locate to find something (very common while sysadmin is trying to
fix/find something) then the attacker may get root privs via the locate command.
Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed,
but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but
cd'ing to it as instructed just produces a seg fault.
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
