[7995] in bugtraq
Re: BASH buffer overflow, LiNUX x86 exploit
daemon@ATHENA.MIT.EDU (J. Joseph Max Katz)
Sun Sep 20 13:05:53 1998
Date: Sat, 19 Sep 1998 22:48:46 -0700
Reply-To: "J. Joseph Max Katz" <jkatz@CPIO.NET>
From: "J. Joseph Max Katz" <jkatz@CPIO.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <360464ED.4129DC12@cse.ogi.edu>
Hmmmmmm, locate.
Long filenames affect locate on all platforms. One of the places
where I contract uses locate regularly on SunOS, AIX, Solaris and
HP/UX. On most if not all of those platforms, locate seg faults
on large file names.
-Jon
me ---> () () <-- Gale
[ASCII-art of the '58 Corvette] So what? ASCII can't do my car justice.
Jonathan Katz, CEO CPIO Networks, Inc.
(408) 569-7092 [ ] jkatz@cpio.net
http://www.cpio.net [ ] "offering OpenBSD technical support, on-site Unix and network security services and training."
On Sat, 19 Sep 1998, Crispin Cowan wrote:
:Date: Sat, 19 Sep 1998 19:14:06 -0700
:From: Crispin Cowan <crispin@CSE.OGI.EDU>
:To: BUGTRAQ@NETSPACE.ORG
:Subject: Re: BASH buffer overflow, LiNUX x86 exploit
:
:While experimenting with MiG's exploit, I've discovered another ramification of this form of
:vulnerability: the locate facility. If you leave the huge directory tree that this exploit
:builds lying around overnight, and you have locate installed in your crontab (default in Red
:Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
:Result: if root uses locate to find something (very common while sysadmin is trying to
:fix/find something) then the attacker may get root privs via the locate command.
:
:Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed,
:but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but
:cd'ing to it as instructed just produces a seg fault.
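Added example, not code from this thread or from any locate implementation: a hypothetical pre-updatedb audit a sysadmin could run from cron before the nightly database build, to find the long pathnames the posts above describe before locate ever indexes them. It assumes Linux's PATH_MAX of 4096 as the hard ceiling and builds its own constructed sample tree; directories the kernel itself refuses to open (ENAMETOOLONG) are reported as findings instead of being silently skipped by os.walk.

```python
"""Pre-updatedb audit: find pathnames long enough to trip a fixed-buffer locate.
Hypothetical helper written for this thread; not part of any locate package."""
import errno
import os
import tempfile
from dataclasses import dataclass, field

LINUX_PATH_MAX = 4096  # assumption: Linux PATH_MAX; a given locate build may crash well below this


@dataclass
class AuditResult:
    longest: int = 0                                  # longest pathname seen, in bytes
    deepest: int = 0                                  # deepest directory level below root
    over_limit: list = field(default_factory=list)    # pathnames longer than `limit`
    unwalkable: list = field(default_factory=list)    # dirs the kernel refused (ENAMETOOLONG)


def audit_tree(root, limit=1024):
    """Walk `root` and record every pathname longer than `limit` bytes.
    os.walk drops directories it cannot open unless onerror is given, so a tree
    already past PATH_MAX would otherwise be a blind spot; here it is a finding."""
    result = AuditResult()
    root_depth = root.rstrip(os.sep).count(os.sep)

    def on_error(exc):
        if getattr(exc, "errno", None) == errno.ENAMETOOLONG:
            result.unwalkable.append(exc.filename)
        # EACCES and friends are outside the scope of this check

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        result.deepest = max(result.deepest, dirpath.count(os.sep) - root_depth)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            n = len(os.fsencode(path))  # count bytes: that is what a C path buffer holds
            result.longest = max(result.longest, n)
            if n > limit:
                result.over_limit.append(path)
    return result


def build_sample_tree(levels=6, name_len=100):
    """Constructed sample: a few nested dirs with long names under a temp dir,
    shaped like the tree the posts describe. Returns the root path."""
    root = tempfile.mkdtemp(prefix="locate-audit-")
    leaf = os.path.join(root, *(["d" * name_len] * levels))
    os.makedirs(leaf)
    open(os.path.join(leaf, "file"), "w").close()
    return root


if __name__ == "__main__":
    r = audit_tree(build_sample_tree(), limit=400)
    print(f"longest={r.longest} deepest={r.deepest} "
          f"over_limit={len(r.over_limit)} unwalkable={len(r.unwalkable)}")
```

Run it against the filesystem roots updatedb indexes (for example `/home` and `/tmp`) with `limit` set to whatever your locate build is known to tolerate; a non-empty `over_limit` or `unwalkable` list is the cue to clean up before the cron job runs.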