[2314] in bugtraq
csh denial of service attack
daemon@ATHENA.MIT.EDU (Casper)
Sat Oct 28 22:49:14 1995
Date: Thu, 26 Oct 1995 09:59:50 +0100
Reply-To: Paul.Schenk@cern.ch
From: Casper <pschenk@hpopb1.cern.ch>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
I know this is probably a bit lame, but I thought you might all be amused
by it. It would be possible to bring your machine to its knees doing this.
This works on SGI challenge XL machines running IRIX 5.3 and HP9000/700
machines running HPUX 9.X. On an HP K series running 10.X it seems to be
fixed.
For some reason the C shell does name globbing in a very strange way.
This is not the case for sh, ksh and tcsh. A few stars in the string will
make csh loop for a very long time (over 24 hours on a challenge XL),
with only kill -9 able to stop it (that is at least documented in the csh
man page).
Here's the example:
|I /bin/ksh
:-M ***********8
/bin/ksh: ***********8: not found
|I /bin/sh
$ ************8
************8: not found
|I /bin/csh
nodename : **************8
<now there is a csh taking close to 100% of the cpu>
So just start a few of these and your loadlevel will go through the
roof. The '8' at the end can be any character. csh handles the '******'
case without a trailing character correctly. It makes no difference if
the string matches a file or not, just that there is a trailing character.
Ciao,
Casper
Paul Schenk | University of California, Riverside
Paul.Schenk@cern.ch | CERN PPE / OPAL
PGP public key available by arrangement
"Verbing weirds language" - Calvin
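
The post does not say why csh loops. The C program below is an added example, not part of the original post and not csh source: it assumes the cause is a recursive matcher that backtracks at every '*', and compares it with a matcher that keeps a single resume point. The names glob_naive, glob_bounded and cost are hypothetical, and the file name is constructed.

```c
/* Added illustration, not csh source: only '*' and literal characters. */
#include <stdio.h>
static unsigned long steps;   /* work counter shared by both matchers */
/* Naive matcher: each '*' tries every split point and recurses, so k stars
 * followed by a character that never matches cost at least C(n+k, k) calls. */
static int glob_naive(const char *p, const char *s)
{
    steps++;
    if (*p == '\0') return *s == '\0';
    if (*p == '*') {
        do {
            if (glob_naive(p + 1, s)) return 1;
        } while (*s++);
        return 0;
    }
    return *p == *s && glob_naive(p + 1, s + 1);
}

/* Bounded matcher: keeps only the latest '*' as a resume point. */
static int glob_bounded(const char *p, const char *s)
{
    const char *star = NULL, *resume = NULL;
    while (*s) {
        steps++;
        if (*p == '*') { star = p++; resume = s; }
        else if (*p == *s) { p++; s++; }
        else if (star) { p = star + 1; s = ++resume; }
        else return 0;
    }
    while (*p == '*') p++;
    return *p == '\0';
}
/* Run one matcher and return how many steps it took. */
static unsigned long cost(int (*match)(const char *, const char *),
                          const char *p, const char *s, int *matched)
{
    steps = 0;
    *matched = match(p, s);
    return steps;
}

int main(void)
{
    int m;   /* the name below is a constructed 12-character file name */
    unsigned long n = cost(glob_naive, "********8", "aaaaaaaaaaaa", &m);
    unsigned long b = cost(glob_bounded, "********8", "aaaaaaaaaaaa", &m);
    printf("naive=%lu bounded=%lu match=%d\n", n, b, m);
    return 0;
}
```

Under that assumption the naive matcher stays cheap for an all-star pattern, because the last '*' succeeds at the end of the name, which is consistent with the post's remark that only a trailing character triggers the loop.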