Vigil@nce - bash: buffer overflow via fd
July 2012 by Marc Jacob
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a long descriptor name, to generate a buffer
overflow in bash, in order for example to escape from a restricted
shell.
Severity: 1/4
Creation date: 13/07/2012
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The bash (Bourne Again Shell, /bin/bash) program is a command
interpreter.
The ’-r’ option of bash starts a restricted shell, in order to
partition the user.
The internal command "test" (or ’[’) is used in shell scripts, to
detect if a file exists for example.
The test command emulates the special "/dev/fd/1" file, as the
file descriptor number one. In order to do so, the number after
"/dev/fd/" is stored in a 32 bytes array. However, if the number
is too long, a buffer overflow occurs in the sh_stat() function of
lib/sh/eaccess.c.
An attacker can therefore use a long descriptor name, to generate
a buffer overflow in bash, in order for example to escape from a
restricted shell.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/bash-buffer-overflow-via-fd-11770