version string can cause overflow and affect eip/rip (needs length check in version string)

Fri, 26 Sep 2014 01:19:38 -0700 

This isn't nearly as important as shellshock or whatever you want to call
it, but I found this while glancing at the source and the latest patch.
It's a funny little bug that I doubt could ever be useful for malicious
reasons, unless you can determine an address to jump to that is comprised
of all hex characters 30-39 (digits) due to the regex check on the version
string, and also if the "attacker" could set a version string.

Still, a bad version string in a configure shouldn't allow someone to jump
to an arbitrary address in memory. Might be a good idea to add a length
check in configure or make.

version I set in configure:
BASHVERS=4.44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444

(gdb) run
Starting program: ~/bash/bash-4.3/bash

Program received signal SIGSEGV, Segmentation fault.
0x0000000000*343434* in ?? ()
(gdb) bt
#0  0x0000000000343434 in ?? ()
#1  0x73696c6172746c75 in ?? ()
#2  0x000000000000006b in ?? ()
#3  0x0000000000000007 in ?? ()
#4  0x00007ffff7ffa250 in ?? ()
#5  0x0000002000000000 in ?? ()
#6  0x0000000000000000 in ?? ()

(gdb) i r
rax            0x70b508 7386376
rbx            *0x3434343434343434*       3761688987579986996
rcx            0x70b627 7386663
rdx            0x0      0
rsi            0x70b608 7386632
rdi            0x70b621 7386657
rbp            *0x3434343434343434*       *0x3434343434343434*
rsp            0x7fffffffdee0   0x7fffffffdee0
r8             0x0      0
r9             0x2      2
r10            0x705230 7361072
r11            0x7ffff7762780   140737345103744
r12            *0x3434343434343434*       3761688987579986996
r13            *0x3434343434343434*       3761688987579986996
r14            *0x3434343434343434*       3761688987579986996
r15            *0x3434343434343434*       3761688987579986996
rip            *0x343434* *0x343434*
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0

vulnerable code:

static void
make_vers_array ()
{
  SHELL_VAR *vv;
  ARRAY *av;
  char *s, d[32], b[INT_STRLEN_BOUND(int) + 1];

  unbind_variable ("BASH_VERSINFO");

  vv = make_new_array_variable ("BASH_VERSINFO");
  av = array_cell (vv);
*  strcpy (d, dist_version);*

There's already a regex check on the version string for [0-9] which is why
you are extremely limited to what you can do, but there should probably be
a length limit to 31 characters, in the configure or makefile or something.

Hope all is well now. I know it's been a busy week :)

Cheers,
Johan Nestaas

Reply via email to