Re: Buffer overflow in /bin/bash

Kris Benson (doctorkb@NETBISTRO.COM)
Tue, 26 Aug 1997 17:01:53 -0700

On Thu, 21 Aug 1997, Razvan Dragomirescu wrote:

> PS1=\h:\w\$

[deletia]

> By writing past the end of this buffer, you can execute arbitrary code.

A similar thing can be accomplished with back ticks... try this:

PS1="\h:\w \`ls -C\`"

It's a little easier, and (seemingly) accomplishes the same thing, does it
not, in addition to being platform independent?

If someone can modify your prompt, chances are they also have the ability
to modify your path. This could include a directory right at the start of
the path that has a trojan version of su(1) or something similar
installed.

Buffer overflows are cool, but more obvious things can be even more
insecure.

I'm not sure either of these is really a security hole, but they may be
considered bugs -- something worth noting would be that no one should be
able to change these variables on you -- your .profile should be writeable
only by owner, and possibly only readable by owner, as well.

-kb
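
An added example (not part of the original post): a POSIX sh audit of the two preconditions the message names, shell startup files that someone other than the owner can write, and PATH entries where a substitute binary could be dropped. The function names, the list of startup files and the finding labels are this example's own choices.

```shell
#!/bin/sh
# writable_by_others FILE: true if FILE is group- or world-writable.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# audit_startup_files HOME_DIR: one finding per startup file that another
# user could edit (and so change PS1 or PATH for the owner).
audit_startup_files() {
    for f in .profile .bash_profile .bash_login .bashrc; do
        p="$1/$f"
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "WRITABLE $p"
        elif [ -n "$(find "$p" -prune ! -user "$(id -u)" 2>/dev/null)" ]; then
            echo "NOT-OWNED $p"
        fi
    done
}

# audit_path PATH_STRING: one finding per entry that is relative or empty
# (both resolve against the current directory) or is a directory that
# group or world can write to.
audit_path() {
    entries="$1:"            # terminate every field so a trailing ':' is seen
    old_ifs=$IFS; IFS=:
    set -f                   # no globbing while splitting
    for d in $entries; do
        case "$d" in
            /*) if [ -d "$d" ] && writable_by_others "$d"; then
                    echo "WRITABLE $d"
                fi ;;
            *)  echo "RELATIVE '$d'" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# Report on the invoking user's own environment.
audit_startup_files "${HOME:-.}"
audit_path "$PATH"
```

No output means nothing was flagged. Read permissions, which the message also mentions, are not checked here.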