Bug 118642 - Coreutils 'dir' integer overflow vulnerability.
Summary: Coreutils 'dir' integer overflow vulnerability.
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: coreutils
Version: 3.0
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2004-03-18 15:57 UTC by Igor
Modified: 2007-11-30 22:07 UTC (History)
Clone Of:
Last Closed: 2004-12-09 16:31:49 UTC



Description Igor 2004-03-18 15:57:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Description of problem:
Bug: DoS / possible arbitrary code execution.
Impact: Attackers can cause MASS consumption of CPU utilisation and
usage of memory, by corrupting the stack. Possible code execution.


Version-Release number of selected component (if applicable):
coreutils-4.5.3-26

How reproducible:
Always

Steps to Reproduce:
1. Just run in shell: $ dir -w 1073741828


Actual Results:  mass CPU utilisation will be used

Additional info:

If invoked via a debugging tool such as 'Valgrind', one can see the
consequences of the integer overflow taking place.
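
As an added illustration (not part of Igor's report or of the coreutils source), the C below simulates the 32-bit size_t of an i686 build: multiplying the reported width 1073741828 by an assumed four-byte element size wraps to 16, and a checked parser, parse_line_width, refuses such a width before any buffer is sized from it. The element size, the cap and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simulate the 32-bit size_t of an i686 build: multiply a requested width by
   an element size and report whether the product wrapped.  The truncated
   product is stored in *out so the effect of the wrap is visible. */
bool width_mul_wraps32(uint32_t width, uint32_t elem_size, uint32_t *out)
{
    uint64_t product = (uint64_t)width * elem_size;
    *out = (uint32_t)product;          /* what a 32-bit allocation size would be */
    return product > UINT32_MAX;       /* true when the real size was lost */
}

/* Hardened parser for a user-supplied line width (constructed example, not the
   coreutils implementation).  Rejects anything non-numeric or negative, any
   value above max_width, and any value whose product with elem_size would not
   fit in the simulated 32-bit size_t.  On success stores the width and
   returns true. */
bool parse_line_width(const char *arg, uint32_t elem_size,
                      uint32_t max_width, uint32_t *width)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || arg[0] == '-')
        return false;                  /* not a clean non-negative integer */
    if (v > max_width)
        return false;                  /* policy cap, independent of overflow */
    uint32_t unused;
    if (width_mul_wraps32((uint32_t)v, elem_size, &unused))
        return false;                  /* allocation size would wrap to a tiny value */
    *width = (uint32_t)v;
    return true;
}
```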

Comment 1 Tim Waugh 2004-03-18 16:24:04 UTC
Well, you are already in a shell there.

Perhaps you are thinking of an exploit via an FTP server?  vsftpd uses
its own internal ls.

Or is there a different vector you are thinking of?

Comment 2 Igor 2004-03-19 06:30:17 UTC
I can create a simple PHP script, for example, post it to a hosting
site, and hang the server if it does not limit resources. Most admins of
the small ISP hosting sites don't limit memory and CPU resources. :)

Comment 3 Mark J. Cox 2004-03-25 10:43:47 UTC
If an ISP allows you to run arbitrary php scripts then there are many
other ways you can cause similar effects even without this flaw being
present.

