Bug 118642 - Coreutils 'dir' integer overflow vulnerability.
Summary: Coreutils 'dir' integer overflow vulnerability.
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: coreutils
Version: 3.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
Depends On:
Reported: 2004-03-18 15:57 UTC by Igor
Modified: 2007-11-30 22:07 UTC (History)

Clone Of:
Last Closed: 2004-12-09 16:31:49 UTC

Description Igor 2004-03-18 15:57:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7

Description of problem:
Bug: DoS / possible arbitrary code execution.
Impact: Attackers can cause MASS consumption of CPU utilisation and
usage of memory, by corrupting the stack. Possible code execution.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just run in shell$ dir -w 1073741828

Actual Results:  mass CPU utilisation will be used

Additional info:

If invoked via a debugging tool such as 'Valgrind', one can see the
consequences of the integer overflow taking place.
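
Why the value in the report matters on a 32-bit (i686) build, as an added example that is not coreutils code and not from the reporter: 1073741828 is 2^30 + 4, so a size computed as that count times a 4-byte element wraps to 16 in 32-bit arithmetic, and an overflow-checked multiply or a bounded width parse rejects it. The 4-byte element size, the `MAX_WIDTH` cap and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ELEM_SIZE 4u      /* assumption: 4-byte per-column record */
#define MAX_WIDTH 65535u  /* hypothetical upper bound for a sane line width */

/* Naive size computation as a 32-bit size_t would perform it (wraps mod 2^32). */
static uint32_t unchecked_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Overflow-checked variant: 0 on success, -1 if count * elem_size does not fit. */
static int checked_bytes(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Parse a width argument; reject signs, trailing junk, zero and values over MAX_WIDTH. */
static int parse_width(const char *arg, uint32_t *width)
{
    char *end;
    unsigned long v;

    if (arg[0] < '0' || arg[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > MAX_WIDTH)
        return -1;
    *width = (uint32_t)v;
    return 0;
}

int main(void)
{
    uint32_t n = 1073741828u, bytes = 0, w = 0;   /* value from the report: 2^30 + 4 */

    printf("unchecked: %u elements -> %u bytes\n", (unsigned)n, (unsigned)unchecked_bytes(n, ELEM_SIZE));
    printf("checked:   %s\n", checked_bytes(n, ELEM_SIZE, &bytes) ? "rejected (overflow)" : "ok");
    printf("parse:     %s\n", parse_width("1073741828", &w) ? "rejected (too wide)" : "ok");
    return 0;
}
```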

Comment 1 Tim Waugh 2004-03-18 16:24:04 UTC
Well, you are already in a shell there.

Perhaps you are thinking of an exploit via an FTP server?  vsftpd uses
its own internal ls.

Or is there a different vector you are thinking of?

Comment 2 Igor 2004-03-19 06:30:17 UTC
I can create a simple PHP script, for example, post it to a hosting
site, and hang the server if it does not limit resources. Most admins of
the small ISP hosting sites don't limit memory and CPU resources. :)

Comment 3 Mark J. Cox 2004-03-25 10:43:47 UTC
If an ISP allows you to run arbitrary php scripts then there are many
other ways you can cause similar effects even without this flaw being
