
Re: Malicious translation file can cause buffer overflow


From: Pádraig Brady
Subject: Re: Malicious translation file can cause buffer overflow
Date: Fri, 01 May 2015 01:13:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

On 30/04/15 23:08, Trammell Hudson wrote:
> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
> -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu' 
> -DCONF_VENDOR='unknown' -DLOCALEDIR='/tmp/local/share/locale' 
> -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I.. -I../include -I../lib   
> -g -O2
> uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9 
> 03:28:16 GMT 2014 x86_64 GNU/Linux
> Machine Type: x86_64-unknown-linux-gnu
> 
> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
> 
> 
> Description:
> The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> in jobs.c are copied to a static allocated buffer.  A user could set the
> LANGUAGE variable to point to a malicious translation file that has
> translations that are longer than 64-bytes for these strings to create
> a buffer overflow.
> 
> Since LANGUAGE is passed unchanged by sudo this might be usable for
> privilege escalation.
> 
> 
> Repeat-By:
> Create a .po file with a bogus translation:
> 
> #: jobs.c:1464 jobs.c:1489
> msgid "Done"
> msgstr "Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
> 
> And start an interactive shell that puts a command into the background:
> 
> LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile  -norc
> $ sleep 1 &
> [1] 14464
> $ sleep 2
> [1]+ Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890                                                                        sleep 1

How does one override the system translation?
I thought gettext only looks in the dir passed to bindtextdomain() ?
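The fixed-size buffer pattern the report describes, as an added example that is not bash's jobs.c code: a 64-byte destination (the size the report gives), the unbounded copy shown for contrast, a bounded copy that reports truncation instead of overrunning, and a check a maintainer can run over a .po file's msgstr values before installing them. The function names, the helper wrappers and the 96-character sample msgstr are constructed for this example from the report's bogus translation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Destination size from the report ("longer than 64-bytes"). The buffer
 * and every function below are illustrative, not bash's own code. */
#define RETCODE_BUF_SIZE 64

/* Constructed sample translations of "Done": the stock msgstr and a
 * 96-character one shaped like the report's bogus .po entry. */
static const char *const SAFE_DONE = "Done";
static const char *const LONG_DONE =
    "Klaar "
    "123456789012345678901234567890"
    "123456789012345678901234567890"
    "123456789012345678901234567890";

/* Defender's check for vetting .po files: does this msgstr fit the
 * destination buffer, including the terminating NUL? */
bool translation_fits(const char *msgstr, size_t bufsize)
{
    return strlen(msgstr) < bufsize;
}

/* The unsafe pattern the report describes: an unbounded copy of a
 * translated string into a fixed-size buffer. Kept only for contrast;
 * with LONG_DONE it would write past the end of buf, so main() never
 * calls it with that input. */
void copy_unbounded(char *buf, const char *translated)
{
    strcpy(buf, translated);
}

/* Hardened variant: the write is bounded by bufsize, the result is always
 * NUL-terminated, and the return value tells the caller whether the
 * translation was truncated so it can be logged as a bad catalog. */
bool copy_bounded(char *buf, size_t bufsize, const char *translated)
{
    int n = snprintf(buf, bufsize, "%s", translated);
    return n >= 0 && (size_t)n < bufsize;   /* false means truncated */
}

/* The "Done(%d)" / "Exit %d" case: the translated template carries the
 * exit status. snprintf bounds the expansion the same way. */
bool format_exit_status(char *buf, size_t bufsize,
                        const char *translated_fmt, int status)
{
    int n = snprintf(buf, bufsize, translated_fmt, status);
    return n >= 0 && (size_t)n < bufsize;
}

/* Helpers that exercise the bounded routines on a local buffer and
 * return a checkable value. */
size_t kept_length(const char *translated)
{
    char buf[RETCODE_BUF_SIZE];
    copy_bounded(buf, sizeof buf, translated);
    return strlen(buf);
}

bool exit_status_fits(const char *translated_fmt, int status)
{
    char buf[RETCODE_BUF_SIZE];
    return format_exit_status(buf, sizeof buf, translated_fmt, status);
}

int main(void)
{
    const char *samples[] = { SAFE_DONE, LONG_DONE };
    char buf[RETCODE_BUF_SIZE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool vetted = translation_fits(samples[i], sizeof buf);
        bool fit = copy_bounded(buf, sizeof buf, samples[i]);
        printf("msgstr len %zu: vet=%s copy=%s kept=%zu chars\n",
               strlen(samples[i]), vetted ? "ok" : "too long",
               fit ? "ok" : "TRUNCATED", strlen(buf));
    }
    return 0;
}
```

The `translation_fits` check is the cheap preventive control: run it over every msgstr destined for a fixed buffer when a catalog is built, and a 96-character "Done" is rejected before it reaches the shell. The `copy_bounded` return value is the runtime control for catalogs that slip through; a truncated status line is ugly but not memory corruption.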



