Re: Use-After-Free in Bash

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Use-After-Free in Bash

From:	Chet Ramey
Subject:	Re: Use-After-Free in Bash
Date:	Tue, 30 Oct 2018 21:47:28 -0400
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 10/30/18 9:19 PM, Eduardo Bustamante wrote:
> On Tue, Oct 30, 2018 at 1:03 PM Corbin Souffrant
> <corbin.souffrant@gmail.com> wrote:
> (...)
>> I found a reproducible use-after-free in every version of Bash from
>> 4.4-5.0beta, that could potentially be used to escape restricted mode. I
>> say potentially, because I can get it to crash in restricted mode, but I
>> haven't gone through the effort of attempting to heap spray to overwrite
>> function pointers.
> 
> Disclaimer: I'm not a maintainer.
> 
> Did you check the `devel' branch in the git repository?

He did; I just fixed it today.

> I don't think the restricted mode is really advertised as a powerful
> security feature, so IMO you should be able to report it here. If
> you're worried though, you can always email Chet Ramey directly.

I looked at it and can't see how to exploit it to execute arbitrary code.
It's also only a problem if you're not using the bash malloc.


Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/

[Prev in Thread]

Current Thread

[Next in Thread]

Use-After-Free in Bash, Corbin Souffrant, 2018/10/30
- Re: Use-After-Free in Bash, Eduardo Bustamante, 2018/10/30
  - Re: Use-After-Free in Bash, Chet Ramey <=
- Re: Use-After-Free in Bash, Corbin Souffrant, 2018/10/30

Prev by Date: Re: Use-After-Free in Bash
Next by Date: make distclean and bash-4.4 - FYI
Previous by thread: Re: Use-After-Free in Bash
Next by thread: Re: Use-After-Free in Bash
Index(es):
- Date
- Thread