Re: Malicious translation file can cause buffer overflow
From: Pádraig Brady
Subject: Re: Malicious translation file can cause buffer overflow
Date: Fri, 01 May 2015 01:13:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
On 30/04/15 23:08, Trammell Hudson wrote:
> Configuration Information [Automatically generated, do not change]:
> Machine: x86_64
> OS: linux-gnu
> Compiler: gcc
> Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
> -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
> -DCONF_VENDOR='unknown' -DLOCALEDIR='/tmp/local/share/locale'
> -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I.. -I../include -I../lib
> -g -O2
> uname output: Linux hsthudson.aoa.twosigma.com 3.4.86-ts2 #3 SMP Wed Apr 9
> 03:28:16 GMT 2014 x86_64 GNU/Linux
> Machine Type: x86_64-unknown-linux-gnu
>
> Bash Version: 4.3
> Patch Level: 30
> Release Status: release
>
>
> Description:
> The gettext translated messages for "Done", "Done(%d)" and "Exit %d"
> in jobs.c are copied to a static allocated buffer. A user could set the
> LANGUAGE variable to point to a malicious translation file that has
> translations that are longer than 64-bytes for these strings to create
> a buffer overflow.
>
> Since LANGUAGE is passed unchanged by sudo this might be usable for
> privilege escalation.
>
>
> Repeat-By:
> Create a .po file with a bogus translation:
>
> #: jobs.c:1464 jobs.c:1489
> msgid "Done"
> msgstr "Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
>
> And start an interactive shell that puts a command into the background:
>
> LANGUAGE="nl.utf8" PS1='$ ' ./bash --noprofile -norc
> $ sleep 1 &
> [1] 14464
> $ sleep 2
> [1]+ Klaar 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 sleep 1
How does one override the system translation?
I thought gettext only looks in the dir passed to bindtextdomain() ?
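The pattern the report describes, as an added example that is not bash's code and not part of this thread: a gettext() result copied unbounded into a fixed 64-byte buffer, beside a bounded variant that falls back to the untranslated msgid when the translation does not fit. fake_gettext() is a constructed stand-in for gettext(); with its `malicious` flag set it returns the over-long "Klaar ..." string from the report, which is what an attacker-controlled LANGUAGE plus a crafted .mo file would produce. The function names and the STATUS_LEN constant are assumptions for this example, not identifiers from jobs.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gettext(), not the real library call. With
 * malicious=1 it returns the 96-byte "Klaar ..." translation from the
 * report; with malicious=0 it returns a sane translation. gettext()
 * returns the msgid itself when no translation exists, mirrored here. */
static const char *fake_gettext(const char *msgid, int malicious)
{
    static const char long_klaar[] =
        "Klaar 123456789012345678901234567890123456789012345678901234567890"
        "123456789012345678901234567890";
    if (strcmp(msgid, "Done") == 0)
        return malicious ? long_klaar : "Klaar";
    return msgid;
}

#define STATUS_LEN 64   /* assumed size of the fixed buffer the report describes */

/* Vulnerable pattern: unbounded copy of a translation into a fixed buffer.
 * This is only correct while strlen(translation) < STATUS_LEN, an assumption
 * that an attacker-supplied .mo file breaks. It is kept here as the "before"
 * and is only ever called with malicious=0 in this example. */
const char *job_status_unsafe(const char *msgid, int malicious)
{
    static char buf[STATUS_LEN];
    strcpy(buf, fake_gettext(msgid, malicious));
    return buf;
}

/* The check a caller wants before trusting a translation: does it fit the
 * buffer including the terminating NUL? Returns 1 if so, else 0. */
int translation_fits(const char *msgid, int malicious)
{
    return strlen(fake_gettext(msgid, malicious)) < STATUS_LEN;
}

/* Hardened variant: bounded copy that can never write past the buffer. If the
 * translation is too long, fall back to the untranslated msgid, which is a
 * compile-time literal and therefore not under the user's control. */
const char *job_status_safe(const char *msgid, int malicious)
{
    static char buf[STATUS_LEN];
    const char *t = fake_gettext(msgid, malicious);
    if (strlen(t) >= sizeof buf)
        t = msgid;
    snprintf(buf, sizeof buf, "%s", t);   /* always NUL-terminates within buf */
    return buf;
}

int main(void)
{
    printf("benign translation: %s\n", job_status_unsafe("Done", 0));
    printf("malicious fits?     %d\n", translation_fits("Done", 1));
    printf("hardened output:    %s\n", job_status_safe("Done", 1));
    return 0;
}
```

The fallback to the msgid rather than a truncated translation is deliberate: a silently truncated string would hide the fact that the catalog is bad, while printing the English original keeps the job status readable and leaves no way for catalog contents to decide how many bytes are written.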