Details:
First bug:
Due to a logic error in the ifsbreakup function in ash.c when a
heredoc and normal command is run one after the other by means of a
semi-colon, when the second command drops into ifsbreakup the command
will be evaluated with the ifslastp/ifsfirst struct that was set when
the here doc was evaluated. This results in a buffer over-read that
can leak the program's heap, stack, and arena addresses which can be
used to beat ASLR.
Second bug:
If the heap is sprayed with a certain amount of bash variables and
part of the first bug is sent, a predictable heap value can be free'd
and put into the tcache. After the heap value is free'd if the heap
was sprayed correctly, an attacker can overwrite the free’d tcache
address to obtain numerous write-what-where and the ability to
arbitrarily overwrite any writable memory address. This could lead to
a DoS, arbitrary code execution, or possible privilege escalation if
the setuid flag is set.
Steps to Reproduce:
First bug:
cmd args: ~/exampleDir/example> busybox ash
$ M='A'
$ q00(){
$ <<000;echo
$ ${D?$M$M$M$M$M$M}
$ 000
$ }
$ q00
Second bug:
cmd args: ~/exampleDir/example> busybox ash
$ AA
$ `spray 600 bash variables with size of 0x30 bytes`
$ `send bash variable with size of 0x20 bytes`
$ `send bash variable with size of 0x60 bytes`
$ `spray 12 bash variables with size of 0x20 bytes`
$ `Send part of first vulnerability`
$ <<00;V
$ ${x?0p$^?A<$B*442>$0bdbasdfg$0}
in this line are not meant to be entered in as is, but
instead shows amount of letter inside <> that would be entered in.>
$ 00
Patch:
Adding the following to ash.c will fix both bugs in one go.
--
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7030,6 +7030,7 @@
msg = umsg;
}
}
+ifsfree();
ash_msg_and_raise_error("%.*s: %s%s", (int)(end - var - 1), var, msg, tail);
}
@@ -7445,6 +7446,7 @@
if (discard)
return -1;
+ifsfree();
raise_error_syntax("bad substitution");
}
--
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
