Grep Integer Overflow

2012-12-31T00:00:00
ID PACKETSTORM:119170
Type packetstorm
Reporter Joshua Rogers
Modified 2012-12-31T00:00:00

Description

                                        
                                            `Grep <2.11 is vulnerable to int overflow exploitation.  
  
http://lists.gnu.org/archive/html/bug-grep/2012-03/msg00007.html  
  
Although it is patched in the recent Grep,  
This update has not been pushed to the Ubuntu repos, or the Redhat  
repos, leaving 99% of those OS's(and more) vulnerable.  
  
  
There are also many other ways to do this bug.  
  
It is low severity because it would be extremely hard to actually  
exploit it, and it is a local exploit, and it is not run by root.  
  
Found By: Security Researcher - Joshua Rogers  
  
  
More:  
https://bugzilla.redhat.com/show_bug.cgi?id=889935  
https://bugs.launchpad.net/ubuntu/+source/grep/+bug/1091473  
http://seclists.org/oss-sec/2012/q4/504  
etc.  
  
#There are many ways of doing this.  
  
#Method one:  
$ perl -e 'print "x"x(2**31)' | grep x > /dev/null  
Segmentation fault (core dumped)  
  
  
#Method two:  
$ perl -e 'print "\nx"x(2**31)' | grep -c x > /dev/null  
  
  
Twitter: https://twitter.com/MegaManSec  
  
  
CVE: CVE-2012-5667  
--   
*Joshua Rogers* - Retro Game Collector && IT Security Specialist  
gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg>  
  
`