tcsh.6.07.bof.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Potential overflow vulnerability in tcsh caused by long HOME environment variable.

Code
Date: Mon, 17 May 1999 09:53:19 +0200  
From: arkth <[email protected]>  
To: [email protected]  
Subject: tcsh overflow  
  
While a few days ago there was discussion about bash overflow on bugtraq I  
found another overflow in tcsh-6.07.09-1 [ rh 5.2 ].  
The problem is in too long $HOME environment variable [ very old thing -  
zgv overflow ]. I don't know if it's a dangerous problem, but like someone  
said this shell can be used in some kind of script with SUID, etc.  
  
example:  
$ HOME=AAAAAAAAAAAAAAA...AAA  
$ export HOME  
$ tcsh  
Segmentation fault (core dumped)  
$ gdb tcsh core  
GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support  
Copyright 1998 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you are  
welcome to change it and/or distribute copies of it under certain conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i386-redhat-linux"...  
(no debugging symbols found)...  
Core was generated by `-csh'.  
Program terminated with signal 11, Segmentation fault.  
Reading symbols from /lib/libnsl.so.1...done.  
Reading symbols from /lib/libtermcap.so.2...done.  
Reading symbols from /lib/libcrypt.so.1...done.  
Reading symbols from /lib/libc.so.6...done.  
Reading symbols from /lib/ld-linux.so.2...done.  
Reading symbols from /lib/libnss_files.so.1...done.  
#0 0x410041 in ?? ()  
(gdb)  
  
hmmm... that's all =)  
sorry, if it's not a new thing, but i haven't seen anything like this  
before on bugtraq...  
arkth [holix inc.]  
--  
mail: [email protected]  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 19:03:11 +0100  
From: Philip Rowlands <[email protected]>  
To: [email protected]  
Subject: Re: tcsh overflow  
  
arkth wrote:  
>  
> While a few days ago there was discussion about bash overflow on bugtraq I  
> found another overflow in tcsh-6.07.09-1 [ rh 5.2 ].  
> The problem is in too long $HOME environment variable [ very old thing -  
> zgv overflow ]. I don't know if it's a dangerous problem, but like someone  
> said this shell can be used in some kind of script with SUID, etc.  
>  
  
From the tcsh changelog:  
  
 93. V6.07.12 - 19980918  
90. Avoid buffer overflows in directory code (kim)  
  
Looks like the fault you found was fixed in 6.07.12  
  
However, I tried the "exploit" given using tcsh 6.08.04, and found that  
tcsh still crashes, but this time with a SIGABRT rather than SIGSEGV.  
  
Checking in the source shows:  
  
/*  
 * kim: if the path given is too long abort().  
 */  
if (Strlen(cp) >= MAXPATHLEN)  
    abort();  
  
i.e. this behaviour is hard coded in deliberately.  
  
This is the stacktrace from GDB:  
  
(gdb) bt  
#0 0x40097781 in __kill ()  
#1 0x400975af in raise (sig=6) at ../sysdeps/posix/raise.c:27  
#2 0x400987bf in abort () at ../sysdeps/generic/abort.c:83  
#3 0x804db5b in dcanon (cp=0x80aa808, p=0x80aa808) at sh.dir.c:829  
#4 0x80553f5 in dosetenv (v=0x80b2a08, c=0x80b3fc8) at sh.func.c:1402  
#5 0x8053c3e in func (t=0x80b3fc8, bp=0x80815d0) at sh.func.c:141  
#6 0x805f677 in execute (t=0x80b3fc8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:642  
#7 0x805f831 in execute (t=0x80b3fa8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:719  
#8 0x804c1ac in process (catch=1) at sh.c:2094  
#9 0x804b440 in main (argc=0, argv=0xbffff568) at sh.c:1312  
  
Phil  
  

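The thread above describes two behaviours for an over-long `$HOME`: the 6.07.09 build overflows a fixed `MAXPATHLEN` buffer in the directory code, and the 6.07.12 fix checks `Strlen(cp) >= MAXPATHLEN` but then calls `abort()`, so the shell still dies (SIGABRT instead of SIGSEGV). The following C program is an added example, not tcsh's code and not from either mail: it shows the same bounds check applied before the copy, but returning a status so the caller can reject the value and fall back to a safe default instead of crashing. The `MAXPATHLEN` value, the fallback of `/`, and the names `copy_dir_checked` / `load_home` are assumptions made for the demonstration.

```c
/* Added example (not tcsh's own code): bounds-check a directory path before
 * copying it into a fixed MAXPATHLEN buffer, and report an error instead of
 * calling abort() or overflowing. MAXPATHLEN below is an assumed value. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* assumption: typical value from <sys/param.h> */
#endif

/* Status codes returned by the checked copy. */
enum path_status { PATH_OK = 0, PATH_TOO_LONG = -1, PATH_EMPTY = -2 };

/* Length of s, but never scanning more than max bytes, so an enormous
 * environment value is never walked past the buffer size we care about. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Copy src into dst (capacity MAXPATHLEN) only if it fits together with the
 * terminating NUL. This is the intent of the 6.07.12 check
 *     if (Strlen(cp) >= MAXPATHLEN) abort();
 * expressed as a return value the caller can act on.
 */
int copy_dir_checked(const char *src, char dst[MAXPATHLEN])
{
    size_t n;
    if (src == NULL || dst == NULL)
        return PATH_EMPTY;
    n = bounded_len(src, MAXPATHLEN);
    if (n == 0)
        return PATH_EMPTY;
    if (n >= MAXPATHLEN)          /* no room left for the NUL terminator */
        return PATH_TOO_LONG;
    memcpy(dst, src, n + 1);      /* n + 1 <= MAXPATHLEN, so this fits */
    return PATH_OK;
}

/* Simulate a shell reading $HOME at startup: on any rejected value, keep
 * running with "/" as the home directory rather than aborting. */
int load_home(const char *env_home, char home[MAXPATHLEN])
{
    int st = copy_dir_checked(env_home, home);
    if (st != PATH_OK)
        strcpy(home, "/");        /* safe fallback; "/" always fits */
    return st;
}

/* Stand-alone run with constructed inputs: a normal path and an over-long one. */
int main(void)
{
    char home[MAXPATHLEN];
    char *huge = malloc(MAXPATHLEN * 2);
    if (huge == NULL)
        return 1;
    memset(huge, 'A', MAXPATHLEN * 2 - 1);
    huge[MAXPATHLEN * 2 - 1] = '\0';

    printf("short HOME: status %d, home=%s\n", load_home("/home/arkth", home), home);
    printf("huge HOME : status %d, home=%s\n", load_home(huge, home), home);
    free(huge);
    return 0;
}
```

The `>=` rather than `>` matters: a string of exactly `MAXPATHLEN` characters needs `MAXPATHLEN + 1` bytes once the NUL is counted, which is the off-by-one that turns a "fits" check into an overflow. Returning a status also keeps the process alive, which is the difference between a rejected environment variable and a reproducible crash in any SUID wrapper that happens to invoke the shell, the case the first mail raises.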