
Re: ksh / CVE-2019-14868



Ola Lundqvist <ola@inguza.com> writes:

> Interesting. I wonder how I concluded that it was just arithmetic
> expressions. Do you want me to re-check it?

Yes please, might be a good idea.

> Segmentation faults can be problematic too, but it looks like we have
> some protection against this CVE already. The question is whether the
> subshell is actually executed before the sigsegv.

According to strace, it does appear to be the case.

I just noticed when I try to run this inside gdb it works fine:

(stretch-amd64-default)root@silverfish:/home/brian# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' gdb /usr/bin/ksh
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ksh...(no debugging symbols found)...done.
(gdb) show environment SHLVL
SHLVL = 2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]
(gdb) r
Starting program: /usr/bin/ksh 
# echo $SHLVL
1
# 
[Inferior 1 (process 16002) exited normally]
(gdb) q


Tried again with a core file, but looks like I will need to recompile
with debugging symbols:

(stretch-amd64-default)root@silverfish:/home/brian# gdb /usr/bin/ksh core 
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ksh...(no debugging symbols found)...done.

warning: core file may not match specified executable file.
[New LWP 16516]
Core was generated by `/usr/bin/ksh'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055db50ac8501 in ?? ()
(gdb) bt
#0  0x000055db50ac8501 in ?? ()
#1  0x000055db50af5b11 in ?? ()
#2  0x000055db50af645f in ?? ()
#3  0x000055db50afae8f in ?? ()
#4  0x000055db50af2c1f in ?? ()
#5  0x000055db50ad5577 in ?? ()
#6  0x000055db50ad2316 in ?? ()
#7  0x000055db50ad4c8e in ?? ()
#8  0x000055db50ad5000 in ?? ()
#9  0x000055db50aadb15 in ?? ()
#10 0x000055db50aae3a4 in ?? ()
#11 0x000055db50aefd24 in ?? ()
#12 0x000055db50af106c in ?? ()
#13 0x000055db50aad792 in ?? ()
#14 0x000055db50ad9294 in ?? ()
#15 0x000055db50abec72 in ?? ()
#16 0x000055db50aa38dd in ?? ()
#17 0x00007f2658ae42e1 in __libc_start_main (main=0x55db50aa3650, argc=1, argv=0x7ffe505157a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe50515798) at ../csu/libc-start.c:291
#18 0x000055db50aa368a in ?? ()


-- 
Brian May <bam@debian.org>

