SecurityTracker.com
Category:   OS (Linux)  >   ls
Vendors:   GNU [multiple authors]
GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
SecurityTracker Alert ID:  1007981
SecurityTracker URL:  http://securitytracker.com/id/1007981
CVE Reference:   CVE-2003-0853, CVE-2003-0854
Updated:  Dec 1 2003
Original Entry Date:  Oct 22 2003
Impact:   Denial of service via local system, Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in the GNU/Linux 'ls' utility. A remote user may be able to cause denial of service conditions by exploiting /bin/ls via remote applications, such as wu-ftpd.

Georgi Guninski reported an integer overflow in /bin/ls. The report also said that applications that invoke /bin/ls may be subject to denial of service attacks. A remote user may be able to cause an application (such as wu-ftpd) to invoke ls with the '-w' column width option and the '-C' option, causing ls to consume a large amount of memory for a temporary period of time. The init_column_info() function will potentially allocate much more memory than is needed to display the relevant files. This can reportedly cause temporary denial of service conditions.

As a demonstration exploit of the memory consumption flaw, the following command can be used via wu-ftpd:

ls "-w 1000000 -C"

As a demonstration exploit for the integer overflow flaw, the following local command can be used:

/bin/ls -w 1073741828 -C
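
The size arithmetic behind the integer overflow, as an added example (not code from the advisory or from coreutils): a 32-bit count-times-size multiplication wraps to 8 bytes for the width 1073741828, the same block size valgrind reports in the source message, and a checked multiplication rejects that width. The divisor of 3, the 12-byte record size and all function names are assumptions modelling a 32-bit build.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not stated in the advisory): minimum column width of 3 and a
   12-byte per-column record, with sizes computed in 32-bit arithmetic. */
#define MIN_COLUMN_WIDTH 3u
#define ELEM_SIZE 12u

/* Number of column records derived from the -w value. */
static uint32_t column_count(uint32_t line_length)
{
    uint32_t n = line_length / MIN_COLUMN_WIDTH;
    return n == 0 ? 1 : n;
}

/* Unchecked size: the product silently wraps modulo 2^32. */
static uint32_t unchecked_alloc_size(uint32_t line_length)
{
    return column_count(line_length) * ELEM_SIZE;
}

/* Checked size: returns 0 and stores the byte count, or -1 if the
   multiplication would not fit in 32 bits. */
static int checked_alloc_size(uint32_t line_length, uint32_t *out)
{
    uint32_t n = column_count(line_length);
    if (n > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = n * ELEM_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal terminal width and the two widths
       quoted in the advisory. */
    uint32_t widths[] = { 80u, 1000000u, 1073741828u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t sz = 0;
        int rc = checked_alloc_size(widths[i], &sz);
        printf("-w %u: records=%u unchecked=%u bytes checked=%s\n",
               (unsigned)widths[i], (unsigned)column_count(widths[i]),
               (unsigned)unchecked_alloc_size(widths[i]),
               rc == 0 ? "ok" : "rejected (overflow)");
    }
    return 0;
}
```

The array ends up far smaller than the number of records the following loop expects to initialise, which is why an unchecked size leads to out-of-bounds writes.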

The /bin/ls utility is part of the GNU coreutils collection.

The original advisory is available at:

http://www.guninski.com/binls.html

Impact:   A remote user may be able to cause applications using /bin/ls to experience denial of service conditions.
Solution:   A fix is available via CVS. For more information on the patches, see:

http://mail.gnu.org/archive/html/bug-coreutils/2003-10/msg00070.html

Cause:   State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 22 2003 (Conectiva Issues Fix) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Conectiva has released a fix.
Nov 1 2003 (Immunix Issues Fix) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Immunix has released a fix for 'fileutils'.
Nov 3 2003 (Red Hat Issues Fix) Re: GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Red Hat has issued a fix.
Nov 14 2003 (Red Hat Issues Fix for Enterprise Linux) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Red Hat has released a fix for Enterprise Linux 2.1.
Nov 17 2003 (Trustix Issues Fix) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Trustix has released a fix.
Nov 28 2003 (Turbolinux Issues Fix) Re: GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
Turbolinux has issued a fix.
Feb 17 2004 (Sun Issues Fix for Cobalt RaQ) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
A fix is available for Cobalt RaQ.
Mar 5 2004 (SCO Issues Fix for OpenLinux) GNU/Linux '/bin/ls' Memory Allocation May Let Remote Users Deny Service Via Other Applications
SCO has issued a fix for OpenLinux 3.1.1.



 Source Message Contents

Subject:  [Full-Disclosure] Fun with /bin/ls, yet still ls better than windows


Georgi Guninski security advisory #62, 2003

Fun with /bin/ls, yet still ls better than windows

Systems affected:
coreutils  - /bin/ls, wu-ftpd DoS
Fixed in CVS


Risk: Low
Date: 22 October 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/binls.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
/bin/ls is used in wu-ftpd. There is remote denial of service involving
/bin/ls - the result is great memory consumption. In addition, there is an
integer overflow in /bin/ls, which seems non exploitable.

Details:
To check the DoS attack, in wu-ftpd try:
ls "-w 1000000 -C"

The integer overflow is demonstrated by this:
-------------------------------------
valgrind /bin/ls -w 1073741828 -C


==21243== Invalid write of size 4
==21243==    at 0x804E498: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)
==21243==    by 0x804B721: (within /bin/ls)
==21243==    by 0x8049F74: (within /bin/ls)
==21243==    Address 0x41430CC8 is 8 bytes after a block of size 8 alloc'd
==21243==    at 0x40160504: malloc (vg_clientfuncs.c:100)
==21243==    by 0x80534D0: (within /bin/ls)
==21243==    by 0x804E4FB: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)

The heap is quite screwed, but ls is killed by the kernel due to memory usage.
------------------------------------



Vendor status:
coreutils developers were notified on Sun, 12 Oct 2003
It was fixed in CVS on the same day.
Fix in this thread:
http://mail.gnu.org/archive/html/bug-coreutils/2003-10/msg00070.html

Regards,
Georgi Guninski
http://www.guninski.com



Copyright 2022, SecurityGlobal.net LLC