On 2/19/17 9:11 PM, kkk K wrote:
> OK, one PoC I think should look like this:
> =========================
> #!/bin/bash
> a="1||"
> # "%.s" prints nothing of each brace-expanded argument, so the format is
> # applied 50000 times and b becomes "1||1||...||1" (50001 operands)
> b=`printf "%.s"$a {1..50000}`"1"
> eval "$b"
> =========================
> This code will cause a segmentation fault. Of course, eval or printf is
> actually not necessary;
> the problem is the "1 || 1 || .... 1" expression:
> the parser, when interpreting OR expressions, did not take recursive stack
> overflow into consideration.
> Will you take this as a security bug?
Why do you consider this a security bug? You overflow the process's stack
in exactly the same way you did before. How does this elevate privilege?
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU [email protected] http://cnswww.cns.cwru.edu/~chet/
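Added example, not part of the thread above and not code from the bug report or from bash itself: a small harness that rebuilds the reporter's "1 || 1 || ... || 1" chain and runs it in a child bash process, so the shell you are typing in survives and the child's exit status can be read back. Two assumptions differ from the PoC: the operand is `true` rather than `1` (a `1` command is not found, so even a chain that does not crash would exit 127), and the chain is fed to the child on stdin rather than through `bash -c`, because a 50000-operand string is larger than one argv element may be. Whether the full-size chain segfaults on a given machine depends on the bash build and on the stack limit, so the second argument optionally lowers the child's `ulimit -s`; watching the result change with that limit is the practical confirmation of Chet's point that what dies is the process parsing and executing the expression, under its own resource limits.

```bash
#!/bin/bash
# Added example (not from the bug report or from bash): re-create the
# "1 || 1 || ... || 1" chain and run it in a child bash so the calling shell
# survives and the child's exit status tells us what happened.

# Print a chain of n "true" operands joined by "||". Chunks of 2^k operands
# are built by doubling and combined by the binary digits of n, so a
# 50000-operand string is assembled in a handful of concatenations.
build_or_chain() {
    local n="$1" chunk="true" chain=""
    while [ "$n" -gt 0 ]; do
        if [ $((n % 2)) -eq 1 ]; then
            if [ -z "$chain" ]; then chain="$chunk"; else chain="$chain||$chunk"; fi
        fi
        n=$((n / 2))
        if [ "$n" -gt 0 ]; then chunk="$chunk||$chunk"; fi
    done
    printf '%s' "$chain"
}

# Run build_or_chain "$1" in a separate bash process, optionally with the
# stack soft limit lowered to $2 kB, and report how that process ended:
# "completed", "segv", "signal:N" or "exit:N". The chain is fed on stdin
# because 50000 operands exceed what a single argv element may carry.
probe_or_chain() {
    local n="$1" stack_kb="${2:-}" chain status
    chain=$(build_or_chain "$n")
    if ( ulimit -c 0                   # no core file from the child
         if [ -n "$stack_kb" ]; then ulimit -s "$stack_kb"; fi
         printf '%s\n' "$chain" | bash ) >/dev/null 2>&1
    then
        status=0
    else
        status=$?
    fi
    case $status in
        0)   echo completed ;;
        139) echo segv ;;              # 128 + SIGSEGV (11)
        *)   if [ "$status" -gt 128 ]; then echo "signal:$((status - 128))"
             else echo "exit:$status"; fi ;;
    esac
}

# Demonstration: a short chain runs to completion; what the PoC-sized chain
# does depends on the local bash build and on the stack limit it runs under.
for n in 8 50000; do
    printf 'operands=%-6s stack=default  result=%s\n' "$n" "$(probe_or_chain "$n")"
done
printf 'operands=50000  stack=1024kB   result=%s\n' "$(probe_or_chain 50000 1024)"
```

Run it as a script, or source it and call `probe_or_chain 50000 512` and similar by hand; a result of `segv` at one limit and `completed` at a larger one is the stack-exhaustion signature, and nothing in the run ever touches the invoking shell.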