
grep <2.11 is vulnerable to "Arbitrary command execution"

Reported by Joshua Rogers on 2012-12-17
Affects          Status  Importance  Assigned to  Milestone
grep (Ubuntu)            Undecided   Unassigned
Hardy                    Undecided   Unassigned
Lucid                    Undecided   Unassigned
Oneiric                  Undecided   Unassigned
Precise                  Undecided   Unassigned
Quantal                  Undecided   Unassigned
Raring                   Undecided   Unassigned

Bug Description

grep <2.11 is vulnerable to a command execution vulnerability, and it is not possible to patch it unless you build the source directly from the git repo.

Ubuntu 12.04 (and everything else, I would assume) uses version 2.10 of grep. It is not possible to upgrade without downloading the source and building it yourself.

PoC:

perl -e 'print "x"x(2**31)' | grep x > /dev/null

This is the grep NEWS entry for this:

 * Noteworthy changes in release 2.11 (2012-03-02) [stable]

  ** Bug fixes

    grep no longer dumps core on lines whose lengths do not fit in 'int'.
    (e.g., lines longer than 2 GiB on a typical 64-bit host).
    Instead, grep either works as expected, or reports an error.
    An error can occur if not enough main memory is available, or if the
    GNU C library's regular expression functions cannot handle such long lines.
    [bug present since "the beginning"]

Solution: send out a grep update with at least grep 2.11 from http://git.sv.gnu.org/cgit/grep.git

A full PoC of actually "abusing" this vulnerability (ls -la within grep) can be provided, if 100% needed.
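The NEWS entry quoted above describes the defect class: a line length that does not fit in 'int'. The following is an added example, not code from grep or from the reporter. It shows what a 2^31-byte line (the PoC's input) becomes when a matcher narrows its length to int, and a line scanner that keeps lengths in size_t and reports over-long lines as an error, which is the "works as expected, or reports an error" behaviour the NEWS entry describes. Function names (narrowed_len, line_len_fits_int, count_matching_lines, has_x) and the sample input are constructed for illustration; nothing here allocates 2 GiB.

```c
/* Added example (not grep's own code). A line whose length does not fit
 * in 'int' goes negative when narrowed; the fixed pattern keeps lengths
 * in size_t and turns over-long lines into an error instead of a crash.
 * All inputs below are constructed; nothing allocates 2 GiB. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What code that stores a line length in int sees for a 2^31-byte line:
 * on the usual 32-bit-int, two's complement targets the value is INT_MIN.
 * A negative length passed on to a size_t parameter becomes a value near
 * SIZE_MAX, which is how this kind of bug ends in a core dump. */
int narrowed_len(size_t len)
{
    return (int)len;
}

/* The check a fix needs: does this length survive the round trip to int? */
int line_len_fits_int(size_t len)
{
    return len <= (size_t)INT_MAX;
}

enum { SCAN_OK = 0, SCAN_LINE_TOO_LONG = -1 };

/* Sample matcher: "does the line contain an 'x'?" (the PoC's pattern). */
int has_x(const char *line, size_t len)
{
    return memchr(line, 'x', len) != NULL;
}

/* Walk buf[0..len) line by line, counting lines for which match() is true.
 * Lengths stay size_t end to end. A line longer than max_len is reported
 * as SCAN_LINE_TOO_LONG rather than being narrowed or silently skipped.
 * A final line without a trailing '\n' is still examined. */
int count_matching_lines(const char *buf, size_t len, size_t max_len,
                         int (*match)(const char *, size_t), size_t *hits)
{
    size_t start = 0;
    *hits = 0;
    while (start < len) {
        const char *nl = memchr(buf + start, '\n', len - start);
        size_t line_len = nl ? (size_t)(nl - (buf + start)) : len - start;
        if (line_len > max_len)
            return SCAN_LINE_TOO_LONG;
        if (match(buf + start, line_len))
            (*hits)++;
        start += line_len + 1;  /* step over the newline (or past the end) */
    }
    return SCAN_OK;
}

int main(void)
{
    /* Constructed input: three lines, two of which contain 'x'. */
    static const char sample[] = "x\nyyy\nabcx";
    size_t hits;
    int rc = count_matching_lines(sample, sizeof sample - 1,
                                  (size_t)INT_MAX, has_x, &hits);
    printf("rc=%d hits=%zu\n", rc, hits);

    /* The PoC line: 2^31 bytes of 'x'. */
    size_t poc_len = (size_t)1 << 31;
    printf("2^31 as int: %d (fits in int: %s)\n", narrowed_len(poc_len),
           line_len_fits_int(poc_len) ? "yes" : "no");

    /* A limit below the longest line gives an error, not a crash. */
    rc = count_matching_lines(sample, sizeof sample - 1, 3, has_x, &hits);
    printf("with max_len=3: rc=%d\n", rc);
    return 0;
}
```

To compare against a real grep, the reporter's one-liner (`perl -e 'print "x"x(2**31)' | grep x > /dev/null`) needs more than 2 GiB of memory and a grep older than 2.11; a 2.11 or later grep either matches the line or prints an error, per the NEWS entry.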

information type: Private Security → Public Security
Karma Dorje (taaroa) on 2012-12-23
Changed in grep (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Thanks Joshua,

Kurt Seifried has expressed an interest in a reproducer, so if you have one available, please do attach it.

Joshua Rogers (megamansec) wrote :

perl -e 'print "x"x(2**31)' | grep x > /dev/null

Just run that, if that's what you mean by a "reproducer".

Karma Dorje (taaroa) wrote :

Joshua Rogers
> A full PoC of actually "abusing" this vulnerability (ls -la within grep) can be provided, if 100% needed.
We need it (full PoC).

Karma Dorje (taaroa) on 2012-12-28
tags: added: precise upgrade-software-version
Joshua Rogers (megamansec) wrote :

After more analysis, it may not be vulnerable to command execution.
Not sure.

Joshua Rogers (megamansec) wrote :

Under MORE analysis, it does appear to allow command execution, but I can't get the ls -la working.
I'm a noob at asm.

Jamie Strandboge (jdstrand) wrote :

This was fixed in 2.11-1, so Ubuntu 12.10 and 13.04 are not affected.

Changed in grep (Ubuntu Lucid):
status: New → Triaged
Changed in grep (Ubuntu Oneiric):
status: New → Triaged
Changed in grep (Ubuntu Precise):
status: New → Triaged
Changed in grep (Ubuntu Hardy):
status: New → Triaged
Changed in grep (Ubuntu Quantal):
status: New → Fix Released
Changed in grep (Ubuntu Raring):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against hardy is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in grep (Ubuntu Hardy):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in grep (Ubuntu Oneiric):
status: Triaged → Won't Fix