Re: slocate bug.

From: "jaytee@email.it" <jaytee@email.it>
Date: Thu, 14 Feb 2002 22:49:11 +0100
To: dotslash@snosoft.com

Same error on RedHat 7.2 kernel 2.4.17

> Here are the details on Mandrake Linux
>
> [elguapo@linux elguapo]$ ls -al `which slocate`
> -rwxr-sr-x 2 root slocate 24956 Apr 6 2001 /usr/bin/slocate*
> [elguapo@linux elguapo]$ uname -a
> Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
> [elguapo@linux elguapo]$ cat /etc/redhat-release
> Linux Mandrake release 8.0 (Traktopel) for i586
> [elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
> Segmentation fault
>
> (gdb) r -r `perl -e 'print "A" x 65026'`
> Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
> (no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x400eeb69 in regerror () from /lib/libc.so.6
> (gdb) bt
> #0 0x400eeb69 in regerror () from /lib/libc.so.6
> #1 0x0804aa99 in strcpy ()
>
> (gdb) i r
> eax 0x400 1024
> ecx 0xd 13
> edx 0x0 0
> ebx 0x40149f2c 1075093292
> esp 0xbffef8f0 0xbffef8f0
> ebp 0xbffef908 0xbffef908
> esi 0x40141304 1075057412
> edi 0x0 0
> eip 0x400eeb69 0x400eeb69
>
> -KF
> Ehud Tenenbaum wrote:
> >
> > Hey,
> >
> > It's a good time to announce that 2xs security LTD. decided to
> > create a research team in order to focus on finding new bugs;
> > furthermore, we managed to develop a security tool to discover
> > bugs/security flaws. In the near future, the tool itself will become
> > an open source project.
> >
> > slocate (Secure locate) comes with the default installation in Red Hat
> > Linux, suid to slocate.
> >
> > bash-2.05$ ls -al /usr/bin/slocate
> > -rwxr-sr-x 1 root slocate 20880 dec 18 2000 /usr/bin/slocate
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
> > Segmentation fault
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
> > [...] no segfault [...]
> >
> > We found a non-exploitable bug, which was pointed out by KoSak (Cabezon
> > Aurilien, aurelien.cabezon@isecurelabs.com).
> >
> > The segfault is due to a null pointer,
> > because regcomp() will return 0 when the buffer is bigger
> > than 65028 bytes -> then regerr() will be called, but the
> > programmer forgot to allocate his errbuf variable,
> > so it is called with errbuf=NULL. (See line 1193, main.c.)
> >
> > Should anyone have questions or comments, you can email us:
> >
> > analyzer@2xss.com
> > izik@2xss.com
> > mixter@2xss.com
> >
> > --
> > ------------
> > Ehud Tenenbaum
> > C.T.O & Project Manager
> > 2xs LTD.
> > Tel: 972-9-9519980
> > Fax: 972-9-9519982
> > E-Mail: ehud@2xss.com
> > ------------
> > Have A Safe Day
>

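Added example for the thread above; this is not slocate's main.c and not code posted by anyone in the thread. It reproduces the error-reporting pattern the report describes (regcomp() fails, regerror() is then called with an errbuf that was never allocated) in its safe form: query regerror() for the message size with a NULL buffer and size 0, which POSIX defines as a size query that writes nothing, allocate that many bytes, and only then format the message. The function names, the REG_EXTENDED flag and the test inputs ("[unterminated" and the 65026-byte run of "A") are my own choices. Whether a 65026-byte pattern still makes regcomp() fail depends on the libc in use (the thread's figure is for 2001-era glibc); the point is that either outcome is handled without writing through a NULL pointer.

```c
/* Added example, not slocate's code: safe regerror() handling after a
 * failed regcomp().  The crash in the thread has the shape
 *     char *errbuf = NULL;             (declared, never allocated)
 *     regerror(rc, &re, errbuf, 1024);
 * so regerror() copies the message to address 0 and the process dies
 * inside libc, exactly as the gdb backtrace shows. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern` into *preg.  Returns regcomp()'s status (0 on success).
 * On failure *msg points to a malloc()ed error string the caller frees;
 * on success *msg is NULL and the caller must regfree(preg). */
int compile_with_report(const char *pattern, regex_t *preg, char **msg)
{
    int rc;
    size_t need;

    *msg = NULL;
    rc = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        return 0;

    /* Size query: a NULL buffer with errbuf_size == 0 is the one legal way
     * to pass NULL.  regerror() writes nothing and returns the number of
     * bytes (NUL included) the message needs. */
    need = regerror(rc, preg, NULL, 0);
    *msg = malloc(need);
    if (*msg == NULL)
        return rc;          /* out of memory: report the code without a message */

    /* The buffer is real and sized from regerror()'s own answer, so the copy
     * cannot overflow it or land on a NULL pointer. */
    regerror(rc, preg, *msg, need);
    return rc;
}

/* Build the `perl -e 'print "A" x n'` argument from the report as a C string
 * (constructed input; assumption: a plain run of 'A' is the pattern of interest). */
char *make_long_pattern(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

int main(int argc, char **argv)
{
    regex_t re;
    char *msg;
    char *longpat = NULL;
    const char *pat;
    int rc;

    if (argc > 1) {
        pat = argv[1];
    } else {
        /* No argument: use the 65026-byte pattern from the report, falling
         * back to a guaranteed-invalid pattern if allocation fails. */
        longpat = make_long_pattern(65026);
        pat = longpat ? longpat : "[unterminated";
    }

    rc = compile_with_report(pat, &re, &msg);
    if (rc != 0) {
        fprintf(stderr, "regcomp failed (%d): %s\n", rc, msg ? msg : "(no memory)");
        free(msg);
    } else {
        printf("pattern of %zu bytes compiled\n", strlen(pat));
        regfree(&re);
    }
    free(longpat);
    return rc != 0;
}
```

Build with `cc -Wall -o regerr_demo regerr_demo.c` and run it with a pattern as the first argument (for example `./regerr_demo '['`) or with no argument to try the 65026-byte pattern from the thread. The two-call idiom (size query, allocate, format) is the fix the report is pointing at: the second regerror() call truncates to the size it is given, so even a wrongly sized buffer cannot overflow, but a NULL buffer with a non-zero size is simply a write to address 0.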

