slocate vulnerability

From: Adam Gilmore (agilmore@optusnet.com.au)
Date: 01/29/03

    From: "Adam Gilmore" <agilmore@optusnet.com.au>
    To: <vuln-dev@securityfocus.com>
    Date: Wed, 29 Jan 2003 22:49:22 +1000
    
    

    Below is an advisory on a buffer overflow in slocate 2.6.1.  I can’t
    replicate the same error in gdb as the advisory and I don’t believe it’s
    a buffer overflow at all.
     
    (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    warning: slocate: decode_db(): : No such file or directory
     
    Program received signal SIGSEGV, Segmentation fault.
    0x40079527 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0  0x40079527 in vfprintf () from /lib/libc.so.6
    #1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
    #2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s: decode_db(): %s: %s\n") at misc.c:149
    #3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>, str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
    #4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
    #5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
     
    As far as I can see, the error is because the function report_error is
    passed the pointer database, which is 0x19 (probably because the program
    couldn’t get the config file or whatnot parsed with -c).
     
    Anyone care to shed some light on the situation?
     
     
    __________________________________________________
     
    USG Security Advisory
    http://www.usg.org.uk/advisories/2003.001.txt
    inkubus@hushmail.com
    USG-SA-2003.001 24-Jan-2003
    __________________________________________________
     
    Package: slocate
    Vulnerability: local buffer overflow
    Type: local
    Risk: high, users can gain high privileges in the system.
    System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
    Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
     
    Description:
    According to research done by USG team members and Knight420, who
    informed us about this vulnerability a week earlier, there is a local
    buffer overflow in the slocate package shipped with most of the newer
    RedHat distributions. We have tested the vulnerability only in RedHat
    Linux 7.2 and 7.3, but we think that other Linux/*nix systems that
    provide the slocate package may be vulnerable too.
    The overflow appears when slocate is run with two parameters, -c and -r,
    using as arguments a 1024 (or 10240, as Knight420 has informed us
    earlier) byte string.
    [inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
    slocate-2.6-1
    -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
    [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    Segmentation fault
    [inkubus@USG audit]$ gdb /usr/bin/slocate
    GNU gdb Red Hat Linux (5.1.90CVS-5)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
    (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
    warning: You need to run the 'updatedb' command (as root) to create the database.
    warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
    warning: You need to run the 'updatedb' command (as root) to create the database.
    (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x42080b1b in strlen () from /lib/i686/libc.so.6
    (gdb)
     
    The exploitation is trivial; we have already coded a POC exploit that
    will be published to bugtraq in the next days.
    The author has been notified via: klindsay@mkintraweb.com
     
    -------------------------------------------------------------------
    inkubus@hushmail.com
    Resistance is futile, you will be assimilated.
    -------------------------------------------------------------------
    EOF
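As an added illustration (not slocate's code, and not from either poster), here is a hypothetical C mirror of the report_error()/decode_db() call chain in the backtrace above: it shows why an invalid `database` pointer handed to a "%s" format faults inside libc rather than in the program's own buffers, and the NULL contract that keeps such a pointer out of the formatter. The names report_error, decode_db_checked and last_message, and the sample path, are assumptions.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Last formatted message, kept so callers (and tests) can inspect it. */
static char last_msg[256];
const char *last_message(void) { return last_msg; }

/* Hypothetical stand-in for slocate's report_error() (name and arity from the
 * backtrace, body is ours). vsnprintf() cannot overflow last_msg, but each
 * "%s" argument is walked with strlen(), so a garbage pointer such as 0x19
 * faults inside libc, matching frames #0-#2 of the trace. */
static int report_error(int status, int quiet, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(last_msg, sizeof last_msg, format, ap);
    va_end(ap);
    if (!quiet)
        fputs(last_msg, stderr);
    return status;
}

/* Hardened mirror of decode_db(): callers set `database` to NULL whenever -c
 * parsing fails, and this function refuses to pass NULL to "%s". C cannot
 * recognise an uninitialised pointer after the fact, so "unset means NULL"
 * is the contract, checked before anything is formatted.
 * Returns 0 on success, 1 if the database cannot be opened, -1 on bad args. */
int decode_db_checked(const char *database, const char *str)
{
    if (database == NULL || str == NULL)
        return report_error(-1, 1, "%s: decode_db(): database or pattern unset\n",
                            "slocate");
    FILE *db = fopen(database, "rb");
    if (db == NULL)   /* same message shape as the trace, now with valid strings */
        return report_error(1, 1, "%s: decode_db(): %s: %s\n",
                            "slocate", database, strerror(errno));
    fclose(db);       /* the real database decoding would follow here */
    return 0;
}

int main(void)
{   /* Constructed inputs: an unset database pointer, then a path that does not exist. */
    decode_db_checked(NULL, "AAAA");
    puts(last_message());
    decode_db_checked("/nonexistent/constructed/slocate.db", "AAAA");
    puts(last_message());
    return 0;
}
```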
     
     
     


