Re: slocate vulnerability
From: j0ker (j0ker@olives.ath.cx)
Date: 01/29/03
- Previous message: cdowns: "Re: slocate vulnerability"
- In reply to: cdowns: "Re: slocate vulnerability"
- Next in thread: Barry K. Nathan: "Re: slocate vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Jan 2003 16:57:25 -0600 From: j0ker <j0ker@olives.ath.cx> To: vuln-dev@securityfocus.com
I was worried I was the only one, but don't have enough experience to
write here and be the first to say. In fact, I have found that using
slocate -c something -r something ALWAYS yields a Segmentation Fault in
version 2.6 on my box at least.
-- j0ker
cdowns wrote:
> I as well was playing around with this and am getting the same results
> you are.
>
> ~!>D
>
> Adam Gilmore wrote:
>
>> Below is an advisory on a buffer overflow in slocate 2.6.1. I can’t
>> replicate the same error in gdb as the advisory and I don’t believe it’s
>> a buffer overflow at all.
>>
>> (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x
>> 1024"`
>> Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print
>> 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> warning: slocate: decode_db(): : No such file or directory
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x40079527 in vfprintf () from /lib/libc.so.6
>> (gdb) bt
>> #0 0x40079527 in vfprintf () from /lib/libc.so.6
>> #1 0x4009ab43 in vsnprintf () from /lib/libc.so.6
>> #2 0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s:
>> decode_db(): %s: %s\n") at misc.c:149
>> #3 0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>,
>> str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
>> #4 0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
>> #5 0x4003e280 in __libc_start_main () from /lib/libc.so.6
>>
>> As far as I can see, the error is because the function report_error is
>> passed the pointer database which is 0x19 (probably because the program
>> couldn't get the config file or what not parsed with -c).
>>
>> Anyone care to shed some light on the situation?
>>
>>
>> __________________________________________________
>> USG Security Advisory http://www.usg.org.uk/advisories/2003.001.txt
>> inkubus@hushmail.com USG-SA-2003.001 24-Jan-2003
>> __________________________________________________
>> Package: slocate
>> Vulnerability: local buffer overflow
>> Type: local
>> Risk: high, users can gain high privileges in the system.
>> System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
>> Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
>> Description: According to research done by USG team members and
>> Knight420, who informed us about this vulnerability a week earlier, there
>> is a local buffer overflow in the slocate package shipped with the most
>> newer RedHat distributions. We have tested the vulnerability only in
>> RedHat Linux 7.2 and 7.3, but we think that other Linux/*nix systems that
>> provide the slocate package may be vulnerable too. The overflow appears
>> when slocate is run with two parameters, -c and -r, using as arguments
>> a 1024 (or 10240, as Knight420 has informed us earlier) bytes string.
>>
>> [inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
>> slocate-2.6-1
>> -rwxr-sr-x 1 root slocate 25020 Jun 25 2001 /usr/bin/slocate
>>
>> [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> Segmentation fault
>> [inkubus@USG audit]$ gdb /usr/bin/slocate
>> GNU gdb Red Hat Linux (5.1.90CVS-5)
>> Copyright 2002 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
>> (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
>> warning: You need to run the 'updatedb' command (as root) to create the database.
>> warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
>> warning: You need to run the 'updatedb' command (as root) to create the database.
>> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x42080b1b in strlen () from /lib/i686/libc.so.6
>> (gdb)
>>
>> The exploitation is trivial, we have coded already a POC exploit that
>> will be published to the bugtraq next days. The author has been notified
>> via: klindsay@mkintraweb.com
>> -------------------------------------------------------------------
>> inkubus@hushmail.com Resistance is futile, you will be assimilated.
>> ------------------------------------------------------------------- EOF
>>
>
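The diagnosis in Adam's backtrace, a bounded vsnprintf() falling over on a %s argument that never pointed at a string rather than a buffer overflow, worked through in C. This is an added example for this thread, not code from slocate or from any poster; `report_error_bounded`, `str_or_marker`, `decode_db_error`, the 256-byte buffer size and the use of NULL in place of the stray 0x19 pointer are assumptions of the illustration, and only the format string is taken from frame #2 of the backtrace above.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the message buffer; an assumption for this illustration, not
 * the size used in slocate's misc.c. */
#define REPORT_BUF 256

/* Hypothetical stand-in for a report_error()-style helper: formats into a
 * fixed buffer with vsnprintf(), which never writes past outsz bytes and
 * always NUL-terminates. Returns the length the full message would have
 * had, so a caller can see when truncation happened. */
int report_error_bounded(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int wanted = vsnprintf(out, outsz, format, ap);
    va_end(ap);
    return wanted;
}

/* vfprintf() dereferences every %s argument; in the thread's backtrace that
 * argument was database=0x19, a pointer that never held a string. The
 * defence belongs on the caller's side: never hand an unset pointer to %s. */
const char *str_or_marker(const char *s)
{
    return s ? s : "(unset)";
}

/* Models decode_db()'s error path. NULL stands in for the stray 0x19 seen in
 * the report; the format string is the one from frame #2 of the backtrace. */
int decode_db_error(char *out, size_t outsz, const char *database, const char *str)
{
    return report_error_bounded(out, outsz, "%s: decode_db(): %s: %s\n",
                                "slocate", str_or_marker(database),
                                str_or_marker(str));
}

/* Reproduces the thread's input (1024 bytes of 'A' as the -r argument) and
 * checks, via a canary placed directly after the buffer, that the bounded
 * formatter truncates instead of overflowing. Returns 1 on success. */
int long_argument_does_not_overflow(void)
{
    struct { char buf[REPORT_BUF]; unsigned char canary[8]; } s;
    char big[1025];                 /* constructed: perl -e "print 'A' x 1024" */

    memset(s.canary, 0x5a, sizeof s.canary);
    memset(big, 'A', 1024);
    big[1024] = '\0';

    int wanted = decode_db_error(s.buf, sizeof s.buf, NULL, big);

    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0x5a)
            return 0;               /* buffer was overrun */

    /* 7 + 2 + 13 + 7 + 2 + 1024 + 1 bytes wanted; only REPORT_BUF-1 stored */
    return wanted == 1056 && strlen(s.buf) == REPORT_BUF - 1;
}

/* Shows the substituted marker reaching the message instead of a crash. */
int marker_replaces_missing_database(void)
{
    char out[REPORT_BUF];
    decode_db_error(out, sizeof out, NULL, "slocate.db");
    return strcmp(out, "slocate: decode_db(): (unset): slocate.db\n") == 0;
}

int main(void)
{
    printf("bounded formatter overflow check: %s\n",
           long_argument_does_not_overflow() ? "no overflow" : "OVERFLOW");
    printf("marker for unset pointer: %s\n",
           marker_replaces_missing_database() ? "ok" : "mismatch");
    return 0;
}
```

The canary check is what separates the two hypotheses in the thread: a 1024-byte argument is silently truncated by vsnprintf() and leaves the bytes after the buffer untouched, so the SIGSEGV inside vfprintf()/strlen() in both gdb sessions is consistent with an uninitialised pointer reaching %s, which is the reading Adam gives, and not with a stack overwrite.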