Re: slocate vulnerability
From: Gregory Duchemin (c3rb3r@hotmail.com)
Date: 02/02/03
- Previous message: Dave Aitel: "locator exploit"
Date: 2 Feb 2003 19:46:32 -0000
From: Gregory Duchemin <c3rb3r@hotmail.com>
To: vuln-dev@securityfocus.com
In-Reply-To: <001101c2c794$d8e308c0$fb3331d2@ADAM>
hello list
for the sole purpose of completeness, another sig11 occurs when calling
slocate 2.6.1 with -r `perl -e "print stdout a x 655026"`; such a big
regex forces regcomp (from the GNU regex lib) to return an error code and
slocate to call regerror with errbuf as its third parameter. Because slocate
omits to malloc any memory for errbuf but claims it has 1024 chars, and
regerror doesn't check errbuf, regerror tries to write to a null pointer and
simply crashes with a segmentation violation. But segfaults are not always
symptoms of buffer overflows; indeed, here the reason is precisely a lack of
buffer.
cheers.
Gregory
>
>Below is an advisory on a buffer overflow in slocate 2.6.1. I can't
>replicate the same error in gdb as the advisory and I don't believe it's
>a buffer overflow at all.
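The regerror() misuse described in the message above, shown as an added example that is not slocate's code and not part of the original post. The unsafe call (a NULL errbuf with a claimed size of 1024) is left in a comment because executing it crashes exactly as the message says; the function below shows the correct two-step idiom instead: ask regerror() for the required size with a NULL buffer and size 0, then allocate and call it again. The failing pattern "[" (an unterminated bracket expression) is a constructed input chosen because it fails deterministically, unlike the 655026-character pattern from the post, whose outcome depends on the regex implementation's limits.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern` into *preg. On success return NULL (the caller
 * later calls regfree). On failure return a heap-allocated error
 * message sized exactly as regerror() requested (the caller frees it). */
static char *compile_or_explain(regex_t *preg, const char *pattern)
{
    int rc = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        return NULL;

    /* What slocate 2.6.1 did, per the message: errbuf was never
     * allocated, yet regerror() was told it held 1024 bytes. regerror()
     * has no way to check the pointer and writes through NULL -> SIGSEGV.
     * Deliberately NOT executed here:
     *
     *     char *errbuf = NULL;
     *     regerror(rc, preg, errbuf, 1024);
     *
     * Correct: with a NULL buffer and size 0, regerror() only reports the
     * number of bytes the message needs, including the terminating NUL. */
    size_t need = regerror(rc, preg, NULL, 0);
    char *msg = malloc(need);
    if (msg == NULL)
        return NULL; /* allocation failure; caller sees "no message" */

    /* Second call with a real buffer of the reported size. The return
     * value is again the needed size; if it exceeded `need` the message
     * would be truncated, which cannot happen here by construction. */
    size_t written = regerror(rc, preg, msg, need);
    if (written > need)
        msg[need - 1] = '\0'; /* defensive: guarantee NUL termination */
    return msg;
}

/* Convenience wrapper for the test: 1 if `pattern` compiles, else 0. */
static int pattern_compiles(const char *pattern)
{
    regex_t re;
    char *msg = compile_or_explain(&re, pattern);
    if (msg == NULL) {
        regfree(&re);
        return 1;
    }
    free(msg);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid ERE, one with an unterminated '['. */
    const char *patterns[] = { "^foo.*bar$", "[" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        regex_t re;
        char *msg = compile_or_explain(&re, patterns[i]);
        if (msg == NULL) {
            printf("%-12s compiled OK\n", patterns[i]);
            regfree(&re);
        } else {
            printf("%-12s regcomp failed: %s\n", patterns[i], msg);
            free(msg);
        }
    }
    return 0;
}
```

The same fix can be made with a stack buffer, as long as the size passed matches the storage that actually exists (`char errbuf[1024]; regerror(rc, &re, errbuf, sizeof errbuf);`); the point of the message is that the bug is a missing buffer, not an overflowed one, and either form of providing real storage removes the crash.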
- Next message: NetNinja: "Windows reverse Shell"