Re: BASH buffer overflow, LiNUX x86 exploit

From: J. Joseph Max Katz (jkatzat_private)
Date: Sat Sep 19 1998 - 22:48:46 PDT


    Hmmmmmm, locate.
    
    Long filenames affect locate on all platforms. One of the places
    where I contract uses locate regularly on SunOS, AIX, Solaris and
    HP/UX.  On most if not all of those platforms, locate seg faults
    on large file names.
    
    -Jon
    
    me ---> ()   () <-- Gale
           _[]_._)(_
      /^\/  |     |  \/^\   So what? ASCII can't do my car justice.
      |*||  |  O  |  ||*|   Jonathan Katz, CEO CPIO Networks, Inc.
      [o]|  |  o  |  |[o]   (408) 569-7092 [ ] jkatzat_private
      \_/ \---------/ \_/   http://www.cpio.net [ ] "offering OpenBSD
     <|=| -[58vette]- |=|>   technical support, on-site Unix and
      |=|             |=|    network security services and training."
    
    On Sat, 19 Sep 1998, Crispin Cowan wrote:
    
    :Date: Sat, 19 Sep 1998 19:14:06 -0700
    :From: Crispin Cowan <crispinat_private>
    :To: BUGTRAQat_private
    :Subject: Re: BASH buffer overflow, LiNUX x86 exploit
    :
    :While experimenting with MiG's exploit, I've discovered another ramification of this form of
    :vulnerability: the locate facility.  If you leave the huge directory tree that this exploit
    :builds lying around over night, and you have locate installed in your crontab (default in Red
    :Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
    :Result:  if root uses locate to find something (very common while sysadmin is trying to
    :fix/find something) then the attacker may get root privs via the locate command.
    :
    :Related question:  I have been unable to get MiG's exploit to work.  I have RH 5.1 installed,
    :but I made sure to get bash 1.14.7(1) to test it.  It builds the big nasty directory tree, but
    :cd'ing to it as instructed just produces a seg fault.
    
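Both posts above concern a directory tree whose pathnames grow past what locate (and bash's cwd handling) can cope with. As an added example, written for this archive page and not code from either poster, here is a defender-side Python scanner that lists every entry under a root whose pathname exceeds the 4095 characters Linux PATH_MAX permits; it opens each directory relative to its parent's descriptor so the scan itself does not fail with ENAMETOOLONG on exactly the tree it is looking for. The 25-level test tree of 200-character names, the 4095 limit, and the function names are assumptions for the demonstration.

```python
import os
import tempfile

def scan_for_long_paths(root, limit=4095):
    """Return [(path_relative_to_root, length)] for entries whose pathname is
    longer than limit (4095: the most Linux PATH_MAX allows). Directories are
    opened relative to their parent's descriptor, so the walk keeps going past
    the depth at which full-pathname tools fail with ENAMETOOLONG."""
    hits = []
    stack = [(os.open(root, os.O_RDONLY | os.O_DIRECTORY), "")]
    try:
        while stack:
            fd, rel = stack.pop()
            try:
                with os.scandir(fd) as entries:  # scandir works on a dup of fd
                    for entry in entries:
                        path = os.path.join(rel, entry.name)
                        if len(path) > limit:
                            hits.append((path, len(path)))
                        if entry.is_dir(follow_symlinks=False):
                            try:
                                stack.append((os.open(entry.name, os.O_RDONLY | os.O_DIRECTORY, dir_fd=fd), path))
                            except OSError:
                                pass  # unreadable directory: skip it, keep scanning
            finally:
                os.close(fd)
    finally:
        for fd, _ in stack:  # only non-empty if an error aborted the walk
            os.close(fd)
    return hits

def build_deep_tree(root, depth, name):
    """Constructed test data: `depth` nested directories all called `name`, made
    one component at a time via dir_fd (os.makedirs fails once past PATH_MAX)."""
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for _ in range(depth):
            os.mkdir(name, dir_fd=fd)
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY, dir_fd=fd)
            os.close(fd)
            fd = nxt
    finally:
        os.close(fd)

def demo(depth=25, component="a" * 200):
    """Build the constructed tree, scan it, clean up; return (hits, longest)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_deep_tree(tmp, depth, component)
        hits = scan_for_long_paths(tmp)
    return len(hits), max((n for _, n in hits), default=0)
```

Each level adds 201 characters to the relative path, so levels 21 through 25 of the constructed tree exceed the limit; the reported lengths are relative to the scanned root, so add the root's own length to compare against an absolute pathname.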



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:10 PDT