Hmmmmmm, locate. Long filenames affect locate on all platforms. One of the places where I contract uses locate regularly on SunOS, AIX, Solaris and HP/UX. On most if not all of those platforms, locate seg faults on large file names.

-Jon

So what? ASCII can't do my car justice.
Jonathan Katz, CEO
CPIO Networks, Inc.
(408) 569-7092
jkatzat_private
http://www.cpio.net
"offering OpenBSD technical support, on-site Unix and network security services and training."

On Sat, 19 Sep 1998, Crispin Cowan wrote:

:Date: Sat, 19 Sep 1998 19:14:06 -0700
:From: Crispin Cowan <crispinat_private>
:To: BUGTRAQat_private
:Subject: Re: BASH buffer overflow, LiNUX x86 exploit
:
:While experimenting with MiG's exploit, I've discovered another ramification of this form of
:vulnerability: the locate facility. If you leave the huge directory tree that this exploit
:builds lying around over night, and you have locate installed in your crontab (default in Red
:Hat Linux) then it builds a locate database entry that causes the locate command to seg fault.
:Result: if root uses locate to find something (very common while sysadmin is trying to
:fix/find something) then the attacker may get root privs via the locate command.
:
:Related question: I have been unable to get MiG's exploit to work. I have RH 5.1 installed,
:but I made sure to get bash 1.14.7(1) to test it. It builds the big nasty directory tree, but
:cd'ing to it as instructed just produces a seg fault.
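A defender-side check for the condition Crispin describes, added here as an example and not part of either post: it walks a tree with fd-relative calls (so it can continue past PATH_MAX, where an absolute-path walk stops with ENAMETOOLONG) and counts entries whose full pathname reaches PATH_MAX, so an admin can find such a tree before an overnight updatedb run indexes it. The 4096-byte PATH_MAX, the constructed fixture and the function names are assumptions.

```python
import os
import tempfile
# Assumption: Linux PATH_MAX. Entries at or past this length are the oversized
# records an overnight updatedb run would feed into the locate database.
PATH_MAX = 4096
O_DIR = os.O_RDONLY | os.O_DIRECTORY

def scan_long_paths(root, limit=PATH_MAX):
    """Return (longest absolute path length under root, count of entries >= limit).
    fd-relative calls keep walking past PATH_MAX, where os.walk(root) stops."""
    root = os.path.abspath(root)
    longest, over = len(root), 0

    def walk(dir_fd, path_len):
        nonlocal longest, over
        with os.scandir(dir_fd) as it:  # yields names relative to dir_fd
            entries = [(e.name, e.is_dir(follow_symlinks=False)) for e in it]
        for name, is_dir in entries:
            child_len = path_len + 1 + len(name)  # +1 for the '/' separator
            longest = max(longest, child_len)
            over += int(child_len >= limit)
            if is_dir:
                fd = os.open(name, O_DIR, dir_fd=dir_fd)
                try:
                    walk(fd, child_len)
                finally:
                    os.close(fd)

    fd = os.open(root, O_DIR)
    try:
        walk(fd, len(root))
    finally:
        os.close(fd)
    return longest, over

def build_nested_tree(base, depth, name_len=200):
    """Constructed fixture: `depth` nested dirs with name_len-char names (under
    NAME_MAX), created fd-relative so the chain can grow past PATH_MAX."""
    fd = os.open(base, O_DIR)
    for _ in range(depth):
        os.mkdir("A" * name_len, dir_fd=fd)
        fd, old = os.open("A" * name_len, O_DIR, dir_fd=fd), fd
        os.close(old)
    os.close(fd)

def scan_demo(depth=30, name_len=200):
    """Build the fixture in a temp dir and scan it: (root_len, longest, over)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_nested_tree(tmp, depth, name_len)
        return (len(os.path.abspath(tmp)),) + scan_long_paths(tmp)
```

With the default fixture the leaf sits about 6000 characters deep, well past a 4096-byte PATH_MAX, and the scan still reaches it.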
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:10 PDT