Re: Locate overflow / Promiscuous mode / Posting tips

From: Crispin Cowan (crispinat_private)
Date: Sun Sep 20 1998 - 11:06:37 PDT

    David J. Meltzer wrote:
    
    > The overflow in locate was reported to bugtraq at least on 3/6/98 by
    > Michal Zalewski (http://www.geek-girl.com/bugtraq/1998_1/0351.html).
    
    Thanks for the reference.  And your point about researching before posting is
    well-taken, so I did some this time.
    
    There have been several vulnerabilities associated with locate:
    
       * It reads everyone's private files, so you can see their file names.  Fixed
         long ago.
       * There is a race condition in updatedb that allows the attacker to corrupt
         the /var/lib/locatedb file.  The primary vulnerability allowed you to trick
         updatedb into creating a world-writable root-owned file.  However, it also
         allowed you to corrupt the locatedb file by filling it with junk, causing a
         seg fault in the locate command.
    
    The vulnerability I reported is new:  you create a completely legitimate (if
    rather pathological) directory tree, and wait for the updatedb program to index
    it.  The updatedb runs to completion, is not interfered with, and has produced a
    perfectly legitimate locatedb file, save that one of its entries is very
    large.  Only the locate command is affected, which seg faults when run against
    this locatedb file.
    
    I call this vulnerability "new" because the previous vulnerability (presumably)
    has been fixed, and my locate 4.1 is still vulnerable to this problem.
    
    Work-around:  don't run 'locate' as root.  Instead, use a lower-privilege shell
    when trying to locate things.
    
    StackGuard:  Unfortunately, it appears that the overflows in bash and locate are
    unaffected by StackGuard protection.  Without looking at the source, I'm
    guessing that the buffers that are being overflowed are heap buffers.
    StackGuard IS effective in protecting tcsh from this attack:  tcsh dies with a
    stackguard warning when it tries to cd into MiG's pathological directory tree.
    
    Anyone have a long-path exploit for tcsh handy?  I have not been able to find
    one.
    
    Crispin
    -----
     Crispin Cowan, Research Assistant Professor of Computer Science, OGI
        NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
           http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    
                     Support Justice:  Boycott Windows 98
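The failure mode described in the message above is a consumer that trusts the length of a database entry. The following added example (not code from the post or from GNU findutils) shows a bounded entry reader over a constructed, simplified newline-separated path list: an entry longer than the destination buffer is reported and skipped rather than copied. The real locatedb uses a front-compressed encoding, which this example does not model; `next_entry`, `count_oversized` and the sample data are hypothetical names and constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Result of reading one entry from the simplified database stream. */
enum entry_status { ENTRY_OK = 0, ENTRY_TOO_LONG = 1, ENTRY_END = 2 };

/* Copy the next newline-terminated entry of db[*pos..len) into out
 * (capacity cap). Never writes past out: an entry of cap or more bytes
 * is consumed but reported as too long instead of being copied. */
enum entry_status next_entry(const char *db, size_t len, size_t *pos,
                             char *out, size_t cap)
{
    if (*pos >= len) return ENTRY_END;
    const char *start = db + *pos;
    const char *nl = memchr(start, '\n', len - *pos);
    size_t n = nl ? (size_t)(nl - start) : len - *pos;
    *pos += n + (nl ? 1 : 0);          /* advance past the entry (and newline) */
    if (n >= cap) { out[0] = '\0'; return ENTRY_TOO_LONG; }
    memcpy(out, start, n);
    out[n] = '\0';
    return ENTRY_OK;
}

/* Count entries that would not fit a PATH_MAX-sized buffer. */
size_t count_oversized(const char *db, size_t len)
{
    char buf[PATH_MAX];
    size_t pos = 0, bad = 0;
    enum entry_status st;
    while ((st = next_entry(db, len, &pos, buf, sizeof buf)) != ENTRY_END)
        if (st == ENTRY_TOO_LONG) bad++;
    return bad;
}

/* Constructed sample: two ordinary entries around one 5000-byte path,
 * the kind of entry updatedb would record from a very deep tree. */
#define SAMPLE_LONG 5000
static char sample_db[32 + SAMPLE_LONG + 32];

size_t demo_oversized(void)
{
    size_t n = (size_t)sprintf(sample_db, "/etc/passwd\n/tmp/");
    memset(sample_db + n, 'a', SAMPLE_LONG);
    n += SAMPLE_LONG;
    n += (size_t)sprintf(sample_db + n, "\n/usr/bin/locate\n");
    return count_oversized(sample_db, n);   /* 1 oversized entry */
}
```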
    