Hey,

It's a good time to announce that 2xs security LTD. decided to create a research team in order to focus on finding new bugs; furthermore, we managed to develop a security tool to discover bugs/security flaws. In the near future, the tool itself will become an open source project.

slocate (Secure locate) comes with the default installation in redhat linux suid to slocate.

bash-2.05$ ls -al /usr/bin/slocate
-rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate
bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault
bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
[...] no segfault [...]

We found a non-exploitable bug, which was pointed out by KoSak (Cabezon Aurélien aurelien.cabezonat_private): the segfault is due to a null pointer, because regcomp() will return 0 when the buffer is bigger than 65028 bytes -> then regerr() will be called, but the programmer forgot to allocate his errbuf variable, so it is called with errbuf=NULL. (See line 1193, main.c).

Should anyone have questions or comments, you can email us:
analyzerat_private
izikat_private
mixterat_private

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehudat_private
------------
Have A Safe Day
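The defect described in the post is a regcomp() failure whose error path hands regerror() a buffer that was never allocated. The following is an added example, written for this archive page and not taken from slocate's main.c or from the 2xs tool, showing the defensive pattern a program handling user-supplied patterns should use: check the regcomp() return code, ask regerror() for the message size with a NULL buffer, allocate that much, and only then retrieve the text. The helper names (compile_pattern, pattern_matches, long_pattern_is_handled) and the use of an extended-syntax, match-only regex are assumptions for the example; the 65026-character probe mirrors the post's crash input but whether a given libc accepts it is not asserted, only that the error path cannot dereference NULL.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not slocate's code): compile `pattern` into `re`.
 * Returns 0 on success with *errmsg == NULL. On failure returns the regcomp()
 * error code and stores a malloc'ed message in *errmsg (caller frees it),
 * or NULL if even that allocation failed. */
int compile_pattern(const char *pattern, regex_t *re, char **errmsg)
{
    *errmsg = NULL;
    int rc = regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        return 0;

    /* POSIX: a NULL buffer of size 0 makes regerror() report the size the
     * message needs, including the terminating NUL. Allocate exactly that
     * instead of writing through an uninitialised or NULL errbuf. */
    size_t need = regerror(rc, re, NULL, 0);
    char *buf = malloc(need);
    if (buf == NULL)
        return rc;            /* still signal failure, just without text */
    regerror(rc, re, buf, need);
    *errmsg = buf;
    return rc;
}

/* Returns 1 if `pattern` compiles and matches `text`, 0 if it compiles but
 * does not match, -1 if the pattern is rejected (message printed to stderr). */
int pattern_matches(const char *pattern, const char *text)
{
    regex_t re;
    char *err = NULL;
    if (compile_pattern(pattern, &re, &err) != 0) {
        fprintf(stderr, "bad pattern '%s': %s\n", pattern,
                err ? err : "(no message)");
        free(err);            /* free(NULL) is a no-op */
        return -1;            /* regfree() is not called on a failed regcomp() */
    }
    int rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Constructed probe in the spirit of the post's `perl -e 'print "A" x N'`:
 * build a pattern of N 'A's and confirm the compile path either succeeds or
 * fails with a usable message. Returns 1 when handled safely, 0 otherwise. */
int long_pattern_is_handled(size_t n)
{
    char *pat = malloc(n + 1);
    if (pat == NULL)
        return 0;
    memset(pat, 'A', n);
    pat[n] = '\0';

    regex_t re;
    char *err = NULL;
    int rc = compile_pattern(pat, &re, &err);
    int ok;
    if (rc == 0) {
        ok = (err == NULL);
        regfree(&re);
    } else {
        ok = (err != NULL && err[0] != '\0');
        free(err);
    }
    free(pat);
    return ok;
}

int main(void)
{
    printf("match: %d\n", pattern_matches("^foo.*bar$", "foobazbar"));
    printf("no match: %d\n", pattern_matches("^foo.*bar$", "barfoo"));
    printf("bad pattern: %d\n", pattern_matches("a(", "anything"));
    printf("65026 A's handled safely: %d\n", long_pattern_is_handled(65026));
    return 0;
}
```

The two-call regerror() idiom is the portable way to size the message buffer; a fixed-size stack buffer also works as long as it actually exists and its length is passed, which is the part the post says was missing.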
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 08:17:31 PST