Heres the details on Mandrake Linux [elguapo@linux elguapo]$ ls -al `which slocate` -rwxr-sr-x 2 root slocate 24956 Apr 6 2001 /usr/bin/slocate* [elguapo@linux elguapo]$ uname -a Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown [elguapo@linux elguapo]$ cat /etc/redhat-release Linux Mandrake release 8.0 (Traktopel) for i586 [elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'` Segmentation fault (gdb) r -r `perl -e 'print "A" x 65026'` Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'` (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x400eeb69 in regerror () from /lib/libc.so.6 (gdb) bt #0 0x400eeb69 in regerror () from /lib/libc.so.6 #1 0x0804aa99 in strcpy () gdb) i r eax 0x400 1024 ecx 0xd 13 edx 0x0 0 ebx 0x40149f2c 1075093292 esp 0xbffef8f0 0xbffef8f0 ebp 0xbffef908 0xbffef908 esi 0x40141304 1075057412 edi 0x0 0 eip 0x400eeb69 0x400eeb69 -KF Ehud Tenenbaum wrote: > > Hey, > > Its a good time to announce that 2xs security LTD. decided to > create a research team in order to focus on finding new bugs, > further more we managed to develop a security tool to discover > bugs/security flaws. In the near future, the tool itself will became > an open source project. > > slocate (Secure locate) coming with the default installation in redhat > linux suid to slocate. > > bash-2.05$ ls -al /usr/bin/slocate > -rwxr-sr-x 1 root slocate 20880 dec 18 2000 /usr/bin/slocate > > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'` > Segmentation fault > > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'` > [...] no segfault [...] > > We found non exploitble bug which pointed out by KoSak (Cabezon Aurilien > aurelien.cabezonat_private) > > the segfault is due to a null pointer, > because regcomp() will return 0 when the buffer is bigger > than 65028 bytes -> then, regerr() will be called but the > programmer forgot to allocate his errbuf variable, > so it is called with errbuf=NULL. (See line 1193, main.c). > > should anyone have questions or comments you can email us: > > analyzerat_private > izikat_private > mixterat_private > > -- > ------------ > Ehud Tenenbaum > C.T.O & Project Manager > 2xs LTD. > Tel: 972-9-9519980 > Fax: 972-9-9519982 > E-Mail: ehudat_private > ------------ > Have A Safe Day
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 13:36:49 PST