Re: slocate bug.

From: KF (dotslashat_private)
Date: Thu Feb 14 2002 - 08:39:17 PST


    Here are the details on Mandrake Linux:
    
    [elguapo@linux elguapo]$ ls -al `which slocate`
    -rwxr-sr-x    2 root     slocate     24956 Apr  6  2001
    /usr/bin/slocate*
    [elguapo@linux elguapo]$ uname -a
    Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686
    unknown
    [elguapo@linux elguapo]$ cat /etc/redhat-release
    Linux Mandrake release 8.0 (Traktopel) for i586
    [elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
    Segmentation fault
    
    (gdb) r -r `perl -e 'print "A" x 65026'`
    Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
    (no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x400eeb69 in regerror () from /lib/libc.so.6
    (gdb) bt
    #0  0x400eeb69 in regerror () from /lib/libc.so.6
    #1  0x0804aa99 in strcpy ()
    
    (gdb) i r
    eax            0x400    1024
    ecx            0xd      13
    edx            0x0      0
    ebx            0x40149f2c       1075093292
    esp            0xbffef8f0       0xbffef8f0
    ebp            0xbffef908       0xbffef908
    esi            0x40141304       1075057412
    edi            0x0      0
    eip            0x400eeb69       0x400eeb69
    
    -KF
    Ehud Tenenbaum wrote:
    > 
    > Hey,
    > 
    > It's a good time to announce that 2xs security LTD. decided to
    > create a research team in order to focus on finding new bugs;
    > furthermore, we managed to develop a security tool to discover
    > bugs/security flaws. In the near future, the tool itself will become
    > an open source project.
    > 
    > slocate (Secure locate) comes with the default installation in redhat
    > linux, suid to slocate.
    > 
    > bash-2.05$ ls -al /usr/bin/slocate
    > -rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate
    > 
    > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
    > Segmentation fault
    > 
    > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
    > [...] no segfault [...]
    > 
    > We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurelien,
    > aurelien.cabezonat_private).
    > 
    > The segfault is due to a null pointer,
    > because regcomp() will return 0 when the buffer is bigger
    > than 65028 bytes -> then regerr() will be called, but the
    > programmer forgot to allocate his errbuf variable,
    > so it is called with errbuf=NULL. (See line 1193, main.c.)
    > 
    > Should anyone have questions or comments, you can email us:
    > 
    > analyzerat_private
    > izikat_private
    > mixterat_private
    > 
    > --
    > ------------
    > Ehud Tenenbaum
    > C.T.O & Project Manager
    > 2xs LTD.
    > Tel: 972-9-9519980
    > Fax: 972-9-9519982
    > E-Mail: ehudat_private
    > ------------
    >                                  Have A Safe Day
    
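The errbuf mistake described in the quoted message (the compile error message written into a buffer that was never allocated), shown beside the safe pattern in an added C example; this is not code from the original post or from slocate, and the function names, the 4096-byte length limit and the status codes are my own assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy limit for this example; slocate had no such check. */
#define MAX_PATTERN_LEN 4096
#define ERR_TOO_LONG    (-1)

/* Compiles `pattern` into `preg`. Returns 0 on success (caller must regfree).
 * On failure returns a nonzero code and, if memory allows, stores a malloc'd
 * message in *msg_out (caller frees). The error text goes into storage that
 * is sized and allocated first, never into an unallocated errbuf. */
int compile_pattern(const char *pattern, regex_t *preg, char **msg_out)
{
    *msg_out = NULL;
    size_t len = strlen(pattern);
    if (len > MAX_PATTERN_LEN) {
        *msg_out = malloc(64);
        if (*msg_out)
            snprintf(*msg_out, 64, "pattern too long: %zu bytes", len);
        return ERR_TOO_LONG;
    }
    int err = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    if (err == 0)
        return 0;
    /* With errbuf_size 0, regerror() writes nothing and returns how many
     * bytes (NUL included) the message needs; allocate exactly that. */
    size_t need = regerror(err, preg, NULL, 0);
    *msg_out = malloc(need);
    if (*msg_out)
        regerror(err, preg, *msg_out, need);
    return err;
}

/* Mirrors the report's test input, a pattern of n 'A's, and returns the
 * compile_pattern() status (-2 if the pattern itself cannot be allocated). */
int check_repeated_a(size_t n)
{
    char *pat = malloc(n + 1);
    if (!pat) return -2;
    memset(pat, 'A', n);
    pat[n] = '\0';
    regex_t re; char *msg = NULL;
    int rc = compile_pattern(pat, &re, &msg);
    if (rc == 0) regfree(&re);
    free(msg); free(pat);
    return rc;
}
```

A fixed-size stack buffer passed with its real size works just as well, since regerror() truncates to errbuf_size; the only unsafe combination is a NULL or undersized buffer with a nonzero size.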