Re: slocate bug.

From: jayteeat_private
Date: Thu Feb 14 2002 - 13:49:11 PST


    Same error on RedHat 7.2 kernel 2.4.17
    
    
    > Here's the details on Mandrake Linux
    > 
    > [elguapo@linux elguapo]$ ls -al `which slocate`
    > -rwxr-sr-x    2 root     slocate     24956 Apr  6  2001
    > /usr/bin/slocate*
    > [elguapo@linux elguapo]$ uname -a
    > Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686
    > unknown
    > [elguapo@linux elguapo]$ cat /etc/redhat-release
    > Linux Mandrake release 8.0 (Traktopel) for i586
    > [elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
    > Segmentation fault
    > 
    > (gdb) r -r `perl -e 'print "A" x 65026'`
    > Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
    > (no debugging symbols found)...
    > Program received signal SIGSEGV, Segmentation fault.
    > 0x400eeb69 in regerror () from /lib/libc.so.6
    > (gdb) bt
    > #0  0x400eeb69 in regerror () from /lib/libc.so.6
    > #1  0x0804aa99 in strcpy ()
    > 
    > (gdb) i r
    > eax            0x400    1024
    > ecx            0xd      13
    > edx            0x0      0
    > ebx            0x40149f2c       1075093292
    > esp            0xbffef8f0       0xbffef8f0
    > ebp            0xbffef908       0xbffef908
    > esi            0x40141304       1075057412
    > edi            0x0      0
    > eip            0x400eeb69       0x400eeb69
    > 
    > -KF
    > Ehud Tenenbaum wrote:
    > > 
    > > Hey,
    > > 
    > > It's a good time to announce that 2xs security LTD. decided to
    > > create a research team in order to focus on finding new bugs;
    > > furthermore, we managed to develop a security tool to discover
    > > bugs/security flaws. In the near future, the tool itself will become
    > > an open source project.
    > > 
    > > slocate (Secure locate) comes with the default installation in redhat
    > > linux suid to slocate.
    > > 
    > > bash-2.05$ ls -al /usr/bin/slocate
    > > -rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate
    > > 
    > > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
    > > Segmentation fault
    > > 
    > > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
    > > [...] no segfault [...]
    > > 
    > > We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurilien
    > > aurelien.cabezonat_private)
    > > 
    > > the segfault is due to a null pointer,
    > > because regcomp() will return 0 when the buffer is bigger
    > > than 65028 bytes -> then, regerr() will be called but the
    > > programmer forgot to allocate his errbuf variable,
    > > so it is called with errbuf=NULL. (See line 1193, main.c).
    > > 
    > > should anyone have questions or comments you can email us:
    > > 
    > > analyzerat_private
    > > izikat_private
    > > mixterat_private
    > > 
    > > --
    > > ------------
    > > Ehud Tenenbaum
    > > C.T.O & Project Manager
    > > 2xs LTD.
    > > Tel: 972-9-9519980
    > > Fax: 972-9-9519982
    > > E-Mail: ehudat_private
    > > ------------
    > >                                  Have A Safe Day
    > 
    
    
    
    
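As an added example (not slocate's code, and not from anyone in this thread), here is the regerror() calling pattern that avoids the NULL errbuf crash the thread describes; it assumes REG_EXTENDED and uses a constructed failing pattern in place of the 65026-byte one:

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern` into `re` (REG_EXTENDED is an assumption; slocate's
 * own flags are not shown in the thread).  Returns 0 on success.  On
 * failure returns regcomp()'s error code and stores a heap-allocated,
 * NUL-terminated message in *msg, which the caller frees.
 *
 * The crash quoted above comes from the shape
 *     char *errbuf;                       -- never allocated
 *     regerror(err, &re, errbuf, 1024);   -- copies into nothing
 * regerror() may only be given a NULL buffer when errbuf_size is 0. */
int compile_or_explain(const char *pattern, regex_t *re, char **msg)
{
    *msg = NULL;
    int err = regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
    if (err == 0)
        return 0;

    /* Step 1: ask how many bytes the message needs.  A NULL buffer with
     * size 0 is the one legal way to pass NULL here. */
    size_t need = regerror(err, re, NULL, 0);

    /* Step 2: allocate exactly that much and let regerror() fill it.
     * If malloc fails we still report the error code, just without text. */
    char *buf = malloc(need);
    if (buf != NULL) {
        regerror(err, re, buf, need);
        *msg = buf;
    }
    return err;
}

int main(void)
{
    regex_t re;
    char *msg;
    /* Constructed input: an unbalanced '(' is rejected under REG_EXTENDED,
     * standing in for the oversized pattern from the thread. */
    int rc = compile_or_explain("a(b", &re, &msg);
    if (rc != 0) {
        printf("regcomp failed (%d): %s\n", rc, msg ? msg : "<no memory>");
        free(msg);
    } else {
        regfree(&re);
    }
    return 0;
}
```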



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 16:28:06 PST