Same error on RedHat 7.2 kernel 2.4.17

> Here's the details on Mandrake Linux
>
> [elguapo@linux elguapo]$ ls -al `which slocate`
> -rwxr-sr-x 2 root slocate 24956 Apr 6 2001 /usr/bin/slocate*
> [elguapo@linux elguapo]$ uname -a
> Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
> [elguapo@linux elguapo]$ cat /etc/redhat-release
> Linux Mandrake release 8.0 (Traktopel) for i586
> [elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
> Segmentation fault
>
> (gdb) r -r `perl -e 'print "A" x 65026'`
> Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
> (no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x400eeb69 in regerror () from /lib/libc.so.6
> (gdb) bt
> #0 0x400eeb69 in regerror () from /lib/libc.so.6
> #1 0x0804aa99 in strcpy ()
>
> (gdb) i r
> eax 0x400 1024
> ecx 0xd 13
> edx 0x0 0
> ebx 0x40149f2c 1075093292
> esp 0xbffef8f0 0xbffef8f0
> ebp 0xbffef908 0xbffef908
> esi 0x40141304 1075057412
> edi 0x0 0
> eip 0x400eeb69 0x400eeb69
>
> -KF
>
> Ehud Tenenbaum wrote:
> >
> > Hey,
> >
> > It's a good time to announce that 2xs security LTD. decided to
> > create a research team in order to focus on finding new bugs;
> > furthermore, we managed to develop a security tool to discover
> > bugs/security flaws. In the near future, the tool itself will become
> > an open source project.
> >
> > slocate (Secure locate), which comes with the default installation in redhat
> > linux, is suid to slocate.
> >
> > bash-2.05$ ls -al /usr/bin/slocate
> > -rwxr-sr-x 1 root slocate 20880 dec 18 2000 /usr/bin/slocate
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
> > Segmentation fault
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
> > [...] no segfault [...]
> >
> > We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurilien
> > aurelien.cabezonat_private)
> >
> > The segfault is due to a null pointer,
> > because regcomp() will return 0 when the buffer is bigger
> > than 65028 bytes -> then, regerr() will be called but the
> > programmer forgot to allocate his errbuf variable,
> > so it is called with errbuf=NULL. (See line 1193, main.c).
> >
> > Should anyone have questions or comments you can email us:
> >
> > analyzerat_private
> > izikat_private
> > mixterat_private
> >
> > --
> > ------------
> > Ehud Tenenbaum
> > C.T.O & Project Manager
> > 2xs LTD.
> > Tel: 972-9-9519980
> > Fax: 972-9-9519982
> > E-Mail: ehudat_private
> > ------------
> > Have A Safe Day
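As an added example (not code from slocate or from 2xs), the regcomp()/regerror() handling that avoids the NULL errbuf the quoted message describes; the helper names and the 128-byte buffer are my own choices:

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern` into `re`; on failure return the regcomp() code and, if
 * the caller supplied a buffer, fill it via regerror() with a real, sized
 * destination. That is the step slocate skipped (errbuf was NULL). */
int compile_pattern(const char *pattern, regex_t *re,
                    char *errbuf, size_t errbuf_len)
{
    int rc = regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0) return 0;
    if (errbuf == NULL || errbuf_len == 0)   /* no buffer: code only */
        return rc;
    /* regerror() truncates to errbuf_len and NUL-terminates. The only legal
     * NULL destination is regerror(rc, re, NULL, 0), which just measures. */
    regerror(rc, re, errbuf, errbuf_len);
    return rc;
}

/* 1 = rejected with a message, 0 = compiled, -1 = rejected, no message. */
int compile_reports_error(const char *pattern)
{
    char errbuf[128] = "";
    regex_t re;
    int rc = compile_pattern(pattern, &re, errbuf, sizeof errbuf);
    if (rc == 0) { regfree(&re); return 0; }
    return errbuf[0] != '\0' ? 1 : -1;
}

/* Mirror the `perl -e 'print "A" x N'` test: a verdict instead of a SIGSEGV. */
int try_long_pattern(size_t n)
{
    char *pat = malloc(n + 1);
    if (pat == NULL) return -1;
    memset(pat, 'A', n);
    pat[n] = '\0';
    int rc = compile_reports_error(pat);
    free(pat);
    return rc;
}

int main(void)
{
    printf("pattern \"a[\" -> %d\n", compile_reports_error("a["));
    printf("65026 x 'A'  -> %d\n", try_long_pattern(65026));
    return 0;
}
```

Whether a 65026-byte pattern is rejected depends on the libc; the point is that either outcome is reported through a valid buffer rather than by crashing inside regerror().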
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 16:28:06 PST