I just thought I would share some information. The /usr/bin/slocate binary
is setgid slocate on Cobalt's Cube III. I have not found this to be
exploitable on Cobalt's Cube III.

[root /root]# slocate --version
Secure Locate v2.4 - Released November 28, 2000
[root /root]# uname -a
Linux Cobalt 2.2.16C32_III #1 Fri Nov 9 21:54:54 PST 2001 i586 unknown
[root /root]# ls -al /usr/bin/slocate
-rwxr-sr-x   1 root     slocate     20880 Dec 18  2000 /usr/bin/slocate*
[root /root]# gdb slocate
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) run -r `perl -e 'print "A" x 65026'`
Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`

Program received signal SIGSEGV, Segmentation fault.
0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27)
    at ../sysdeps/generic/memcpy.c:55
55      ../sysdeps/generic/memcpy.c: No such file or directory.
(gdb) backtrace
#0  0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27)
    at ../sysdeps/generic/memcpy.c:55
#1  0x400b563b in __regerror (errcode=15, preg=0x805fbb0, errbuf=0x0,
    errbuf_size=1024) at regex.c:5849
#2  0x804a8d0 in read ()
#3  0x804b13c in read ()
#4  0x400309cb in __libc_start_main (main=0x804ae00 <read+7976>, argc=3,
    argv=0xbffefe04, init=0x8048b68, fini=0x804b84c <read+10612>,
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffefdfc)
    at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x1b        27
ecx            0x6         6
edx            0x0         0
ebx            0x401081cc  1074823628
esp            0xbffefb8c  -1073808500
ebp            0xbffefb94  -1073808492
esi            0x400ffb44  1074789188
edi            0x0         0
eip            0x40078487  1074234503
eflags         0x10217     66071
cs             0x23        35
ss             0x2b        43
ds             0x2b        43
es             0x2b        43
fs             0x0         0
gs             0x0         0
cwd            0xffff037f  -64641
swd            0xffff0000  -65536
twd            0xffffffff  -1
fip            0x4004c7e4  1074055140
fcs            0x77d0023   125632547
fopo           0xbffffc54  -1073742764
fos            0xffff002b  -65493

Ehud Tenenbaum wrote:
> >
> > Hey,
> >
> > It's a good time to announce that 2xs security LTD. decided to
> > create a research team in order to focus on finding new bugs;
> > furthermore, we managed to develop a security tool to discover
> > bugs/security flaws. In the near future, the tool itself will become
> > an open source project.
> >
> > slocate (Secure locate), coming with the default installation in redhat
> > linux, is suid to slocate.
> >
> > bash-2.05$ ls -al /usr/bin/slocate
> > -rwxr-sr-x   1 root     slocate     20880 dec 18  2000 /usr/bin/slocate
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
> > Segmentation fault
> >
> > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
> > [...] no segfault [...]
> >
> > We found a non-exploitable bug which was pointed out by KoSak
> > (Cabezon Aurilien aurelien.cabezonat_private).
> >
> > The segfault is due to a null pointer,
> > because regcomp() will return 0 when the buffer is bigger
> > than 65028 bytes -> then, regerr() will be called but the
> > programmer forgot to allocate his errbuf variable,
> > so it is called with errbuf=NULL. (See line 1193, main.c.)
> >
> > Should anyone have questions or comments, you can email us:
> >
> > analyzerat_private
> > izikat_private
> > mixterat_private
> >
> > --
> > ------------
> > Ehud Tenenbaum
> > C.T.O & Project Manager
> > 2xs LTD.
> > Tel: 972-9-9519980
> > Fax: 972-9-9519982
> > E-Mail: ehudat_private
> > ------------
> > Have A Safe Day
>
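The backtrace shows the root cause: regerror() was entered with errbuf=0x0 and errbuf_size=1024, so glibc memcpy()ed the message to address 0. The following is an added example, not slocate's code, showing the correct regcomp()/regerror() error path: size the buffer with a NULL/0 query first, then allocate it. Function names are hypothetical.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern`. On success return 0 with *msg = NULL. On failure return
 * the regcomp() error code and leave a heap-allocated message in *msg, which
 * the caller frees. */
int compile_with_error(const char *pattern, char **msg)
{
    regex_t re;
    int rc;
    size_t need;

    *msg = NULL;
    rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0) {
        regfree(&re);
        return 0;
    }
    /* A NULL errbuf is only legal together with errbuf_size == 0: that call
     * just reports how many bytes the message needs. slocate passed NULL with
     * size 1024, so glibc memcpy()ed into address 0 and the process died. */
    need = regerror(rc, &re, NULL, 0);
    *msg = malloc(need);
    if (*msg != NULL)
        regerror(rc, &re, *msg, need); /* destination exists now */
    return rc;
}

/* Wrappers for quick checks: just the error code, or the message length. */
int pattern_error_code(const char *pattern)
{
    char *msg;
    int rc = compile_with_error(pattern, &msg);
    free(msg);
    return rc;
}

size_t pattern_error_msglen(const char *pattern)
{
    char *msg;
    size_t len = 0;
    compile_with_error(pattern, &msg);
    if (msg != NULL)
        len = strlen(msg);
    free(msg);
    return len;
}
```

Feeding it the post's 65026-byte pattern exercises the same path safely: whether or not regcomp() rejects it, the message lands in an allocated buffer rather than at NULL.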
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 11:41:35 PST