RE: slocate bug.

From: John Adair (J.Adairat_private)
Date: Fri Feb 15 2002 - 06:21:37 PST


    I just thought I would share some information. The /usr/bin/slocate binary
    is setgid slocate on Cobalt's Cube III. I have not found this to be
    exploitable on Cobalt's Cube III.
    
    [root /root]# slocate --version
    Secure Locate v2.4 - Released November 28, 2000
    [root /root]# uname -a
    Linux Cobalt 2.2.16C32_III #1 Fri Nov 9 21:54:54 PST 2001 i586 unknown
    [root /root]# ls -al /usr/bin/slocate
    -rwxr-sr-x   1 root     slocate     20880 Dec 18  2000 /usr/bin/slocate*
    [root /root]# gdb slocate
    GNU gdb 19991004
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain
    conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...(no debugging symbols
    found)...
    (gdb) run -r `perl -e 'print "A" x 65026'`
    Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
    
    Program received signal SIGSEGV, Segmentation fault.
    0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27) at
    ../sysdeps/generic/memcpy.c:55
    55      ../sysdeps/generic/memcpy.c: No such file or directory.
    (gdb) backtrace
    #0  0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27) at
    ../sysdeps/generic/memcpy.c:55
    #1  0x400b563b in __regerror (errcode=15, preg=0x805fbb0, errbuf=0x0,
    errbuf_size=1024) at regex.c:5849
    #2  0x804a8d0 in read ()
    #3  0x804b13c in read ()
    #4  0x400309cb in __libc_start_main (main=0x804ae00 <read+7976>, argc=3,
    argv=0xbffefe04, init=0x8048b68,
        fini=0x804b84c <read+10612>, rtld_fini=0x4000ae60 <_dl_fini>,
    stack_end=0xbffefdfc) at ../sysdeps/generic/libc-start.c:92
    (gdb) info registers
    eax            0x1b     27
    ecx            0x6      6
    edx            0x0      0
    ebx            0x401081cc       1074823628
    esp            0xbffefb8c       -1073808500
    ebp            0xbffefb94       -1073808492
    esi            0x400ffb44       1074789188
    edi            0x0      0
    eip            0x40078487       1074234503
    eflags         0x10217  66071
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    cwd            0xffff037f       -64641
    swd            0xffff0000       -65536
    twd            0xffffffff       -1
    fip            0x4004c7e4       1074055140
    fcs            0x77d0023        125632547
    fopo           0xbffffc54       -1073742764
    fos            0xffff002b       -65493
    
    - - -
    Opinions expressed do not necessarily represent the views of my employer.
    
    This message and any attachment are confidential and may be privileged or
    otherwise protected from disclosure. If you are not the intended recipient,
    please telephone, fax or e-mail to the sender without delay.  Return this
    message or delete this message and any attachment from your system as per
    our request. If you are not the intended recipient you must not copy this
    message or attachments or disclose the contents to any other person.
    
    Ehud Tenenbaum wrote:
    > >
    > > Hey,
    > >
    > > It's a good time to announce that 2xs security LTD. decided to
    > > create a research team in order to focus on finding new bugs;
    > > furthermore, we managed to develop a security tool to discover
    > > bugs/security flaws. In the near future, the tool itself will become
    > > an open source project.
    > >
    > > slocate (Secure locate) comes with the default installation in redhat
    > > linux suid to slocate.
    > >
    > > bash-2.05$ ls -al /usr/bin/slocate
    > > -rwxr-sr-x    1 root     slocate     20880 dec 18  2000
    > /usr/bin/slocate
    > >
    > > bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
    > > Segmentation fault
    > >
    > > bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
    > > [...] no segfault [...]
    > >
    > > We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurilien
    > > aurelien.cabezonat_private)
    > >
    > > The segfault is due to a null pointer,
    > > because regcomp() will return 0 when the buffer is bigger
    > > than 65028 bytes -> then regerr() will be called, but the
    > > programmer forgot to allocate his errbuf variable,
    > > so it is called with errbuf=NULL. (See line 1193, main.c).
    > >
    > > Should anyone have questions or comments, you can email us:
    > >
    > > analyzerat_private
    > > izikat_private
    > > mixterat_private
    > >
    > > --
    > > ------------
    > > Ehud Tenenbaum
    > > C.T.O & Project Manager
    > > 2xs LTD.
    > > Tel: 972-9-9519980
    > > Fax: 972-9-9519982
    > > E-Mail: ehudat_private
    > > ------------
    > >                                  Have A Safe Day
    >
    



    This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 11:41:35 PST