Re: slocate vulnerability

From: cdowns (cdownsat_private)
Date: Wed Jan 29 2003 - 11:49:48 PST


    I as well was playing around with this and am getting the same results 
    you are.
    
    ~!>D
    
    Adam Gilmore wrote:
    
    >Below is an advisory on a buffer overflow in slocate 2.6.1.  I can’t
    >replicate the same error in gdb as the advisory and I don’t believe it’s
    >a buffer overflow at all.
    > 
    >(gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    >Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
    >warning: slocate: decode_db(): : No such file or directory
    > 
    >Program received signal SIGSEGV, Segmentation fault.
    >0x40079527 in vfprintf () from /lib/libc.so.6
    >(gdb) bt
    >#0  0x40079527 in vfprintf () from /lib/libc.so.6
    >#1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
    >#2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s: decode_db(): %s: %s\n") at misc.c:149
    >#3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>, str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
    >#4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
    >#5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
    > 
    >As far as I can see, the error is because the function report_error is
    >passed the pointer database, which is 0x19 (probably because the program
    >couldn’t get the config file or whatnot parsed with -c).
    > 
    >Anyone care to shed some light on the situation?
    > 
    > 
    >__________________________________________________ 
    > 
    >USG Security Advisory 
    >http://www.usg.org.uk/advisories/2003.001.txt 
    >inkubusat_private 
    >USG- SA- 2003.001 24- Jan- 2003 
    >__________________________________________________ 
    > 
    >Package: slocate 
    >Vulnerability: local buffer overflow 
    >Type: local 
    >Risk: high, users can gain high privileges in the system. 
    >System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM 
    >Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman 
    > 
    >Description: 
    >According to research done by USG team members and Knight420, who
    >informed us about this vulnerability a week earlier, there is a local
    >buffer overflow in the slocate package shipped with the newer RedHat
    >distributions. We have tested the vulnerability only in RedHat Linux
    >7.2 and 7.3, but we think that other Linux/*nix systems that provide
    >the slocate package may be vulnerable too.
    >The overflow appears when slocate is run with two parameters, -c and
    >-r, using as arguments a 1024 (or 10240, as Knight420 has informed us
    >earlier) bytes string.
    >[inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
    >slocate-2.6-1 
    >-rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
    >[inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"` 
    >Segmentation fault 
    >[inkubus@USG audit]$ gdb /usr/bin/slocate 
    >GNU gdb Red Hat Linux (5.1.90CVS-5) 
    >Copyright 2002 Free Software Foundation, Inc. 
    >GDB is free software, covered by the GNU General Public License, and you are
    >welcome to change it and/or distribute copies of it under certain conditions. 
    >Type "show copying" to see the conditions. 
    >There is absolutely no warranty for GDB.  Type "show warranty" for details. 
    >This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
    >(gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"` 
    >Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"` 
    >warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied 
    >warning: You need to run the 'updatedb' command (as root) to create the database. 
    >warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory 
    >warning: You need to run the 'updatedb' command (as root) to create the database. 
    >(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... 
    >Program received signal SIGSEGV, Segmentation fault. 
    >0x42080b1b in strlen () from /lib/i686/libc.so.6 
    >(gdb) 
    > 
    >The exploitation is trivial; we have already coded a POC exploit that
    >will be published to bugtraq in the next days. 
    >The author has been notified via: klindsayat_private 
    > 
    >------------------------------------------------------------------- 
    >inkubusat_private 
    >Resistance is futile, you will be assimilated. 
    >------------------------------------------------------------------- 
    >EOF 
    
    
    -- 
    ------------------------------------------
          http://www.angrypacket.com
           Christopher M Downs,RHCE
           cdownsat_private
    	
       char ash[]="\x48\x61\x69\x6C\x20"
       "\x74\x6F\x20\x74\x68\x65\x20\x4B"
       "\x69\x6E\x67";
    -------------------------------------------
    
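The report_error()/vsnprintf() question raised in the thread can be checked in isolation. The following is an added example, not code from slocate or from anyone in this thread. It mimics a report_error()-style helper that formats into a fixed-size stack buffer with vsnprintf(), feeds it a 1024-byte argument like the one in the advisory, and verifies that the bytes after the buffer are untouched: a bounded vsnprintf() truncates, it does not overflow. The buffer size (256), the function names and the guard pattern are assumptions for illustration. It also shows the only argument check that is cheap to make at the call site, a NULL guard; a non-NULL garbage pointer such as the 0x19 in Adam's backtrace cannot be detected by the formatter and faults inside libc's strlen()/vfprintf() when %s dereferences it, which is consistent with the frames in both backtraces.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not slocate's code. MSG_MAX is an assumed buffer size. */
#define MSG_MAX 256

/* report_error()-style helper: format into a caller-supplied buffer.
 * Returns what vsnprintf() returns, i.e. the length a full write would
 * have needed, so the caller can detect truncation. out is always
 * NUL-terminated when outlen > 0. */
static int format_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Push a 1024-byte 'A' string (like the advisory's argument) through the
 * formatter and check the guard bytes placed right after the buffer.
 * Returns 1 if the guard is intact and the message was truncated to fit,
 * 0 otherwise. */
int long_arg_does_not_overflow(void)
{
    struct {
        char msg[MSG_MAX];
        char guard[16];   /* sits directly after msg; char needs no padding */
    } s;
    char arg[1025];

    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    memset(s.guard, 0x5a, sizeof s.guard);

    /* Same format string as frame #2 of the backtrace, with constructed args. */
    int wanted = format_error(s.msg, sizeof s.msg,
                              "%s: decode_db(): %s: %s\n",
                              "slocate", arg, "No such file or directory");

    int guard_ok = 1;
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a)
            guard_ok = 0;

    /* wanted exceeds MSG_MAX (the text is over 1000 bytes), but only
     * MSG_MAX-1 characters plus the NUL landed in msg. */
    return guard_ok && wanted > MSG_MAX && strlen(s.msg) == MSG_MAX - 1;
}

/* The formatter cannot tell a valid pointer from a bad one: passing NULL
 * or a garbage value (0x19 in the thread's backtrace) as a %s argument
 * faults inside libc. Only NULL is cheaply catchable, and only by the
 * caller, before the value reaches vsnprintf(). */
const char *str_or_placeholder(const char *p)
{
    return p ? p : "(unknown)";
}
```

The caller-side guard is the relevant fix location: if decode_db() is handed an unset or invalid database pointer, no amount of bounds checking inside report_error() will help, because the fault happens while libc reads the string, not while writing the buffer.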



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 14:31:26 PST