I as well was playing around with this and am getting the same results you are.

Adam Gilmore wrote:
> Below is an advisory on a buffer overflow in slocate 2.6.1. I can't
> replicate the same error in gdb as the advisory and I don't believe it's
> a buffer overflow at all.
>
> (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> warning: slocate: decode_db(): : No such file or directory
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x40079527 in vfprintf () from /lib/libc.so.6
> (gdb) bt
> #0  0x40079527 in vfprintf () from /lib/libc.so.6
> #1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
> #2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s: decode_db(): %s: %s\n") at misc.c:149
> #3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>, str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
> #4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
> #5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
>
> As far as I can see, the error is because the function report_error is
> passed the pointer database, which is 0x19 (probably because the program
> couldn't get the config file or whatnot parsed with -c).
>
> Anyone care to shed some light on the situation?
>
>
> __________________________________________________
>
> USG Security Advisory
> http://www.usg.org.uk/advisories/2003.001.txt
> inkubusat_private
> USG-SA-2003.001 24-Jan-2003
> __________________________________________________
>
> Package: slocate
> Vulnerability: local buffer overflow
> Type: local
> Risk: high, users can gain high privileges in the system.
> System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
> Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
>
> Description:
> According to research done by USG team members and Knight420, who
> informed us about this vulnerability a week earlier, there is a local
> buffer overflow in the slocate package shipped with the newer RedHat
> distributions. We have tested the vulnerability only in RedHat Linux 7.2
> and 7.3, but we think that other Linux/*nix systems that provide the
> slocate package may be vulnerable too.
> The overflow appears when slocate is run with two parameters, -c and -r,
> using as arguments a 1024 (or 10240, as Knight420 has informed us
> earlier) bytes string.
>
> [inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
> slocate-2.6-1
> -rwxr-sr-x 1 root slocate 25020 Jun 25 2001 /usr/bin/slocate
>
> [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> Segmentation fault
> [inkubus@USG audit]$ gdb /usr/bin/slocate
> GNU gdb Red Hat Linux (5.1.90CVS-5)
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
> (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
> warning: You need to run the 'updatedb' command (as root) to create the database.
> warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
> warning: You need to run the 'updatedb' command (as root) to create the database.
> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x42080b1b in strlen () from /lib/i686/libc.so.6
> (gdb)
>
> The exploitation is trivial; we have coded already a POC exploit that
> will be published to bugtraq in the next days.
> The author has been notified via: klindsayat_private
>
> -------------------------------------------------------------------
> inkubusat_private
> Resistance is futile, you will be assimilated.
> -------------------------------------------------------------------
> EOF

-- 
------------------------------------------
http://www.angrypacket.com
Christopher M Downs, RHCE
cdownsat_private
char ash[]="\x48\x61\x69\x6C\x20"
"\x74\x6F\x20\x74\x68\x65\x20\x4B"
"\x69\x6E\x67";
-------------------------------------------
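The reading of the backtrace in the thread above (the fault is the bad `database` pointer, 0x19, reaching a `%s` conversion inside libc's vfprintf, rather than a smashed return address) is the kind of crash triage that can be done mechanically. The following is an added Python example, not code from the original thread, from USG, or from slocate: it parses gdb `bt` output, records which arguments gdb annotated as `<Address ... out of bounds>` (or printed as the null pointer `0x0`), and labels the crash either as a control-flow corruption (the faulting pc is null or a repeated fill byte, the signature of a classic stack smash) or as an invalid pointer argument that reached a format string. The backtrace constant is the one quoted in the reply, re-joined where the mail wrapped it; the single-frame `??` backtrace used for contrast and the classification heuristics are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The gdb backtrace quoted in the thread above, re-joined where the mail wrapped it.
SLOCATE_BACKTRACE = """\
#0  0x40079527 in vfprintf () from /lib/libc.so.6
#1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
#2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s: decode_db(): %s: %s\\n") at misc.c:149
#3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>, str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
#4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
#5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
"""

# One gdb frame: "#N  0xADDR in func (args) from lib" or "... at file:line".
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<func>\S+)\s+\((?P<args>.*)\)"
    r"(?:\s+from\s+(?P<lib>\S+)|\s+at\s+(?P<src>\S+))?\s*$"
)
# One "name=value" argument, with gdb's optional string literal and
# "<Address 0x.. out of bounds>" annotation for unreadable pointers.
ARG_RE = re.compile(
    r'(?P<name>\w+)=(?P<val>[^\s,]+)'
    r'(?:\s+(?P<str>"(?:[^"\\]|\\.)*"))?'
    r'(?:\s+<Address (?P<bad>0x[0-9a-fA-F]+) out of bounds>)?'
)


@dataclass
class Frame:
    no: int
    pc: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    bad_ptrs: Dict[str, int] = field(default_factory=dict)  # arg name -> unreadable address
    lib: Optional[str] = None   # shared object the frame lives in (library code)
    src: Optional[str] = None   # file:line when gdb had symbols (program code)


def parse_backtrace(text: str) -> List[Frame]:
    """Parse the lines of a gdb 'bt' into Frame records; unrelated lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        f = Frame(int(m["no"]), int(m["pc"], 16), m["func"], lib=m["lib"], src=m["src"])
        for a in ARG_RE.finditer(m["args"]):
            f.args[a["name"]] = a["str"] or a["val"]
            if a["bad"]:
                f.bad_ptrs[a["name"]] = int(a["bad"], 16)
            elif a["val"] == "0x0":
                # gdb prints a null pointer as 0x0 without the out-of-bounds note
                f.bad_ptrs[a["name"]] = 0
        frames.append(f)
    return frames


def find_bad_pointer_args(frames: List[Frame]) -> List[Tuple[int, str, str, int]]:
    """(frame no, function, argument name, address) for every unreadable pointer argument."""
    return [(f.no, f.func, name, addr) for f in frames for name, addr in f.bad_ptrs.items()]


def classify(frames: List[Frame]) -> str:
    """Coarse root-cause label for a SIGSEGV backtrace (heuristic, constructed for this example)."""
    if not frames:
        return "unknown: no frames parsed"
    top = frames[0]
    # A null pc or one made of a single repeated byte (e.g. 0x41414141) means the
    # saved return address itself was overwritten: control flow was corrupted.
    if top.pc == 0 or len(set(top.pc.to_bytes(4, "little"))) == 1:
        return f"pc-overwrite: crashed at pc={top.pc:#x}"
    bad = find_bad_pointer_args(frames)
    if bad:
        no, func, name, addr = bad[0]
        # Did an in-program caller hand that pointer to a %s conversion?
        fmt_frame = next((f for f in frames if "%s" in f.args.get("format", "")), None)
        via = f" via {fmt_frame.func}()'s format string" if fmt_frame else ""
        where = f" inside {top.func}() in {top.lib}" if top.lib else f" in {top.func}()"
        return f"invalid-pointer: {func}() passed {name}={addr:#x}{via}; the read faulted{where}"
    return f"unknown: faulted in {top.func}() at pc={top.pc:#x}"


if __name__ == "__main__":
    frames = parse_backtrace(SLOCATE_BACKTRACE)
    for frame in frames:
        print(f"#{frame.no} {frame.func} bad_ptrs={frame.bad_ptrs}")
    print(classify(frames))
    # Constructed contrast case: what a smashed return address looks like in gdb.
    print(classify(parse_backtrace("#0  0x41414141 in ?? ()")))
```

On the thread's backtrace the tool reports `decode_db()` passing `database=0x19` through `report_error()`'s `"%s: decode_db(): %s: %s\n"` format into vfprintf, which is where the read faults; the contrasting single-frame backtrace with pc=0x41414141 is labelled as a pc overwrite. The two labels are the first question to settle when an advisory calls a crash a buffer overflow: an unreadable argument reaching a string conversion is a crash, but on its own it is not evidence that saved control data was overwritten.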
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 14:31:26 PST