I was worried I was the only one, but don't have enough experience to write here and be the first to say. In fact, I have found that using slocate -c something -r something ALWAYS yields a Segmentation Fault in version 2.6 on my box at least.

-- j0ker

cdowns wrote:
> I as well was playing around with this and am getting the same results
> you are.
>
> ~!>D
>
> Adam Gilmore wrote:
>
>> Below is an advisory on a buffer overflow in slocate 2.6.1. I can't
>> replicate the same error in gdb as the advisory and I don't believe it's
>> a buffer overflow at all.
>>
>> (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> warning: slocate: decode_db(): : No such file or directory
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x40079527 in vfprintf () from /lib/libc.so.6
>> (gdb) bt
>> #0  0x40079527 in vfprintf () from /lib/libc.so.6
>> #1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
>> #2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s: decode_db(): %s: %s\n") at misc.c:149
>> #3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>, str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
>> #4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
>> #5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
>>
>> As far as I can see, the error is because the function report_error is
>> passed the pointer database, which is 0x19 (probably because the program
>> couldn't get the config file or whatnot parsed with -c).
>>
>> Anyone care to shed some light on the situation?
>>
>> __________________________________________________
>> USG Security Advisory
>> http://www.usg.org.uk/advisories/2003.001.txt
>> inkubusat_private            USG-SA-2003.001            24-Jan-2003
>> __________________________________________________
>>
>> Package: slocate
>> Vulnerability: local buffer overflow
>> Type: local
>> Risk: high, users can gain high privileges in the system.
>> System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
>> Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
>>
>> Description:
>> According to research done by USG team members and Knight420, who
>> informed us about this vulnerability a week earlier, there is a local
>> buffer overflow in the slocate package shipped with the newest RedHat
>> distributions. We have tested the vulnerability only in RedHat Linux 7.2
>> and 7.3, but we think that other Linux/*nix systems that provide the
>> slocate package may be vulnerable too. The overflow appears when slocate
>> is run with two parameters, -c and -r, using as arguments a 1024 (or
>> 10240, as Knight420 has informed us earlier) bytes string.
>>
>> [inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
>> slocate-2.6-1
>> -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
>>
>> [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> Segmentation fault
>> [inkubus@USG audit]$ gdb /usr/bin/slocate
>> GNU gdb Red Hat Linux (5.1.90CVS-5)
>> Copyright 2002 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
>> (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
>> warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
>> warning: You need to run the 'updatedb' command (as root) to create the database.
>> warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
>> warning: You need to run the 'updatedb' command (as root) to create the database.
>> (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x42080b1b in strlen () from /lib/i686/libc.so.6
>> (gdb)
>>
>> The exploitation is trivial; we have already coded a POC exploit that
>> will be published to bugtraq in the next days.
>>
>> The author has been notified via: klindsayat_private
>>
>> -------------------------------------------------------------------
>> inkubusat_private
>> Resistance is futile, you will be assimilated.
>> -------------------------------------------------------------------
>> EOF
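Editor's note (added example; this is not code from the thread, from slocate, or from USG): the backtrace Adam quotes shows decode_db() handing report_error() a database pointer of 0x19, which vsnprintf() then dereferences for a "%s" conversion, and the advisory's own gdb session faults inside strlen() the same way. The C below mimics that call shape with hypothetical names (search_ctx, report_error_safe, decode_db_safe, the check_* helpers) and shows the guarded form a maintainer would want: the pointer is validated before it ever reaches a "%s", and the diagnostic is built with snprintf into a bounded buffer, so a 1024-byte -r argument is truncated instead of overrunning anything. The 1024-byte pattern and the /nonexistent/constructed.db path are constructed inputs; nothing here reads a real slocate database.

```c
/* Added illustration, not slocate's own code. Hypothetical names throughout. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF 256        /* bounded diagnostic buffer */
#define PATTERN_LEN 1024  /* the -r argument length used in the thread */

/* Hypothetical search context. 'database' stays NULL until config parsing
 * (the -c step) succeeds; the crash in the thread shows it holding 0x19. */
typedef struct {
    const char *database;
    const char *pattern;
} search_ctx;

/* Guarded counterpart of a report_error()-style helper. It never passes a
 * NULL to "%s" (glibc prints "(null)", other libcs fault, and a garbage
 * pointer such as 0x19 faults everywhere) and it formats into a bounded
 * buffer, so the caller's argument length cannot overflow it. Returns the
 * would-be length exactly as snprintf does. */
static int report_error_safe(char *out, size_t outlen, const char *prog,
                             const char *func, const char *path, int err)
{
    if (!path)
        path = "(no database configured)";
    return snprintf(out, outlen, "%s: %s(): %s: %s\n",
                    prog, func, path, strerror(err));
}

/* Guarded decode_db()-style entry point: 0 on success, -1 on error with a
 * diagnostic written into err. The pointer is checked before any use, so a
 * failed -c parse yields a message instead of a SIGSEGV in vfprintf/strlen. */
int decode_db_safe(const search_ctx *ctx, char *err, size_t errlen)
{
    if (!ctx || !ctx->database) {
        report_error_safe(err, errlen, "slocate", "decode_db", NULL, EINVAL);
        return -1;
    }
    FILE *fp = fopen(ctx->database, "rb");
    if (!fp) {
        report_error_safe(err, errlen, "slocate", "decode_db",
                          ctx->database, errno);
        return -1;
    }
    fclose(fp);
    return 0;
}

/* Constructed input: 1024 x 'A', the same shape as the perl one-liner. */
static const char *long_pattern(void)
{
    static char buf[PATTERN_LEN + 1];
    memset(buf, 'A', PATTERN_LEN);
    buf[PATTERN_LEN] = '\0';
    return buf;
}

/* 1 when an unset database pointer is rejected with a readable message. */
int check_unset_database(void)
{
    char err[ERRBUF];
    search_ctx ctx;
    ctx.database = NULL;
    ctx.pattern = long_pattern();
    return decode_db_safe(&ctx, err, sizeof err) == -1
        && strstr(err, "(no database configured)") != NULL;
}

/* 1 when a missing database path is reported with the path and errno text. */
int check_missing_database(void)
{
    char err[ERRBUF];
    search_ctx ctx;
    ctx.database = "/nonexistent/constructed.db";  /* constructed path */
    ctx.pattern = long_pattern();
    return decode_db_safe(&ctx, err, sizeof err) == -1
        && strstr(err, "decode_db(): /nonexistent/constructed.db: ") != NULL;
}

/* 1 when a 1024-byte argument fed to the formatter is truncated at the
 * buffer bound (would-be length exceeds ERRBUF, written length fits). */
int check_long_argument_is_bounded(void)
{
    char err[ERRBUF];
    int want = report_error_safe(err, sizeof err, "slocate", "decode_db",
                                 long_pattern(), ENOENT);
    return want >= (int)sizeof err && strlen(err) == sizeof err - 1;
}

int main(void)
{
    printf("unset database handled:   %d\n", check_unset_database());
    printf("missing database handled: %d\n", check_missing_database());
    printf("long argument bounded:    %d\n", check_long_argument_is_bounded());
    return 0;
}
```

The point of the three checks is triage, not exploitation: a crash whose top frames are vfprintf()/strlen() reading from an address like 0x19 is the signature of an uninitialised or stale pointer reaching a "%s", and the fix is pointer validation plus bounded formatting, whereas a stack overwrite would show a corrupted return address or a frame that gdb cannot unwind.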
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:07:26 PST