Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[USG- SA- 2003.001] USG Security Advisory (slocate)

From: inkubus () hushmail com
Date: Fri, 24 Jan 2003 07:27:27 -0800

-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________

USG Security Advisory
http://www.usg.org.uk/advisories/2003.001.txt
inkubus () hushmail com
USG- SA- 2003.001 24- Jan- 2003
__________________________________________________

Package: slocate
Vulnerability: local buffer overflow
Type: local
Risk: high, users can gain high privileges in the system.
System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman

Description:
Accordingly to research done by USG team members and Knight420 who informed us about this vulnerability a week earlier, 
there is a local buffer overflow in the slocate package shipped with the most newer RedHat distributions, we have 
tested the vulnerability only in RedHat
Linux 7.2 and 7.3 but we think that other Linux/*nix systems that provide slocate package may be vulnerable too.
The overflow appears when the slocate is  runned with two parameters: -c and -r, using as arguments a
1024 (or 10240, as Knight420 has informed us earlier) bytes string.
[inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
slocate-2.6-1
- -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
[inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Segmentation fault
[inkubus@USG audit]$ gdb /usr/bin/slocate
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
warning: You need to run the 'updatedb' command (as root) to create the database.
warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
warning: You need to run the 'updatedb' command (as root) to create the database.
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x42080b1b in strlen () from /lib/i686/libc.so.6
(gdb)

The exploitation is trivial, we have coded already a POC exploit that will be published to the bugtraq next days.
The author has been notified via: klindsay () mkintraweb com

- -------------------------------------------------------------------
inkubus () hushmail com
Resistance is futile, you will be assimilated.
- -------------------------------------------------------------------
EOF
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4xWyAVHGlua3VidXNAaHVzaG1haWwuY29tAAoJEMbSI7uQOmRNBfUA
n3Pl47u652dkpjZHqEefppWaPGwtAJ4kn6cTWwPLmNxLL1Ai8Hb3SVy0Rg==
=M12Y
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: