Re: slocate vulnerability

I as well was playing around with this and am getting the same results 
you are.

~!>D

Adam Gilmore wrote:

> Below is an advisory on a buffer overflow in slocate 2.6.1.  I can’t
> replicate the same error in gdb as the advisory and I don’t believe it’s
> a buffer overflow at all.
>
> (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x
> 1024"`
> Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print
> 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> warning: slocate: decode_db(): : No such file or directory
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x40079527 in vfprintf () from /lib/libc.so.6
> (gdb) bt
> #0  0x40079527 in vfprintf () from /lib/libc.so.6
> #1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
> #2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s:
> decode_db(): %s: %s\n") at misc.c:149
> #3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>,
> str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
> #4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
> #5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
>
> As far as I can see, the error is because the function report_error is
> parsed the pointer database which is 0x19 (probably because the program
> couldn’t get the config file or what not parsed with –c).
>
> Anyone care to shed some light on the situation?
>
>
> __________________________________________________ 
>
> USG Security Advisory 
> http://www.usg.org.uk/advisories/2003.001.txt 
> inkubus@xxxxxxxxxxxx 
> USG- SA- 2003.001 24- Jan- 2003 
> __________________________________________________ 
>
> Package: slocate 
> Vulnerability: local buffer overflow 
> Type: local 
> Risk: high, users can gain high privileges in the system. 
> System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM 
> Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman 
>
> Description: 
> Accordingly to research done by USG team members and Knight420 who
> informed us 
> about this vulnerability a week earlier, there is a local buffer
> overflow in th
> e slocate package 
> shipped with the most newer RedHat distributions, we have tested the
> vulnerabil
> ity only in RedHat 
> Linux 7.2 and 7.3 but we think that other Linux/*nix systems that
> provide sloca
> te package may be 
> vulnerable too. 
> The overflow appears when the slocate is  runned with two parameters: -c
> and -r
> , using as arguments a 
> 1024 (or 10240, as Knight420 has informed us earlier) bytes string. 
> [inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
>
> slocate-2.6-1 
> -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
>
> [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r
> `perl 
> -e "print 'A' x 1024"` 
> Segmentation fault 
> [inkubus@USG audit]$ gdb /usr/bin/slocate 
> GNU gdb Red Hat Linux (5.1.90CVS-5) 
> Copyright 2002 Free Software Foundation, Inc. 
> GDB is free software, covered by the GNU General Public License, and you
> are 
> welcome to change it and/or distribute copies of it under certain
> conditions. 
> Type "show copying" to see the conditions. 
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details. 
> This GDB was configured as "i386-redhat-linux"...(no debugging symbols
> found)..
> . 
> (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"` 
> Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r
> `perl -e 
> "print 'A' x 1024"` 
> warning: slocate: could not open database: /var/lib/slocate/slocate.db:
> Permiss
> ion denied 
> warning: You need to run the 'updatedb' command (as root) to create the
> databas
> e. 
> warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No
> such fi
> le or directory 
> warning: You need to run the 'updatedb' command (as root) to create the
> databas
> e. 
> (no debugging symbols found)...(no debugging symbols found)...(no
> debugging sym
> bols found)... 
> Program received signal SIGSEGV, Segmentation fault. 
> 0x42080b1b in strlen () from /lib/i686/libc.so.6 
> (gdb) 
>
> The exploitation is trivial, we have coded already a POC exploit that
> will be p
> ublished to the bugtraq 
> next days. 
> The author has been notified via: klindsay@xxxxxxxxxxxxxx 
>
> ------------------------------------------------------------------- 
> inkubus@xxxxxxxxxxxx 
> Resistance is futile, you will be assimilated. 
> ------------------------------------------------------------------- 
> EOF 
>
>
>
>
>
>
>
>  


--
------------------------------------------
     http://www.angrypacket.com
      Christopher M Downs,RHCE
      cdowns@xxxxxxxxxxxxxxx
        
  char ash[]="\x48\x61\x69\x6C\x20"
  "\x74\x6F\x20\x74\x68\x65\x20\x4B"
  "\x69\x6E\x67";
-------------------------------------------