Re: slocate vulnerability

I was worried I was the only one, but don't have enough experiance to 
write here and be the first to say.  In fact, I have found that using 
slocate -c something -r something ALWAYS yields a Segmentation Fault in 
version 2.6 on my box at least.

-- j0ker


cdowns wrote:

> I as well was playing around with this and am getting the same results 
> you are.
>
> ~!>D
>
> Adam Gilmore wrote:
>
> > Below is an advisory on a buffer overflow in slocate 2.6.1.  I can’t
> > replicate the same error in gdb as the advisory and I don’t believe it’s
> > a buffer overflow at all.
> >
> > (gdb) run -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x
> > 1024"`
> > Starting program: /home/drg/sl/slocate-2.6/./slocate -c `perl -e "print
> > 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
> > warning: slocate: decode_db(): : No such file or directory
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x40079527 in vfprintf () from /lib/libc.so.6
> > (gdb) bt
> > #0  0x40079527 in vfprintf () from /lib/libc.so.6
> > #1  0x4009ab43 in vsnprintf () from /lib/libc.so.6
> > #2  0x0804bc06 in report_error (STATUS=0, QUIET=0, format=0x804bff5 "%s:
> > decode_db(): %s: %s\n") at misc.c:149
> > #3  0x0804aa3d in decode_db (database=0x19 <Address 0x19 out of bounds>,
> > str=0xbffff28e 'A' <repeats 200 times>...) at main.c:1164
> > #4  0x0804b70f in main (args=5, argv=0xbffff144) at main.c:1549
> > #5  0x4003e280 in __libc_start_main () from /lib/libc.so.6
> >
> > As far as I can see, the error is because the function report_error is
> > parsed the pointer database which is 0x19 (probably because the program
> > couldn’t get the config file or what not parsed with –c).
> >
> > Anyone care to shed some light on the situation?
> >
> >
> > __________________________________________________
> > USG Security Advisory http://www.usg.org.uk/advisories/2003.001.txt 
> > inkubus@xxxxxxxxxxxx USG- SA- 2003.001 24- Jan- 2003 
> > __________________________________________________
> > Package: slocate Vulnerability: local buffer overflow Type: local 
> > Risk: high, users can gain high privileges in the system. System 
> > tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM 
> > Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
> > Description: Accordingly to research done by USG team members and 
> > Knight420 who
> > informed us about this vulnerability a week earlier, there is a local 
> > buffer
> > overflow in th
> > e slocate package shipped with the most newer RedHat distributions, 
> > we have tested the
> > vulnerabil
> > ity only in RedHat Linux 7.2 and 7.3 but we think that other 
> > Linux/*nix systems that
> > provide sloca
> > te package may be vulnerable too. The overflow appears when the 
> > slocate is  runned with two parameters: -c
> > and -r
> > , using as arguments a 1024 (or 10240, as Knight420 has informed us 
> > earlier) bytes string. [inkubus@USG audit]$ rpm -qf /usr/bin/slocate 
> > && ls -al /usr/bin/slocate
> >
> > slocate-2.6-1 -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 
> > /usr/bin/slocate
> >
> > [inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r
> > `perl -e "print 'A' x 1024"` Segmentation fault [inkubus@USG audit]$ 
> > gdb /usr/bin/slocate GNU gdb Red Hat Linux (5.1.90CVS-5) Copyright 
> > 2002 Free Software Foundation, Inc. GDB is free software, covered by 
> > the GNU General Public License, and you
> > are welcome to change it and/or distribute copies of it under certain
> > conditions. Type "show copying" to see the conditions. There is 
> > absolutely no warranty for GDB.  Type "show warranty" for
> > details. This GDB was configured as "i386-redhat-linux"...(no 
> > debugging symbols
> > found)..
> > . (gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 
> > 1024"` Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 
> > 1024"` -r
> > `perl -e "print 'A' x 1024"` warning: slocate: could not open 
> > database: /var/lib/slocate/slocate.db:
> > Permiss
> > ion denied warning: You need to run the 'updatedb' command (as root) 
> > to create the
> > databas
> > e. warning: slocate: decode_db(): 
> > ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No
> > such fi
> > le or directory warning: You need to run the 'updatedb' command (as 
> > root) to create the
> > databas
> > e. (no debugging symbols found)...(no debugging symbols found)...(no
> > debugging sym
> > bols found)... Program received signal SIGSEGV, Segmentation fault. 
> > 0x42080b1b in strlen () from /lib/i686/libc.so.6 (gdb)
> > The exploitation is trivial, we have coded already a POC exploit that
> > will be p
> > ublished to the bugtraq next days. The author has been notified via: 
> > klindsay@xxxxxxxxxxxxxx
> > ------------------------------------------------------------------- 
> > inkubus@xxxxxxxxxxxx Resistance is futile, you will be assimilated. 
> > ------------------------------------------------------------------- EOF
> >