Bugtraq mailing list archives
Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Josh Smith <josh () viper falcon-networks com>
Date: Wed, 1 Aug 2001 12:03:58 -0400 (EDT)
Submitted by : Josh (josh () viper falcon-networks com), lockdown (lockdown () lockeddown net), zen-parse (zen-parse () gmx net)
Vulnerability : /usr/bin/locate (findutils-4.1 and before)
Tested On : Slackware 8.0, Slackware 7.1
Local : Yes
Remote : No
Fix : Update to slocate
Target : root or any other user that runs locate
Requires : UID nobody
Greets to : alpha, fr3n3tic, omega, eazyass, Remmy, RedPen, banned-it, slider, cryptix, s0ttle, xphantom, qtip, tirancy, Defiance, KraZee, synexic, Insane, rusko, falcon-networks.com, mp3.com/cosv.
Other Stuff : We all (individually) need jobs. E-mail the contact people with [WE HAVE A JOB FOR YOU] in the subject.

In Slackware, and possibly other distributions, it is possible to modify the locate database if one were to obtain UID nobody. This allows locate to act as a sort of 'trojan', having anyone who executes it unknowingly execute potentially malicious code.

It works by taking advantage of the fact that locate accepts old format databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset, stored in a signed integer, for how many characters to add to the current character pointer in the path. It doesn't perform any sanity checking of the input. This exploit tells it to move the pointer back a long way, back past the beginning of the string, all the way to the GOT address for exit(), which then gets the address of the shellcode added, and the program then runs out of database and executes our code.

There is also probably a similar vulnerability in the new format.

P.S. dies: If you see this e-mail josh () viper falcon-networks com
Attachment:
locate-exploit.c
Description: exploit
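Added example, not from the advisory and not findutils' own code: a C decoder for the old-format entry encoding the post describes (a shared-prefix count per entry, with LOCATEDB_OLD_ESCAPE (30) introducing a signed delta), including the range check on the running count that the vulnerable locate omits. The 16-bit big-endian delta, the count bias of 14, the 256-byte path buffer and the omission of the real format's bigram compression are assumptions made for this model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the old locate database: each entry is one count byte
 * (shared-prefix delta biased by LOCATEDB_OLD_OFFSET) or LOCATEDB_OLD_ESCAPE
 * followed by a 16-bit big-endian signed delta (width/endianness assumed),
 * then the new suffix bytes, then '\n'. Bigram compression is omitted. */
#define LOCATEDB_OLD_OFFSET 14
#define LOCATEDB_OLD_ESCAPE 30
#define PATH_BUF 256

typedef struct { char paths[8][PATH_BUF]; int n; } path_list;

static void collect_cb(const char *path, void *arg)
{
    path_list *pl = arg;
    if (pl->n < 8) strcpy(pl->paths[pl->n++], path); /* path is always < PATH_BUF */
}

/* Decode every entry in db[]; returns the entry count, or -1 on malformed input.
 * The count check is the sanity check the advisory says is missing: without it
 * a negative delta moves p before path[] and the suffix is written elsewhere. */
int locatedb_old_decode(const uint8_t *db, size_t len,
                        void (*cb)(const char *, void *), void *arg)
{
    char path[PATH_BUF];
    int count = 0, entries = 0;      /* count is cumulative across entries */
    size_t i = 0;

    while (i < len) {
        int c = db[i++];
        if (c == LOCATEDB_OLD_ESCAPE) {
            if (i + 2 > len) return -1;
            int delta = (db[i] << 8) | db[i + 1];
            if (delta >= 0x8000) delta -= 0x10000;     /* sign-extend 16 bits */
            count += delta;
            i += 2;
        } else {
            count += c - LOCATEDB_OLD_OFFSET;
        }
        if (count < 0 || count >= PATH_BUF) return -1; /* the missing range check */
        char *p = path + count;
        while (i < len && db[i] != '\n') {
            if (p >= path + PATH_BUF - 1) return -1;    /* suffix would overflow */
            *p++ = (char)db[i++];
        }
        if (i++ >= len) return -1;                      /* truncated entry */
        *p = '\0';
        cb(path, arg);
        entries++;
    }
    return entries;
}

/* Constructed sample: /usr, /usr/bin, /usr/bin/locate, /etc (ESCAPE, delta -7). */
static const uint8_t sample_db[] = {
    14, '/', 'u', 's', 'r', '\n', 18, '/', 'b', 'i', 'n', '\n',
    18, '/', 'l', 'o', 'c', 'a', 't', 'e', '\n',
    LOCATEDB_OLD_ESCAPE, 0xFF, 0xF9, 'e', 't', 'c', '\n' };
/* Constructed malformed entry: ESCAPE with delta -32768, rejected by the check. */
static const uint8_t bad_db[] = { 14, '/', 'u', 's', 'r', '\n',
    LOCATEDB_OLD_ESCAPE, 0x80, 0x00, 'x', '\n' };
```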
Current thread:
- Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Linux Mailing Lists (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeffrey Denton (Aug 03)
- <Possible follow-ups>
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Olaf Bohlen (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Brian Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Dylan Griffiths (Aug 02)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Felipe Franciosi (Aug 06)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Nasir Simbolon (Aug 02)