Vulnerability Development mailing list archives

Re: slocate bug.


From: KF <dotslash () snosoft com>
Date: Thu, 14 Feb 2002 11:39:17 -0500

Here are the details on Mandrake Linux:

[elguapo@linux elguapo]$ ls -al `which slocate`
-rwxr-sr-x    2 root     slocate     24956 Apr  6  2001 /usr/bin/slocate*
[elguapo@linux elguapo]$ uname -a
Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
[elguapo@linux elguapo]$ cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586
[elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault

(gdb) r -r `perl -e 'print "A" x 65026'`
Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x400eeb69 in regerror () from /lib/libc.so.6
(gdb) bt
#0  0x400eeb69 in regerror () from /lib/libc.so.6
#1  0x0804aa99 in strcpy ()

(gdb) i r
eax            0x400    1024
ecx            0xd      13
edx            0x0      0
ebx            0x40149f2c       1075093292
esp            0xbffef8f0       0xbffef8f0
ebp            0xbffef908       0xbffef908
esi            0x40141304       1075057412
edi            0x0      0
eip            0x400eeb69       0x400eeb69

-KF
Ehud Tenenbaum wrote:

Hey,

It's a good time to announce that 2xs security LTD. decided to
create a research team in order to focus on finding new bugs;
furthermore, we managed to develop a security tool to discover
bugs/security flaws. In the near future, the tool itself will become
an open source project.

slocate (Secure locate) comes with the default installation in Red Hat
Linux, suid to slocate.

bash-2.05$ ls -al /usr/bin/slocate
-rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate

bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault

bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
[...] no segfault [...]

We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurelien,
aurelien.cabezon () isecurelabs com).

The segfault is due to a null pointer:
because regcomp() will return 0 when the buffer is bigger
than 65028 bytes, regerr() will then be called, but the
programmer forgot to allocate his errbuf variable,
so it is called with errbuf=NULL (see line 1193, main.c).

Should anyone have questions or comments, you can email us:

analyzer () 2xss com
izik () 2xss com
mixter () 2xss com

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
                                 Have A Safe Day
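The crash described in the thread comes from handing regerror() an errbuf that was never allocated. The following is an added example, not slocate's code and not from either poster, showing the regerror() idiom that avoids it: query the required length with a NULL buffer and size 0 (the only combination the API permits), then write the diagnostic into a buffer the caller actually owns. The function names compile_pattern() and check_pattern() and the 65026-byte pattern built in main() are constructed for this illustration.

```c
/* Added example (not slocate's code): regcomp()/regerror() error handling
   that never dereferences an unallocated errbuf. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile `pattern` into `preg`. On failure, write a NUL-terminated
   diagnostic into the caller's `errbuf` and return the non-zero
   regcomp() status. Returns 0 on success. */
int compile_pattern(const char *pattern, regex_t *preg,
                    char *errbuf, size_t errbuf_len)
{
    int rc = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        return 0;

    /* regerror() accepts a NULL buffer only together with a size of 0;
       that call returns the length (including the NUL) the message needs.
       NULL with a non-zero length is exactly the bug in the report. */
    size_t needed = regerror(rc, preg, NULL, 0);

    if (errbuf != NULL && errbuf_len > 0) {
        /* With a real buffer regerror() truncates and always terminates,
           so a fixed-size buffer is safe; we just note the truncation. */
        regerror(rc, preg, errbuf, errbuf_len);
        if (needed > errbuf_len)
            fprintf(stderr, "warning: regex error message truncated\n");
    }
    return rc;
}

/* Wrapper used by the test: returns the regcomp() status for `pattern`
   and leaves the diagnostic (empty on success) in `msg`. */
int check_pattern(const char *pattern, char *msg, size_t msg_len)
{
    regex_t re;
    if (msg_len > 0)
        msg[0] = '\0';
    int rc = compile_pattern(pattern, &re, msg, msg_len);
    if (rc == 0)
        regfree(&re);   /* only a successful compile owns resources */
    return rc;
}

int main(int argc, char **argv)
{
    char msg[256];
    /* Constructed input mirroring the report: a pattern of 65026 'A's
       (or a length given on the command line). Whether this libc rejects
       it or not, the result is a message or a compiled regex, not a crash. */
    size_t n = (argc > 1) ? strtoul(argv[1], NULL, 10) : 65026;
    char *big = malloc(n + 1);
    if (!big)
        return 1;
    memset(big, 'A', n);
    big[n] = '\0';

    int rc = check_pattern(big, msg, sizeof msg);
    printf("%zu-byte pattern: %s\n", n, rc == 0 ? "compiled" : msg);

    rc = check_pattern("[unterminated", msg, sizeof msg);
    printf("invalid pattern: rc=%d (%s)\n", rc, msg);

    free(big);
    return 0;
}
```

Note that a failed regcomp() leaves the regex_t in an unspecified state, so regfree() is only called on the success path; the diagnostic is taken from regerror() before the object is discarded.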

