Vulnerability Development mailing list archives
Re: slocate bug.
From: KF <dotslash () snosoft com>
Date: Thu, 14 Feb 2002 11:39:17 -0500
Here's the details on Mandrake Linux

[elguapo@linux elguapo]$ ls -al `which slocate`
-rwxr-sr-x    2 root     slocate     24956 Apr  6  2001 /usr/bin/slocate*
[elguapo@linux elguapo]$ uname -a
Linux linux.ckfr.com 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
[elguapo@linux elguapo]$ cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for i586
[elguapo@linux elguapo]$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault

(gdb) r -r `perl -e 'print "A" x 65026'`
Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`
(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x400eeb69 in regerror () from /lib/libc.so.6
(gdb) bt
#0  0x400eeb69 in regerror () from /lib/libc.so.6
#1  0x0804aa99 in strcpy ()
(gdb) i r
eax            0x400            1024
ecx            0xd              13
edx            0x0              0
ebx            0x40149f2c       1075093292
esp            0xbffef8f0       0xbffef8f0
ebp            0xbffef908       0xbffef908
esi            0x40141304       1075057412
edi            0x0              0
eip            0x400eeb69       0x400eeb69

-KF

Ehud Tenenbaum wrote:
Hey,
It's a good time to announce that 2xs security LTD. decided to
create a research team in order to focus on finding new bugs;
furthermore, we managed to develop a security tool to discover
bugs/security flaws. In the near future, the tool itself will become
an open source project.
slocate (Secure locate) comes with the default installation of Red Hat
Linux, suid to slocate.
bash-2.05$ ls -al /usr/bin/slocate
-rwxr-sr-x 1 root slocate 20880 dec 18 2000 /usr/bin/slocate
bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault
bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
[...] no segfault [...]
We found a non-exploitable bug, which was pointed out by KoSak (Cabezon Aurilien,
aurelien.cabezon () isecurelabs com):
the segfault is due to a null pointer,
because regcomp() will return 0 when the buffer is bigger
than 65028 bytes; then regerr() will be called, but the
programmer forgot to allocate his errbuf variable,
so it is called with errbuf=NULL. (See line 1193, main.c.)
Should anyone have questions or comments, you can email us:
analyzer () 2xss com
izik () 2xss com
mixter () 2xss com
--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
Have A Safe Day
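Added example, not code from slocate or from either poster: a hypothetical C reconstruction of the failure mode described in the thread (regcomp() fails, regerror() is then called with an errbuf that was never allocated) next to the correct two-call regerror() idiom that sizes the buffer first. The pattern "(" is assumed as a portable input that regcomp() rejects under REG_EXTENDED; the 65026-'A' pattern from the post is rebuilt as well so the reader can see whether the libc at hand still rejects it, since the post attributes the original failure to a pattern-size limit in the libc of the time.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical reconstruction of the bug described in the post (not
 * slocate's code): regcomp() rejects the pattern, the program calls
 * regerror() to format the message, but the destination buffer was never
 * allocated. A NULL errbuf with a NON-ZERO errbuf_size is undefined; libc
 * copies the message through the null pointer and the process dies inside
 * regerror(), which is where the posted backtrace stops.
 * Never called by the test: it is expected to crash.
 */
int report_unsafe(const char *pattern)
{
    regex_t re;
    char *errbuf = NULL;   /* the "forgot to allocate errbuf" case */
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        regerror(rc, &re, errbuf, 256);   /* NULL destination, size 256 */
        fprintf(stderr, "regcomp: %s\n", errbuf);
    }
    return rc;
}

/*
 * Safe form of the same check. regerror() with errbuf_size == 0 is the
 * documented way to ask for the required size (errbuf is not touched, so
 * NULL is legal there); only then is the buffer allocated and filled.
 * Returns regcomp()'s status. On failure *msg_out receives a malloc'd
 * message (caller frees it; NULL only if malloc failed). On success
 * *msg_out is NULL and *re is ready for regexec()/regfree().
 */
int compile_checked(const char *pattern, int cflags, regex_t *re, char **msg_out)
{
    *msg_out = NULL;
    int rc = regcomp(re, pattern, cflags);
    if (rc == 0)
        return 0;

    size_t need = regerror(rc, re, NULL, 0);   /* size query, includes NUL */
    char *msg = malloc(need);
    if (msg != NULL)
        regerror(rc, re, msg, need);            /* buffer exists now */
    *msg_out = msg;
    /* No regfree() here: after a failed regcomp() the object is not a
     * valid compiled expression, and regfree() on it is not defined. */
    return rc;
}

/*
 * Rebuilds the post's trigger, a pattern of n repeated 'A's (what
 * perl -e 'print "A" x 65026' produces). Returns regcomp()'s status so the
 * caller can see whether this libc rejects such a pattern; the value is
 * reported rather than asserted because it is libc-specific.
 */
int oversize_pattern_status(size_t n, char **msg_out)
{
    char *pat = malloc(n + 1);
    if (pat == NULL) {
        *msg_out = NULL;
        return -1;
    }
    memset(pat, 'A', n);
    pat[n] = '\0';
    regex_t re;
    int rc = compile_checked(pat, REG_EXTENDED | REG_NOSUB, &re, msg_out);
    if (rc == 0)
        regfree(&re);
    free(pat);
    return rc;
}

int main(void)
{
    regex_t re;
    char *msg;
    int rc;

    /* "(" is unbalanced under REG_EXTENDED, so regcomp() fails on any libc. */
    rc = compile_checked("(", REG_EXTENDED | REG_NOSUB, &re, &msg);
    printf("pattern \"(\": rc=%d msg=%s\n", rc, msg ? msg : "(null)");
    free(msg);

    rc = oversize_pattern_status(65026, &msg);
    printf("65026 x 'A': rc=%d msg=%s\n", rc, msg ? msg : "(compiled OK)");
    free(msg);

    /* report_unsafe("(") would reproduce the SIGSEGV; left uncalled. */
    return 0;
}
```

The two calls to regerror() are the whole fix: the first, with a size of 0, may legally take a NULL buffer and only reports how many bytes the message needs; the second writes into memory that actually exists. A fixed-size stack buffer works just as well, as long as the size passed to regerror() is the real size of that buffer.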