Bug in "lockdev" on Redhat 8.x

[Day Jay <d4yj4y () yahoo com>]

Chung's Donut Shop Release
==========================
www.chungsdonutshop.com

Bug in "lockdev" on Redhat 8.x
-------------------------------
by d4yj4y
d4yj4y () chungsdonutshop com

"lockdev" on Redhat 8.x segfaults with a default
switch without any parameters. lockdev is setuid
"lock". If successfully exploited could grant
different id.

Per the documentation:

       The lockdev functions act on device locks
normally located in /var/lock. The  lock  is  acquired
creating a pair of files hardlinked between them and
named after the device name....

Anyway, the program must not be called often by itself
(assumption). It's probably called by other prorams
but anyway, it doesn't even validate it's options
well.

See below:

[root@yourmom]# /usr/sbin/lockdev -l
Segmentation fault
[root@yourmom]# gdb /usr/sbin/lockdev
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General
Public License, and you are welcome to change it
and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show
warranty" for details. This GDB was configured as
"i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args -l
(gdb) run
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols
found)...
Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
(gdb)

I haven't been able to overwrite the eip, and taking a
look at the strrchr() function told me why it would be
hard.

I don't know if this can even be exploited but it's
still a bug.





__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html