88935 2003-01-24 20:57 /65 lines/ <inkubus@hushmail.com>
Imported: 2003-01-24 20:57 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3225>
Subject: [USG-SA-2003.001] USG Security Advisory (slocate)
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________

USG Security Advisory
http://www.usg.org.uk/advisories/2003.001.txt
inkubus@hushmail.com
USG-SA-2003.001 24-Jan-2003
__________________________________________________

Package: slocate
Vulnerability: local buffer overflow
Type: local
Risk: high, users can gain high privileges in the system.
System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman

Description:
According to research done by USG team members and Knight420, who informed us about this vulnerability a week earlier, there is a local buffer overflow in the slocate package shipped with the newer RedHat distributions. We have tested the vulnerability only in RedHat Linux 7.2 and 7.3, but we think that other Linux/*nix systems that provide the slocate package may be vulnerable too. The overflow appears when slocate is run with two parameters, -c and -r, using as arguments a 1024 (or 10240, as Knight420 has informed us earlier) byte string.

[inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
slocate-2.6-1
- -rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
[inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Segmentation fault
[inkubus@USG audit]$ gdb /usr/bin/slocate
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission denied
warning: You need to run the 'updatedb' command (as root) to create the database.
warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such file or directory
warning: You need to run the 'updatedb' command (as root) to create the database.
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x42080b1b in strlen () from /lib/i686/libc.so.6
(gdb)

The exploitation is trivial; we have already coded a POC exploit that will be published to bugtraq in the next days.

The author has been notified via: klindsay@mkintraweb.com

- -------------------------------------------------------------------
inkubus@hushmail.com
Resistance is futile, you will be assimilated.
- -------------------------------------------------------------------
EOF

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4xWyAVHGlua3VidXNAaHVzaG1haWwuY29tAAoJEMbSI7uQOmRNBfUA
n3Pl47u652dkpjZHqEefppWaPGwtAJ4kn6cTWwPLmNxLL1Ai8Hb3SVy0Rg==
=M12Y
-----END PGP SIGNATURE-----
(88935) / <inkubus@hushmail.com>/---------(Rewrapped)
Comment in text 88946 by Kevin Lindsay <klindsay@mkintraweb.com>

88946 2003-01-25 10:19 /36 lines/ Kevin Lindsay <klindsay@mkintraweb.com>
Imported: 2003-01-25 10:19 by Brevbäraren
External recipient: inkubus@hushmail.com
Recipient: Bugtraq (import) <3232>
Comment to text 88935 by <inkubus@hushmail.com>
Subject: Re: [USG-SA-2003.001] USG Security Advisory (slocate)
------------------------------------------------------------
All fixed. I don't have a specific patch; other changes were incorporated into this version (2.7).

ftp://ftp.geekreview.com/slocate/src/slocate-2.7.tar.gz

Let me know if anything funky happens.

Kevin-

On Fri, Jan 24, 2003 at 07:27:27AM -0800, inkubus@hushmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________
>
> USG Security Advisory
> http://www.usg.org.uk/advisories/2003.001.txt
> inkubus@hushmail.com
> USG-SA-2003.001 24-Jan-2003
> __________________________________________________
>
> Package: slocate
> Vulnerability: local buffer overflow
> Type: local
> Risk: high, users can gain high privileges in the system.
> System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
> Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman
>

---------------------------------------------------
Kevin Lindsay
Debian Developer
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4
(88946) /Kevin Lindsay <klindsay@mkintraweb.com>/(Rewrapped)
Attachment (application/pgp-signature) in text 88947

88947 2003-01-25 10:19 /8 lines/ Kevin Lindsay <klindsay@mkintraweb.com>
Imported: 2003-01-25 10:19 by Brevbäraren
External recipient: inkubus@hushmail.com
Recipient: Bugtraq (import) <3233>
Attachment (text/plain) to text 88946
Subject: Attachment to: Re: [USG-SA-2003.001] USG Security Advisory (slocate)
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+MiPIUZpV8HRsUfQRAnP2AJ4wpVR1qZOE5beEfKi0BU40zbo9RACfVDkc
+LbvVWomlpWyexUCPsNXslg=
=B9No
-----END PGP SIGNATURE-----
(88947) /Kevin Lindsay <klindsay@mkintraweb.com>/---
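The advisory above reports a crash in strlen() when slocate 2.6 is given 1024-byte values for -c and -r, but neither the slocate source nor the 2.7 fix is shown in the thread. The following C program is an added example (not slocate's code and not Kevin Lindsay's patch) contrasting the generic unchecked-copy pattern behind this bug class with a bounded copy that refuses over-long arguments and fails closed. The buffer size, the function names and the sample arguments are assumptions chosen for illustration.

```c
/* Added example, not from slocate: bounded handling of command-line
 * arguments in a privileged (setgid) program. Buffer size and names are
 * hypothetical; the 1024-byte input mirrors the advisory's perl one-liner. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* hypothetical fixed-size stack buffer */

/* Unsafe pattern, shown only for contrast and never given the long input
 * below: strcpy() trusts the length of argv. A 1024-byte argument overruns
 * a 256-byte buffer and corrupts whatever follows it on the stack, which is
 * how a later library call such as strlen() ends up faulting. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: look for the terminator only within dst_len bytes of
 * src, reject input that does not fit, and always NUL-terminate.
 * Returns 0 on success, -1 on over-long or invalid input so the caller can
 * fail closed (print usage and exit) rather than continue with a truncated
 * or corrupted value. memchr() never reads past dst_len bytes of src. */
int copy_arg_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return -1;                   /* no terminator within dst_len: too long */
    size_t n = (size_t)(end - src);  /* n < dst_len, so n + 1 bytes fit */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Mirrors the advisory's two flags: copies the -c and -r values into
 * fixed buffers and reports whether both were accepted. */
int parse_c_and_r(const char *c_arg, const char *r_arg,
                  char *c_buf, char *r_buf, size_t buf_len)
{
    if (copy_arg_checked(c_buf, buf_len, c_arg) != 0)
        return -1;
    if (copy_arg_checked(r_buf, buf_len, r_arg) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char c_buf[PATH_BUF], r_buf[PATH_BUF];

    /* Constructed 1024-byte argument, the length used in the advisory. */
    char *big = malloc(1025);
    if (big == NULL)
        return 1;
    memset(big, 'A', 1024);
    big[1024] = '\0';

    printf("short args:     %s\n",
           parse_c_and_r("/etc/updatedb.conf", "/tmp",
                         c_buf, r_buf, sizeof c_buf) == 0 ? "accepted" : "rejected");
    printf("1024-byte args: %s\n",
           parse_c_and_r(big, big, c_buf, r_buf, sizeof c_buf) == 0 ? "accepted" : "rejected");

    free(big);
    return 0;
}
```

The design point is that the check happens before any copy and the result is an error the caller must handle, so a privileged binary cannot be pushed into a corrupted state by argument length alone; truncating silently would avoid the crash but could still make the program operate on a path the user did not intend.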