101924 2003-05-19  23:14  /3 lines/ bazarr@ziplip.com <bazarr@ziplip.com>
Imported: 2003-05-19  23:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: bazarr@ziplip.com
Recipient: Bugtraq (import) <4942>
Subject: bazarr slocate
------------------------------------------------------------
dis advisory contains many an ascii diagram so it is attached in .txt

-bazarr
(101924) /bazarr@ziplip.com <bazarr@ziplip.com>/----
Attachment (text/plain) in text 101925
101925 2003-05-19  23:14  /251 lines/ bazarr@ziplip.com <bazarr@ziplip.com>
Attachment filename: "bazarr-slocate-adv.txt"
Imported: 2003-05-19  23:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: bazarr@ziplip.com
Recipient: Bugtraq (import) <4943>
Attachment (text/plain) to text 101924
Subject: Attachment (bazarr-slocate-adv.txt) to: bazarr slocate
------------------------------------------------------------
/* slocate <= x.x integer overflow advisory!!!  	 */
/* by: bazarr						 */
/* bazarr@ziplip.com					 */
/* bazarr episode #1					 */

------------------------
PREFACE

today after i got home from soccer practice (i am the only male
cheerleader on the team. the only cheerleader on the team at all
actually) and every time i asked the coach to let me play, the coach
kept saying i fight for 'the pink team'. whatever that
means. feeling sad that we lost against the lilly pads and my mom
didn't buy me spy kids 2 for dvd. i came home and was clicking and
pointing around everywhere on my laptop and i came across slocate.

seeing the 'secure' in its name i figured i was safe from EVIL. I WAS
WRONG

lets take a look at vendor info:

Secure locate provides a secure way to index and quickly search for
files on your system. It uses incremental encoding just like GNU
locate to compress its database to make searching faster, but it will
also store file permissions and ownership so that users will not see
files they do not have access to. It is a bit slower than the GNU
locate, but that's the price for security.

------------------------
BEEF

after trying numerous perl -e attempts to hack slocate i decided this
time i actually have to look at the src code. after seeing the
revolutionary phrack article i learned that the new integer overflow
attack or int too big attack is becoming very very popular. i
decided to grep main.c of slocate for all lines containing the word
'int' and i came across the function parse_decode_path(). this function
contains numerous int type variables, all wid possibility for int too
big attack.

lets take a look at source code:

void
    parse_decode_path(char *path)
{
        char *pathcopy;
        char *part;
        int i;
        int res_errno;
        /* Make sure path is not empty */  
        if (!path || strlen(path) == 0) return;

        /* Check how many paths are currently in the string. */
        i = 1;
        part = path;
        while ((part = strchr(part+1, ':'))) i++; //dis 

        /* Allocate enough space to fit existing paths plus new one */
        SLOCATE_PATH = malloc(i * sizeof(char *)); //dis be it right here
        if (!SLOCATE_PATH)
            report_error(FATAL,QUIET,"%s: parse_decode_path: 'SLOCATE_PATH': malloc: %s\n",progname,strerror(errno));

        pathcopy = malloc(strlen(path)+1);
        if (!pathcopy)
            report_error(FATAL,QUIET,"%s: parse_decode_path: 'pathcopy': malloc: %s\n",progname,strerror(errno));

        strcpy(pathcopy,path);

....

        while (part) {
                /* Make sure the path is valid */
                if (!(res_errno = validate_db(part)))
                  SLOCATE_PATH[i++] = part;
                else {
                        if (res_errno == -1)
                            report_error(WARNING,QUIET,"%s: this is not a valid slocate database: %s\n",progname,part);
                        else
                            report_error(WARNING,QUIET,"%s: could not open database: %s: %s\n",progname,part,strerror(res_errno));
                }
                /* Get next path */
                part = strtok(NULL, ":");
        }
....

}

.....
main (int argc,char **argv) {
.....
parse_decode_path(getenv("LOCATE_PATH"));
.....
}


who can also see the int too big attack possibility here?

while ((part = strchr(part+1, ':'))) i++; 

we can control 'part' so we can make 'i' as big as we want!
den it go like dis

SLOCATE_PATH = malloc(i * sizeof(char *));

if we can get more den 536870912 ':'s into path we can force it to
malloc TOO LOW.  its working like dis:

|       _
|   _.-' )	dis dead bear represents malloc 
|  (_ , '\ __	he od'd on dxm and coke  
|    \__^/` _)
|   .-'_    \
|  (_.' \    '--.
|       /_ /`-._/
|      (__/

| (__)  dis cow represents what figure 1 is sposed to malloc. 
| OO )_______ dis cow is obviously healthy but hes high on weed
| |_/\       |\ and lsd. notice his pupils very big. and he look paranoid. 
|    ||___  | \
|    ||   W||

|    \\ dis rabbit represents what figure 1 (dead bear) might malloc in case of 'int too big' attack 
|     \\_  dis rabbit is very small and cannot go pound for pound wid a big buffer.
|  .---(')
| o( )_-\_

it has come to attention that not all linux kernel allow 536870912
bytes of arguments for programs over command line. i know many a
people who have argument list problems have recompiled dey kernel
redefining MAX_ARG_PAGES to a bigger value which let them put
536870912 bytes into program arg list. for dose certain people. dey
vuln to dis bug which could let a hacker gain root on machine.

------------------------
PATCH

slocate needs to check to make sure value of 'i' is not >
SLOCATE_CODER_DEFINE_DIS before it mallocs to 'i' * 4. (NOTE: 4 is
sizeof(char*))
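as an added example (neither slocate's code nor the advisory's), this models the ':' counting and the unchecked i * sizeof(char *) product from the BEEF section with explicit 32-bit unsigned arithmetic, so the wrap is reproducible on a 64-bit host, and puts the bounds check the PATCH section asks for beside it. it assumes an ILP32 build where sizeof(char *) is 4; the database path and the sample counts are constructed.

```c
/* Added example: models slocate's parse_decode_path() size computation.
 * Assumption: 32-bit build, sizeof(char *) == 4, size_t is 32 bits. */
#include <stdint.h>
#include <string.h>

#define PTR_SIZE 4u   /* sizeof(char *) on the assumed ILP32 target */

/* Count ':'-separated components the way the excerpt does:
 * one more than the number of ':' characters in the string. */
uint32_t count_path_parts(const char *path)
{
    uint32_t i = 1;
    const char *part = path;
    if (!path || path[0] == '\0')
        return 0;                      /* the original returns early here */
    while ((part = strchr(part + 1, ':')))
        i++;
    return i;
}

/* Vulnerable computation: i * sizeof(char *) done in 32-bit size_t.
 * The product silently wraps once i reaches 1 << 30 (2^30 * 4 == 2^32),
 * so malloc() is handed a tiny request for a huge path list. */
uint32_t unchecked_alloc_size(uint32_t nparts)
{
    return nparts * PTR_SIZE;
}

/* Fixed computation: refuse any count whose product would not fit.
 * Returns the byte count, or 0 when nparts is zero or would overflow;
 * a caller treats 0 as the FATAL condition the PATCH section describes. */
uint32_t checked_alloc_size(uint32_t nparts)
{
    if (nparts == 0 || nparts > UINT32_MAX / PTR_SIZE)
        return 0;
    return nparts * PTR_SIZE;
}
```

with 32-bit arithmetic the product first wraps to zero at 1 << 30 components; at 536870912 (2^29) it is exactly 2^31 bytes, a huge but non-wrapped request.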
					
------------------------
END NOTES

obviously not everyone vuln to dis bug and many others like it. but
someone out dare might just find themselves wid no /var/log cuz a
hacker gained root and used the rm(1) program to rm all files in
directory. dis is not as far fetched as it seem. dis is not sposed to
alarm da whole world but it sposed to spark conversation. thank you,
send fan mail to bazarr@ziplip.com, plz angry blackhats do not send
hate mail, i know i just exposed a bug which you probably been using
for long time to gain root on machines, but its time for this bug to
come forward.

------------------------
ADVANCE WARNING 

xploit for popular program shipped wid debian by default which allow
hackers to gain root is coming soon. but only if bugtraq take me
seriously. i am very serious security researcher i want nothing more
den to help the security world. i know some people think i am a
little bazarr but that is just me cuz i am bazarr. im also coming
out wid documentary series on ring member species. the inner ring
member species is a select group sharing information/xploits. and
sometimes they xploit double free bugs in ftpd's. and off by one
qpoppers. the documentary will be covering der tribulistic rituals.
including mating ritual which is very rare information.

dis is an actual photograph of many inner ring member gathering from
many tribes:
 										     
   \\\|||///               \\\|||///                \\\|||///                        __  
 .  =======              .  =======                  =======                       _/o \                  //  
/ \|  o  O |            /|\|  O  o |                | O  o  |                     /_    |              |//|/       
\ /  \ _'/-[hear about] \|/  \ -'/-[ya whanna]        \ -'/-[im workin on]  [GOB]- W\   /             |/////  
 #   _| |_  [proftpd]    #   _| |_ [work on it]       _|T|_  [the qpop]     [GOBBLE] \  \  __________||//|/
(#) ( ADM )  [bug?]     (#) ( SYN ) [with me?]       (  E  )  [bug now]     [GOB]     \  \/ GOBBLES  /|-//-
 #\//|* *|\\             #\//|* *|\\                //| S |\\                          |    _____     /-
 #\/(  *  )/             #\/(  *  )/                \(  O  )/                          |     _____    /
 #   =====               #   =====                    =====                             \   _____   /
 #   (\_/)               #   (\_/)                    (\_/)                               \_/  \___/
 #   || ||               #   || ||                    || ||                                 \  //
 #---'| |----.          .#---'| |----.           .----'| |----.                              ||||   
 #----' -----'           #----' -----'           '-----' '-----'                             Z_>>
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
                                                                                             
the purpose of the documentary is to familiarize the general public
wid inner ring members (our idols). the documentary is for the little
guy like myself. who has no connection to da scene but hes interested
in popular ring member activities. i am pioneering the first
interactions between dees rare creatures and the average public. but
i been using der xploits so long i feel like we all best friends.
more to come on dis subject soon.

------------------------
PAST ACCOMPLISHMENTS

i have xploited gera's abo1-10(NOT INCLUDING 2,8,9,10,7,4).c,
i dont understand semaphores,
and dont really know what posix stands for(seriously).
and thats really da end of accomplishments.

------------------------
GREETS

ron1n - i spent 2 days d/ling gobbles speech (56k), he said you're
lonely, i'll be your friend. but im kind of dumb (seriously) so i
dunno if you whanna be my friend. but the whole script kiddie class
of 2001 loved remorse.c (i was one of the kids it got leaked to!) i
got da backdoored binary.

i found a possibly xploitable bug in prerr.c of remorse.tar.gz!
dis issue needs to be addressed:

    vsnprintf(msg, sizeof msg, fmt, va); //HACKLOG if i can control 'fmt' dis is owned
    va_end(va); //HACKLOG i dunno what dis does

    if(perr) { 
        /* Not my problem... */  
        snprintf(msg + strlen(msg), sizeof msg - strlen(msg), ": %s", strerror(serrno));
    }

what if msg dont get nulld! and den sizeof msg - strlen msg
possibly could go negative since msg is on da stack and you never
know what be around it, den since size argument to snprintf is a
size_t it will go whacko big! then it overflow wid
strerror(savederrno). i'll mail you wid da bug fix. in older unixes
sometimes strerror might return NULL on error so dis might be local DoS

we can make a small fort out of my parents couch and play twister if
you come over. we can w8 outside gas stations askin people to get us
some old english (malt liquor) i live in da same city as jimjonez so
just get an airplane ticket and we'll have a slumber party just tell
my parents you 18 cuz they gunna think its weird when 20 years old
comes to sleep over wid 16 year old boy

n1nor , remorse.c is one of the reasons i tried to learn to
code(STILL DONT UNDERSTAND SYS V MESSAGE QUEUES).  so thank you ron1n
cuz you cool.

------------------------ 
BYE

hopefully you be seeing more of me. i am one man team wid myself
working on many a xploit and many a advisory (SERIOUSLY). i will be
helping to bring many more bleeding edge security vulnerabilities just
like dis one to dis security community. but for now i have to leave
my mom is making me some grilled cheese sandwiches wid grape kool-aid
but only if i clean my room (seriously). so bye guys

          .=.   	
         //(`)_     
     //`\/ |\ O`\\	
     ||-.\_|_/.-||
     )/ |_____| \(    
     O  # / \ #  O    
       (| 0 o |)        
        |` *  |
    O.__.\---/.__.O       
     `._  `"`  _.'	
        / ;  \ \
      O'-' )/`'-0
          O`	the sad borderline homosexual clown. bazarr.
(101925) /bazarr@ziplip.com <bazarr@ziplip.com>/(Reflowed)
102021 2003-05-20  18:42  /20 lines/ Matt Zimmerman <mdz@debian.org>
Imported: 2003-05-20  18:42  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4950>
Comment on text 101924 by bazarr@ziplip.com <bazarr@ziplip.com>
Subject: Re: bazarr slocate
------------------------------------------------------------
On Mon, May 19, 2003 at 12:16:19PM -0700, bazarr@ziplip.com wrote:

> dey vuln to dis bug wich could let a hacker gain root on machine.
> [...]
> using for long time to gain root on machines, but its time for this bug 
> [...]
> xploit for popular program shipped wid debian by default wich allow
> hackers to gain root is comming soon.

slocate in Debian is shipped setgid slocate only, so even if the user
works hard to make themselves vulnerable by recompiling the kernel to
use an absurd limit, an exploit only exposes read-only access to the
slocate database (a list of files on the system).  It does _not_
grant root access by any means.

-rwxr-sr-x    1 root     slocate     24664 2003-02-17 22:59 /usr/bin/slocate

-- 
 - mdz
(102021) /Matt Zimmerman <mdz@debian.org>/(Reflowed)