Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [MSY] S(ecure)Locate heap corruption vulnerability
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 27 Nov 2000 23:57:15 +0100

On Sun, 26 Nov 2000, Michel Kaempf wrote:

A few days ago, zorgon <zorgon () linuxstart com> discovered a problem in
Secure Locate v2.1. When decoding an invalid database specified by a
local user (thanks to the -d command line option), slocate dies with a
segmentation violation:

I've discovered "slocate user-supplied database file parsing problems"
some time ago and posted nice bugreport to BUGTRAQ:

http://www.securityfocus.com/archive/1/66045

(...snip...)
- slocate - custom input file can be specified using LOCATE_PATH;
            due to almost no input validation, it's possible to
            supply many different input patterns, some of them will
            cause potentially exploitable SEGVs; please review this
            code. Ah, forgotten, gid slocate can be used to
            access slocate database in unrestricted mode (every
            file in filesystem indexed, including eg. /root,
            web scripts etc),
(...snip...)

I am impressed it hasn't been fixed yet. Amazing.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]