Vulnerability Development mailing list archives

RE: slocate bug.


From: "John Adair" <J.Adair () SempermedUSA com>
Date: Fri, 15 Feb 2002 09:21:37 -0500

I just thought I would share some information. The /usr/bin/slocate binary
is setgid slocate on Cobalt's Cube III. I have not found this to be
exploitable on Cobalt's Cube III.

[root /root]# slocate --version
Secure Locate v2.4 - Released November 28, 2000
[root /root]# uname -a
Linux Cobalt 2.2.16C32_III #1 Fri Nov 9 21:54:54 PST 2001 i586 unknown
[root /root]# ls -al /usr/bin/slocate
-rwxr-sr-x   1 root     slocate     20880 Dec 18  2000 /usr/bin/slocate*
[root /root]# gdb slocate
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) run -r `perl -e 'print "A" x 65026'`
Starting program: /usr/bin/slocate -r `perl -e 'print "A" x 65026'`

Program received signal SIGSEGV, Segmentation fault.
0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27) at
../sysdeps/generic/memcpy.c:55
55      ../sysdeps/generic/memcpy.c: No such file or directory.
(gdb) backtrace
#0  0x40078487 in memcpy (dstpp=0x0, srcpp=0x400ffb44, len=27) at
../sysdeps/generic/memcpy.c:55
#1  0x400b563b in __regerror (errcode=15, preg=0x805fbb0, errbuf=0x0,
errbuf_size=1024) at regex.c:5849
#2  0x804a8d0 in read ()
#3  0x804b13c in read ()
#4  0x400309cb in __libc_start_main (main=0x804ae00 <read+7976>, argc=3,
argv=0xbffefe04, init=0x8048b68,
    fini=0x804b84c <read+10612>, rtld_fini=0x4000ae60 <_dl_fini>,
stack_end=0xbffefdfc) at ../sysdeps/generic/libc-start.c:92
(gdb) info registers
eax            0x1b     27
ecx            0x6      6
edx            0x0      0
ebx            0x401081cc       1074823628
esp            0xbffefb8c       -1073808500
ebp            0xbffefb94       -1073808492
esi            0x400ffb44       1074789188
edi            0x0      0
eip            0x40078487       1074234503
eflags         0x10217  66071
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
cwd            0xffff037f       -64641
swd            0xffff0000       -65536
twd            0xffffffff       -1
fip            0x4004c7e4       1074055140
fcs            0x77d0023        125632547
fopo           0xbffffc54       -1073742764
fos            0xffff002b       -65493

- - -
Opinions expressed do not necessarily represent the views of my employer.

Ehud Tenenbaum wrote:

Hey,

It's a good time to announce that 2xs security LTD. decided to
create a research team in order to focus on finding new bugs;
furthermore, we managed to develop a security tool to discover
bugs/security flaws. In the near future, the tool itself will become
an open source project.

slocate (Secure Locate), which comes with the default installation
of Red Hat Linux, is suid to slocate.

bash-2.05$ ls -al /usr/bin/slocate
-rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate

bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault

bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
[...] no segfault [...]

We found a non-exploitable bug, which was pointed out by KoSak
(Cabezon Aurilien, aurelien.cabezon () isecurelabs com).

The segfault is due to a null pointer, because regcomp() will return 0
when the buffer is bigger than 65028 bytes; then regerr() will be called,
but the programmer forgot to allocate his errbuf variable, so it is
called with errbuf=NULL (see line 1193, main.c).

Should anyone have questions or comments, you can email us:

analyzer () 2xss com
izik () 2xss com
mixter () 2xss com

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
                                 Have A Safe Day
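The crash both posts describe is regerror() being handed errbuf=NULL together with a non-zero errbuf_size, so libc memcpy()s the message into address 0. The following is an added example, not slocate's code and not from either post; the function names (safe_regerror, try_compile, compile_long_literal) are hypothetical. It shows the correct regerror() idiom (query the needed size with errbuf_size == 0, allocate, then call again) and reruns the thread's long-literal test through that safe path; whether regcomp() rejects the 65026-byte pattern depends on the regex engine, but the failure path no longer dereferences NULL.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Correct regerror() usage: with errbuf_size == 0 the buffer is not written
 * and the return value is the size (including NUL) the message needs. The
 * buggy form in the thread skipped this step and passed NULL with size 1024. */
static char *safe_regerror(int rc, const regex_t *preg)
{
    size_t need = regerror(rc, preg, NULL, 0);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    regerror(rc, preg, buf, need);
    return buf;
}

/* Compile a pattern. On failure return the regcomp() error code and store a
 * heap-allocated message in *errmsg (caller frees); on success *errmsg is NULL. */
static int try_compile(const char *pattern, regex_t *preg, char **errmsg)
{
    int rc = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    *errmsg = (rc != 0) ? safe_regerror(rc, preg) : NULL;
    return rc;
}

/* Same shape as the thread's test: a constructed literal pattern of n 'A's,
 * passed through the safe path so an oversized pattern reports, not crashes. */
static int compile_long_literal(size_t n, char **errmsg)
{
    char *pattern = malloc(n + 1);
    if (pattern == NULL) { *errmsg = NULL; return -1; }
    memset(pattern, 'A', n);
    pattern[n] = '\0';
    regex_t re;
    int rc = try_compile(pattern, &re, errmsg);
    if (rc == 0)
        regfree(&re);
    free(pattern);
    return rc;
}

int main(void)
{
    char *msg;
    regex_t re;
    int rc = try_compile("[abc", &re, &msg);   /* unbalanced bracket: must fail */
    printf("rc=%d msg=%s\n", rc, msg ? msg : "(none)");
    free(msg);
    rc = compile_long_literal(65026, &msg);    /* the -r length from the thread */
    printf("long literal rc=%d msg=%s\n", rc, msg ? msg : "(none)");
    free(msg);
    return 0;
}
```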