re: slocate vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Actually it isn't a buffer overflow at all. Slocate can be crashed with "slocate -r A -c A" as well, no need to feed 1024 A's.
If you had taken a look at the code instead of guessing from gdb backtraces, you could've wound up about here:
    int j = optind;
    int i = 0;

    if (REGEXP)
        while (SLOCATE_PATH && (database = SLOCATE_PATH[i++]))
            res |= decode_db(database, regexp_opt);

    while (j < args) {
        /* while ((database = SLOCATE_PATH[i++])) res |= decode_db(database, argv[j++]);
           i = 0;
           - A Bug fix by Hans-Juergen Godau <godau@wi-inf.uni-essen.de>
           - Prevents segfault when using multiple databases */
        while (SLOCATE_PATH && (database = SLOCATE_PATH[i++]))
            res |= decode_db(database, argv[j]);
        i = 0; j += 1;
    }
Where you would have noticed that if both a regular expression and normal search arguments are provided, the variable i, used as an index into SLOCATE_PATH, is out of bounds after the regular expression search, and thus the next loop will feed random values as string pointers to decode_db(). Which will fail the open, try to report the error and all of a sudden finds itself reading from non-mapped addresses. Which generates a nice protection fault.
So even though you can crash slocate, it is not a trivially exploitable buffer overflow, and it probably isn't exploitable at all.
The bug can be fixed by putting the i = 0; in the second loop before the inner SLOCATE_PATH loop, even though the way options are parsed might be reconsidered as well.
On Thu, 2003-01-30 at 16:02, xbuggyx@libero.it wrote:
> The exploitation is trivial ,but with libsafe this buffer
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlgEARECABgFAj45hGYRHHRxYUBodXNobWFpbC5jb20ACgkQrEuaaeyMVAUPhQCgoXCA
n2jF4OSj6O+ZIAIdA+/3cWsAn1M61yqKj7EZx2TvzxnoRXtSd8eE
=D37o
-----END PGP SIGNATURE-----
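The index bug described in the message above, as an added example that is not part of the original post or of slocate's own code. It mirrors the two quoted loops in a self-contained program: SLOCATE_PATH is a constructed two-entry NULL-terminated database list, decode_db() is a stand-in that only records which (database, pattern) pairs would be searched, and run_search() takes a fixed flag that selects between the quoted behaviour (i not reset after the regexp loop) and the fix suggested above (i = 0 before the inner loop). Where the real program would dereference whatever lies past the terminator, the stand-in checks the index and returns -1 instead. The names sample_args, calls_made and SLOCATE_PATH_LEN are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for slocate's database list after option parsing:
 * a NULL-terminated array of paths, SLOCATE_PATH_LEN real entries. */
static const char *SLOCATE_PATH[] = {
    "/var/lib/slocate/slocate.db",
    "/home/user/.slocate.db",
    NULL
};
#define SLOCATE_PATH_LEN 2

/* Stand-in for decode_db(): records the pairs it was asked to search
 * instead of opening anything, and returns 0 like a successful search. */
struct call { const char *db; const char *pattern; };
static struct call calls[16];
static int ncalls;

static int decode_db(const char *db, const char *pattern)
{
    if (ncalls < (int)(sizeof calls / sizeof calls[0])) {
        calls[ncalls].db = db;
        calls[ncalls].pattern = pattern;
        ncalls++;
    }
    return 0;
}

/* Number of decode_db() calls made by the last run_search(). */
int calls_made(void)
{
    return ncalls;
}

/* Mirrors the quoted loops. regexp is the -r argument or NULL; args/argv are
 * the remaining plain search terms.
 *   fixed == 0: i is NOT reset after the regexp loop, exactly as quoted.
 *               Instead of reading past the NULL terminator like the real
 *               program, return -1 at the point where it would do so.
 *   fixed == 1: i = 0 before the inner loop, the fix suggested in the post. */
int run_search(const char *regexp, int args, const char *argv[], int fixed)
{
    const char *database;
    int i = 0, j = 0, res = 0;

    ncalls = 0;

    if (regexp)
        while ((database = SLOCATE_PATH[i++]))
            res |= decode_db(database, regexp);
    /* After that loop i == SLOCATE_PATH_LEN + 1: the post-increment ran
     * once more when the NULL terminator was fetched. */

    while (j < args) {
        if (fixed)
            i = 0;
        for (;;) {
            if (i > SLOCATE_PATH_LEN)   /* next read would be past the terminator */
                return -1;
            database = SLOCATE_PATH[i++];
            if (!database)
                break;
            res |= decode_db(database, argv[j]);
        }
        i = 0;
        j += 1;
    }
    return res;
}

/* Constructed argument list: one plain search term, as in "-r A -c A". */
const char *sample_args[] = { "A" };

int main(void)
{
    int r;

    r = run_search("A", 1, sample_args, 0);
    printf("unfixed: result %d, %d database searches made\n", r, calls_made());
    r = run_search("A", 1, sample_args, 1);
    printf("fixed:   result %d, %d database searches made\n", r, calls_made());
    return 0;
}
```

With only a regexp, or only plain arguments, both variants behave the same; the combination is what leaves i one past the terminator when the second loop starts, which is why a single short argument is enough to trigger it and no long input is involved.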
Received on Thu Jan 30 16:00:41 2003
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:07:37 EDT