Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Josh Smith
Subject: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Date: Mon, 30 Jul 2001 00:16:55 -0400 (EDT)
Submitted by : Josh (address@hidden), lockdown
(address@hidden), zen-parse (address@hidden)
Vulnerability : /usr/bin/locate (findutils-4.1 and before)
Tested On : Slackware 8.0, Slackware 7.1
Local : Yes
Remote : No
Temporary Fix : Update to slocate
Target : root or any other user that runs locate
Requires : UID nobody
Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
slider, cryptix, s0ttle, xphantom, qtip, tirancy,
Defiance, KraZee, synexic, Insane, rusko,
falcon-networks.com.
Other Stuff : We all (individually) need jobs, e-mail the contact people
with [WE HAVE A JOB FOR YOU] in the subject
Ok. It works by taking advantage of the fact that locate accepts old-format
databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset, stored in a
signed integer, giving how many characters to add to the current character
pointer in the path. locate performs no sanity checking of this input. The
exploit tells it to move the pointer back a long way, past the beginning of the
string, all the way to the GOT address for exit(), which then gets the address
of the shellcode added; the program then runs out of database and executes our
code.
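The missing check described above, as an added illustration that is not part of the advisory or of findutils: a decoder for a simplified model of the old locate database format, where each entry is a shared-prefix delta (one byte biased by 14, or the escape byte 30 followed by a 16-bit big-endian signed delta; both the bias and the escape-offset width are assumptions of this model, only the escape byte value comes from the advisory) followed by a NUL-terminated path suffix. The decoder rejects any delta that would move the prefix length outside the previous path, which is exactly the sanity check the advisory says findutils-4.1 lacked. Sample databases are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCATEDB_OLD_ESCAPE 30   /* escape byte named in the advisory */
#define LOCATEDB_OLD_OFFSET 14   /* bias on one-byte deltas: assumed for this model */
#define PATH_CAP 256
#define MAX_PATHS 8

enum { DB_ERR_TRUNCATED = -1, DB_ERR_RANGE = -2, DB_ERR_TOOMANY = -3 };

/* Decode a simplified old-format database into paths[]. Each entry carries a
   delta that adjusts `shared`, the number of leading bytes kept from the
   previous path, then a NUL-terminated suffix. Returns the number of paths
   decoded, or a negative DB_ERR_* code. */
static int old_locatedb_decode(const unsigned char *db, size_t len,
                               char paths[][PATH_CAP], int max_paths)
{
    size_t pos = 0, prev_len = 0;
    long shared = 0;          /* signed on purpose so underflow is visible */
    int n = 0;

    while (pos < len) {
        long delta;
        if (db[pos] == LOCATEDB_OLD_ESCAPE) {
            if (pos + 3 > len) return DB_ERR_TRUNCATED;
            unsigned raw = ((unsigned)db[pos + 1] << 8) | db[pos + 2];
            delta = raw >= 0x8000u ? (long)raw - 0x10000L : (long)raw;
            pos += 3;
        } else {
            delta = (long)db[pos] - LOCATEDB_OLD_OFFSET;
            pos += 1;
        }
        shared += delta;
        /* The sanity check the advisory says was absent: the new prefix
           length must stay within the previous path, never before its start
           (the GOT-overwrite case) and never past its end. */
        if (shared < 0 || (size_t)shared > prev_len) return DB_ERR_RANGE;
        if (n >= max_paths) return DB_ERR_TOOMANY;

        char *out = paths[n];
        if (n > 0) memcpy(out, paths[n - 1], (size_t)shared);  /* keep shared prefix */
        size_t olen = (size_t)shared;
        for (;;) {                       /* copy suffix bytes up to the NUL */
            if (pos >= len) return DB_ERR_TRUNCATED;
            unsigned char c = db[pos++];
            if (c == 0) break;
            if (olen + 1 >= PATH_CAP) return DB_ERR_RANGE;
            out[olen++] = (char)c;
        }
        out[olen] = '\0';
        prev_len = olen;
        n++;
    }
    return n;
}

/* Constructed well-formed database: "/usr/bin", "/usr/bin/locate", "/usr/lib".
   The third entry uses the escape byte with delta -4 (0xFFFC). */
static const unsigned char SAMPLE_GOOD[] = {
    14, '/', 'u', 's', 'r', '/', 'b', 'i', 'n', 0,
    22, '/', 'l', 'o', 'c', 'a', 't', 'e', 0,
    LOCATEDB_OLD_ESCAPE, 0xFF, 0xFC, '/', 'l', 'i', 'b', 0
};
/* Constructed malformed database: escape delta -1000 (0xFC18) after "/tmp". */
static const unsigned char SAMPLE_UNDERFLOW[] = {
    14, '/', 't', 'm', 'p', 0, LOCATEDB_OLD_ESCAPE, 0xFC, 0x18, 'x', 0
};
/* Constructed malformed database: one-byte delta +6 after a 2-byte path. */
static const unsigned char SAMPLE_OVERSHOOT[] = { 14, '/', 'a', 0, 20, 'b', 0 };

static char g_paths[MAX_PATHS][PATH_CAP];

int demo_decode_good(void)
{
    return old_locatedb_decode(SAMPLE_GOOD, sizeof SAMPLE_GOOD, g_paths, MAX_PATHS);
}
const char *demo_path(int i) { return g_paths[i]; }
int demo_decode_underflow(void)
{
    return old_locatedb_decode(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW, g_paths, MAX_PATHS);
}
int demo_decode_overshoot(void)
{
    return old_locatedb_decode(SAMPLE_OVERSHOOT, sizeof SAMPLE_OVERSHOOT, g_paths, MAX_PATHS);
}

int main(void)
{
    int n = demo_decode_good();
    for (int i = 0; i < n; i++) printf("%s\n", demo_path(i));
    printf("underflow db -> %d, overshoot db -> %d\n",
           demo_decode_underflow(), demo_decode_overshoot());
    return 0;
}
```

The check costs one comparison per entry; a parser that trusts a signed delta from an untrusted file without it is doing attacker-controlled pointer arithmetic, which is why the fix belongs in the reader rather than in file permissions on the database.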
http://www.atstake.com/research/policy/
Idle hands are the devil's^H^H^H^H^Hveloper's tools.
Attachment: locate-exploit.c (Description: The Exploit)