Category:   Application (Generic)  >   slocate
Vendors:   Lindsay, Kevin
slocate Integer Overflow May Let Local User Gain Elevated Privileges
SecurityTracker Alert ID:  1006800
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 20 2003
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system

Description:   An integer overflow vulnerability was reported in slocate. A local user may be able to obtain elevated privileges.

It is reported that a local user may be able to trigger an integer overflow in the parse_decode_path() function by setting the LOCATE_PATH environment variable to a value containing more than 536870912 ':' characters. The function counts the ':' separators into an int and then calls malloc(i * sizeof(char *)); with a large enough count the multiplication wraps, so slocate reportedly allocates a pointer table that is too small for the entries subsequently written into it.

The report indicates that a default Linux kernel does not allow a process to be started with that much argument and environment data (the environment, and therefore LOCATE_PATH, shares the MAX_ARG_PAGES limit with the command line), so only users who have recompiled the kernel with a larger MAX_ARG_PAGES value may be affected.

On some systems, slocate is installed setgid to the 'slocate' group, so any arbitrary code executed by the local user through this flaw would run with 'slocate' group privileges. It may also be possible for a local user to wait for a root user to run slocate and thereby have arbitrary code executed with root privileges [however, the report was not clear about this potential exploit method, since LOCATE_PATH would have to be set in root's environment].

Impact:   A local user may be able to execute arbitrary code with 'slocate' group privileges. A local user may also be able to obtain root privileges when a root user runs slocate.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
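To make the arithmetic in the description concrete, the following is an added example written for this page, not code from slocate or from the advisory. It re-implements the ':' count from the parse_decode_path() excerpt quoted below, models the i * sizeof(char *) product as a 32-bit build evaluates it (the int operand is converted to size_t, so the product wraps modulo 2^32 rather than going negative), and shows the check the function lacks. One caveat the numbers reveal: with 4-byte pointers the product wraps to zero only once the count reaches 2^30 = 1073741824 entries; at the advisory's figure of 536870912 colons (2^29 + 1 entries) the request is 2^31 + 4 bytes, a 2 GiB allocation that fails outright rather than under-allocating. The function and variable names are the example's own, and the large counts are synthetic stand-ins rather than real environment strings.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the ':'-separated entries of a LOCATE_PATH string the way the
 * parse_decode_path() excerpt does: start at 1 and add one for each ':'
 * found after the first character.  Returns 0 for a NULL or empty string,
 * matching the function's early return. */
size_t count_path_entries(const char *path)
{
    if (!path || path[0] == '\0') return 0;
    size_t i = 1;
    const char *part = path;
    while ((part = strchr(part + 1, ':'))) i++;
    return i;
}

/* Model of the table size on a 32-bit build (the target the advisory has
 * in mind, with 4-byte pointers): 'i * sizeof(char *)' is evaluated in
 * size_t because the int operand is converted, so the product wraps
 * modulo 2^32 instead of going negative.  Unsigned arithmetic makes the
 * wrap well defined, which lets the threshold be demonstrated on any host
 * without building a 1 GiB environment string. */
uint32_t table_bytes_32bit(uint32_t entries)
{
    const uint32_t ptr_size = 4;   /* sizeof(char *) on i386 */
    return entries * ptr_size;
}

/* The check parse_decode_path() lacks: refuse a count whose product would
 * not fit before multiplying.  Returns 1 and stores the size on success,
 * 0 when the request would have wrapped. */
int table_bytes_32bit_checked(uint32_t entries, uint32_t *out)
{
    const uint32_t ptr_size = 4;
    if (entries > UINT32_MAX / ptr_size) return 0;
    *out = entries * ptr_size;
    return 1;
}

/* The same guard as it would sit around the real malloc(); dividing by
 * SIZE_MAX makes it correct for whatever the host's pointer width is. */
char **alloc_path_table(size_t entries)
{
    if (entries == 0 || entries > SIZE_MAX / sizeof(char *)) return NULL;
    return malloc(entries * sizeof(char *));
}

int main(void)
{
    /* Constructed inputs: an ordinary LOCATE_PATH, plus synthetic counts
     * standing in for environment strings far too large to build here. */
    const char *normal = "/var/lib/slocate/slocate.db:/home/user/.slocate.db";
    size_t n = count_path_entries(normal);
    printf("entries in \"%s\": %zu\n", normal, n);

    uint32_t advisory_count = 536870912u + 1;  /* 2^29 colons -> 2^29 + 1 entries */
    uint32_t wrap_count     = 1073741824u;     /* 2^30 entries: product is 2^32 */
    printf("2^29+1 entries -> %u bytes (no wrap: a 2 GiB request that fails)\n",
           table_bytes_32bit(advisory_count));
    printf("2^30   entries -> %u bytes (wrapped to zero: undersized table)\n",
           table_bytes_32bit(wrap_count));

    uint32_t bytes;
    printf("checked(2^30): %s\n",
           table_bytes_32bit_checked(wrap_count, &bytes) ? "accepted" : "rejected");

    char **table = alloc_path_table(n);
    printf("real table for %zu entries: %s\n", n, table ? "allocated" : "refused");
    free(table);
    return 0;
}
```

The checked variants are the shape of the fix the post asks for further down ("make sure value of 'i' is not > ..."): the bound is derived from the type rather than hard-coded, and the comparison happens before the multiplication so it can never itself wrap.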

/* slocate <= x.x integer overflow advisory!!! */
/* by: bazarr                                  */
/*                                             */
/* bazarr episode #1                           */


today after i got home from soccer practice (i am the only male cheer leader on the team. the only cheer leader on the
team at all actually) and every time i asked the coach to let me play, the coach kept saying i fight for
'the pink team'. whatever that means. feeling sad that we lost against the lilly pads and my mom didn't
buy me spy kids 2 on dvd, i came home and was clicking and pointing around everywhere on my laptop
and i came across slocate.

seeing the 'secure' in its name i figured i was safe from EVIL. I WAS WRONG

let's take a look at vendor info:

Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding
just like GNU locate to compress its database to make searching faster, but it will also store file permissions and
ownership so that users will not see files they do not have access to. It is a bit slower than the GNU locate, but
that's the price for security.


after trying numerous perl -e attempts to hack slocate i decided this time
i actually have to look at the src code. after seeing the revolutionary phrack article
i learned that the new integer overflow attack or int too big attack
is becoming very very popular. i decided to grep main.c of slocate
for all lines containing the word 'int' and i came across the function
parse_decode_path(). this function contains numerous int type variables,
all wid possibility for int too big attack.

let's take a look at the source code:

    void parse_decode_path(char *path)
    {
        char *pathcopy;
        char *part;
        int i;
        int res_errno;

        /* Make sure path is not empty */
        if (!path || strlen(path) == 0) return;

        /* Check how many paths are currently in the string. */
        i = 1;
        part = path;
        while ((part = strchr(part+1, ':'))) i++; //dis

        /* Allocate enough space to fit existing paths plus new one */
        SLOCATE_PATH = malloc(i * sizeof(char *)); //dis be it right here
        if (!SLOCATE_PATH)
            report_error(FATAL,QUIET,"%s: parse_decode_path: 'SLOCATE_PATH': malloc: %s\n",progname,strerror(errno));

        pathcopy = malloc(strlen(path)+1);
        if (!pathcopy)
            report_error(FATAL,QUIET,"%s: parse_decode_path: 'pathcopy': malloc: %s\n",progname,strerror(errno));

        /* ... (copy of path and first strtok() call not included in the post) ... */

        while (part) {
            /* Make sure the path is valid */
            if (!(res_errno = validate_db(part)))
                SLOCATE_PATH[i++] = part;
            else {
                if (res_errno == -1)
                    report_error(WARNING,QUIET,"%s: this is not a valid slocate database: ...   /* line cut off in the post */
                report_error(WARNING,QUIET,"%s: could not open database: %s: ...              /* line cut off in the post */
            }
            /* Get next path */
            part = strtok(NULL, ":");
        }
        /* ... */
    }

    main (int argc,char **argv) {

who can also see the int too big attack possibility here?

while ((part = strchr(part+1, ':'))) i++; 

we can control 'part' so we can make 'i' as big as we want!
den it go like dis

SLOCATE_PATH = malloc(i * sizeof(char *));

if we can get more den 536870912 ':'s into path we can force it to malloc TOO LOW.
its working like dis:

|       _
|   _.-' )	dis dead bear represents malloc 
|  (_ , '\ __	he od'd on dxm and coke  
|    \__^/` _)
|   .-'_    \
|  (_.' \    '--.
|       /_ /`-._/
|      (__/

| (__)  dis cow represents what figure 1 is sposed to malloc.
| OO )_______ dis cow is obviously healthy but hes high on weed
| |_/\       |\ and lsd. notice his pupils very big. and he look paranoid.
|    ||___  | \
|    ||   W||

|    \\ dis rabbit represents what figure 1 (dead bear) might malloc in case of 'int too big' attack
|     \\_  dis rabbit is very small and cannot go pound for pound wid a big buffer.
|  .---(')
| o( )_-\_

it has come to my attention that not all linux kernels allow 536870912 bytes of arguments
for programs over the command line. i know many a people who have argument list problems
have recompiled dey kernel redefining MAX_ARG_PAGES to a bigger value which let them
put 536870912 bytes into the program arg list. for dose certain people, dey vuln
to dis bug which could let a hacker gain root on the machine.


slocate needs to check to make sure the value of 'i' is not > SLOCATE_CODER_DEFINE_DIS
before it mallocs 'i' * 4. (NOTE: 4 is sizeof(char*))

obviously not everyone vuln to dis bug and many others like it.
but someone out dare might just find themselves wid no /var/log
cuz a hacker gained root and used the rm(1) program to rm all files
in the directory. dis is not as far fetched as it seem. dis is not sposed
to alarm da whole world but it sposed to spark conversation.
thank you, send fan mail to, plz angry blackhats
do not send hate mail, i know i just exposed a bug which you probably been
using for a long time to gain root on machines, but its time for this bug
to come forward.


xploit for popular program shipped wid debian by default
which allow hackers to gain root is coming soon. but only if bugtraq
take me seriously. i am very serious security researcher
i want nothing more den to help the security world. i know some people
think i am a little bazarr but that is just me cuz i am bazarr.
im also coming out wid documentary series on ring member species.
the inner ring member species is a select group sharing information/xploits.
and sometimes they xploit double free bugs in ftpd's. and off by one qpoppers.
the documentary will be covering der tribulistic rituals.
including mating ritual which is very rare information.

dis is an actual photograph of many inner ring member gathering from many tribes:
   \\\|||///               \\\|||///                \\\|||///                        __  
 .  =======              .  =======                  =======                       _/o \                  //  
/ \|  o  O |            /|\|  O  o |                | O  o  |                     /_    |              |//|/       
\ /  \ _'/-[hear about] \|/  \ -'/-[ya whanna]        \ -'/-[im workin on]  [GOB]- W\   /             |/////  
 #   _| |_  [proftpd]    #   _| |_ [work on it]       _|T|_  [the qpop]     [GOBBLE] \  \  __________||//|/
(#) ( ADM )  [bug?]     (#) ( SYN ) [with me?]       (  E  )  [bug now]     [GOB]     \  \/ GOBBLES  /|-//-
 #\//|* *|\\             #\//|* *|\\                //| S |\\                          |    _____     /-
 #\/(  *  )/             #\/(  *  )/                \(  O  )/                          |     _____    /
 #   =====               #   =====                    =====                             \   _____   /
 #   (\_/)               #   (\_/)                    (\_/)                               \_/  \___/
 #   || ||               #   || ||                    || ||                                 \  //
 #---'| |----.          .#---'| |----.           .----'| |----.                              ||||   
 #----' -----'           #----' -----'           '-----' '-----'                             Z_>>
the purpose of the documentary is to familiarize the general public
wid inner ring members (our idols). the documentary is for the little guy like myself, who has
no connection to da scene but hes interested in popular ring member activities.
i am pioneering the first interactions between dees rare creatures and the average public.
but i been using der xploits so long i feel like we all best friends.
more to come on dis subject soon.


i have xploited gera's abo1-10(NOT INCLUDING 2,8,9,10,7,4).c,
i dont understand semaphores,
and dont really know what posix stands for(seriously).
and thats really da end of accomplishments.


ron1n - i spent 2 days d/ling gobbles speech (56k), he said you're lonely, i'll be your friend.
but im kind of dumb (seriously) so i dunno if you whanna be my friend.
but the whole script kiddie class of 2001 loved remorse.c (i was one of the kids it got leaked to!)
i got da backdoored binary.

i found a possibly xploitable bug in prerr.c of remorse.tar.gz!
dis issue needs to be addressed:

    vsnprintf(msg, sizeof msg, fmt, va); //HACKLOG if i can control 'fmt' dis is owned
    va_end(va); //HACKLOG i dunno what dis does

    if(perr) {
        /* Not my problem... */
        snprintf(msg + strlen(msg), sizeof msg - strlen(msg), ": %s", strerror(serrno));
    }

what if msg don't get nulled! and den sizeof msg - strlen msg
possibly could go negative since msg is on da stack and you never know what be around it,
den since the size argument to snprintf is a size_t it will go whacko big!
then it overflow wid strerror(savederrno). i'll mail you wid da bug fix.
in older unixes sometimes strerror might return NULL on error so dis might be local DoS

we can make a small fort out of my parents' couch and play twister if you come over.
we can w8 outside gas stations askin people to get us some old english (malt liquor)
i live in da same city as jimjonez so just get an airplane ticket and we'll have a slumber party
just tell my parents you 18 cuz they gunna think its weird when a 20 year old comes to sleep over wid a 16 year old boy

n1nor , remorse.c is one of the reasons i tried to learn to code(STILL DONT UNDERSTAND SYS V MESSAGE QUEUES). 
so thank you ron1n cuz you cool.


hopefully you be seeing more of me. i am a one man team
wid myself working on many a xploit and many a advisory (SERIOUSLY).
i will be helping to bring many more bleeding edge security vulnerabilities
just like dis one to dis security community. but for now i have to leave,
my mom is making me some grilled cheese sandwiches wid grape Kool-Aid
but only if i clean my room (seriously). so bye guys

     //`\/ |\ O`\\	
     )/ |_____| \(    
     O  # / \ #  O    
       (| 0 o |)        
        |` *  |
     `._  `"`  _.'	
        / ;  \ \
      O'-' )/`'-0
          O`    the sad borderline homosexual clown. bazarr.
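For the prerr.c snippet discussed in the post above, the following added example (written for this page, not code from remorse or from the post) puts the remaining-space computation beside a clamped form and a complete formatting routine of the same shape. Two facts drive it: vsnprintf() and snprintf() always NUL-terminate the buffer when size is greater than zero, so after the first call strlen(msg) is strictly less than sizeof msg and the subtraction in the snippet cannot wrap; what can wrap is size - used when used is taken from the return value, which reports the length the whole message would have needed and exceeds the buffer size whenever output was truncated. A size_t never goes negative, it wraps to a huge value, and passing that as the bound removes snprintf's protection entirely. The names remaining_naive, remaining_clamped and format_with_errno are the example's own and the sample messages are constructed.

```c
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Space left in a buffer of 'size' bytes after 'used' bytes, computed the
 * naive way.  When used > size the subtraction wraps to an enormous size_t;
 * handing that to snprintf() as its bound makes the call unbounded. */
size_t remaining_naive(size_t size, size_t used)
{
    return size - used;
}

/* Clamped form: 0 when the buffer is already full or overfull, never wraps. */
size_t remaining_clamped(size_t size, size_t used)
{
    return used < size ? size - used : 0;
}

/* Format a message into buf and append ": <strerror(serrno)>", keeping the
 * shape of the prerr.c excerpt.  Returns the length the complete message
 * would need (snprintf convention) so callers can detect truncation.
 * vsnprintf() NUL-terminates whenever size > 0, so strlen(buf) < size holds
 * afterwards and a strlen()-based subtraction cannot wrap.  The hazard shows
 * up when the return value is used as the offset instead: it counts bytes
 * that were never written once the message is truncated, so it must be
 * clamped before the second call. */
size_t format_with_errno(char *buf, size_t size, int serrno, const char *fmt, ...)
{
    va_list va;
    va_start(va, fmt);
    int n = vsnprintf(buf, size, fmt, va);
    va_end(va);
    if (n < 0) {
        if (size) buf[0] = '\0';
        return 0;
    }

    size_t used = (size_t)n;           /* may exceed size on truncation */
    const char *err = strerror(serrno);
    size_t room = remaining_clamped(size, used);
    if (room > 0) {
        int m = snprintf(buf + used, room, ": %s", err);
        if (m > 0) used += (size_t)m;
    } else {
        used += 2 + strlen(err);       /* buffer already full; report the need */
    }
    return used;
}

int main(void)
{
    char big[64];
    size_t need = format_with_errno(big, sizeof big, ENOENT, "open %s", "slocate.db");
    printf("[%s] needed %zu of %zu bytes\n", big, need, sizeof big);

    char small[8];
    need = format_with_errno(small, sizeof small, ENOENT, "open %s", "slocate.db");
    printf("[%s] needed %zu of %zu bytes (truncated)\n", small, need, sizeof small);

    printf("naive remaining for size=8, used=13:   %zu\n", remaining_naive(8, 13));
    printf("clamped remaining for size=8, used=13: %zu\n", remaining_clamped(8, 13));
    return 0;
}
```

The truncated case is the one to watch: the 8-byte buffer holds "open sl" after the first call, the return value is 15, and only the clamp keeps the second snprintf() from being called with a wrapped bound and a pointer past the end of the buffer.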



