SecurityTracker.com
Category: Application (Generic) > slocate
Vendors: Lindsay, Kevin

slocate Buffer Management Error May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1007888
SecurityTracker URL: http://securitytracker.com/id/1007888
CVE Reference: CVE-2003-0848
Updated: Jan 20 2004
Original Entry Date: Oct 6 2003
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.6 and prior versions
Description: A buffer management vulnerability was reported in slocate. A local user may be able to gain elevated privileges on the target system.

Patrik Hornik reported that a heap overflow may let a local user execute arbitrary code with 'slocate' group privileges. The flaw reportedly resides in 'main.c', where some dynamically allocated memory may not be properly freed.

Impact: A local user may be able to cause arbitrary code to be executed with set group id (setgid) 'slocate' privileges. With those privileges, the local user can view a list of all files on the system.
Solution: According to the report, slocate version 2.7 is not vulnerable.
Vendor URL: www.geekreview.org/slocate/
Cause: Boundary error, State error
Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.
Jan 20 2004 (Debian Issues Fix) slocate Buffer Management Error May Let Local Users Gain Elevated Privileges
Debian has released a fix.
Jan 21 2004 (Trustix Issues Fix) slocate Buffer Management Error May Let Local Users Gain Elevated Privileges
Trustix has released a fix.
Jan 22 2004 (Red Hat Issues Fix for RH Linux) slocate Buffer Management Error May Let Local Users Gain Elevated Privileges
Red Hat has released a fix for Red Hat Linux 9.
Jan 23 2004 (Mandrake Issues Fix) slocate Buffer Management Error May Let Local Users Gain Elevated Privileges
Mandrake has released a fix.
Jan 26 2004 (Red Hat Issues Fix for RH Enterprise Linux) slocate Buffer Management Error May Let Local Users Gain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.



Source Message Contents

Subject: SA-20031006 slocate vulnerability


======================================================================
Security advisory 20031006
----------------------------------------------------------------------
  Product:                  slocate
  Vulnerability type:       buffer overflow (corrupt heap)
  Extended type:            possibly gaining elevated privileges
  Severity:                 low
  Issue date:               2003/10/06
  Last updated:             2003/10/06
======================================================================



Description
-----------

Mr. Hornik has discovered a buffer overflow vulnerability in slocate version 2.6. Many Linux distributions have their slocate package based on this version. We found at least the RedHat package to be vulnerable. The vulnerability corrupts heap management structures and possibly leads to gaining slocate group privileges, which allows reading the global slocate database and thus obtaining a list of all files in the system by an unauthorized user.


Vulnerability
-------------

The slocate program works on a user-supplied database while setgid to the slocate group. With a user-prepared slocate database one can cause pathlen to have the value -1 after executing main.c:1255 (we are referring to source lines from slocate-2.6-1.src.rpm from RH 7.3). It must be caused by a path other than the first in the database, because the first one is verified in validate_db. Then on line main.c:1275 the last byte of the memory block header (this memory block's size) will be overwritten with a user-supplied value. The codedpath is never freed by the code, but it is possible to trigger realloc on line 1269 later by data in the database.

Because some dynamic memory is not freed, using multiple databases and multiple search patterns it should be possible to prepare the heap before triggering this vulnerability to allow later execution of arbitrary code, thus gaining slocate group privileges. This allows reading of the global slocate database with the list of all files in the system by an unauthorized user. The exploit is not available at this time.

The suggested and correct patch is to change the condition on line 1263 to pathlen <= 0.


Who is affected?
----------------

Affected are all RedHat distributions up to and including version 9.0.

slocate version 2.6 and below is vulnerable. slocate version 2.7 and all packages based on this version are not vulnerable.


Recommendations
---------------

We recommend upgrading the slocate package to the fixed version.

If obtaining the list of all files on the system by an unauthorized user is a security risk for your system, we recommend removing the slocate database and disabling its automatic generation (as a daily cron job), or removing the slocate utility, or generating the database only from safe files, until the fixed version is installed.


References
----------

This security advisory:
http://www.ebitech.sk/patrik/SA/SA-20031006.txt


Contact
-------

Patrik Hornik
--
Security Consultant

Email: patrik.hornik@ebitech.sk
Phone: +421 905 385 666
PGP KeyID: DFA5BC67

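The bounds check the advisory's Vulnerability section calls for, as an added example that is not part of the advisory or of slocate itself: a C decoder for a front-compressed path database that rejects any entry whose shared-prefix length would go negative (the pathlen of -1 described above, which indexes the byte in front of the buffer, i.e. the heap block header) or exceed the previous path. The entry layout (signed delta byte, 0x80 escape to a 16-bit delta, NUL-terminated suffix), the MAX_PATH_LEN limit and the two sample databases are assumptions constructed for the example.

```c
#include <string.h>

#define MAX_PATH_LEN 255
#define MAX_PATHS 16
static char g_paths[MAX_PATHS][MAX_PATH_LEN + 1];  /* decoded paths land here */

/* Decode a front-compressed path database of the kind the advisory describes
 * (added example with an assumed layout, not slocate's code): each entry is a
 * signed byte giving the change in prefix length shared with the previous path
 * (0x80 escapes to a 16-bit big-endian delta), then a NUL-terminated suffix.
 * Returns the number of paths stored in g_paths, or -1 at the first bad entry. */
int decode_db(const unsigned char *db, size_t len)
{
    char path[MAX_PATH_LEN + 1] = "";
    int pathlen = 0, prevlen = 0, n = 0;  /* shared prefix, previous path length */
    size_t i = 0;
    while (i < len && n < MAX_PATHS) {
        int delta = (signed char)db[i++];
        if (delta == -128) {              /* escape: 16-bit big-endian delta */
            if (i + 2 > len) return -1;
            delta = (db[i] << 8) | db[i + 1];
            if (delta > 32767) delta -= 65536;
            i += 2;
        }
        pathlen += delta;
        /* The bound slocate 2.6 applied only to the first path: a negative
         * pathlen writes before the buffer (into the heap chunk header), one
         * beyond the previous path copies stale bytes. */
        if (pathlen < 0 || pathlen > prevlen) return -1;
        const unsigned char *nul = memchr(db + i, 0, len - i);
        if (nul == NULL) return -1;       /* suffix lacks its terminator */
        size_t suffix = (size_t)(nul - (db + i));
        if ((size_t)pathlen + suffix > MAX_PATH_LEN) return -1;
        memcpy(path + pathlen, db + i, suffix + 1);
        i += suffix + 1;
        prevlen = pathlen + (int)suffix;
        strcpy(g_paths[n++], path);
    }
    return n;
}

/* Constructed sample databases (not real slocate data). */
static const unsigned char GOOD_DB[] = {
    0x00, '/', 'u', 's', 'r', 0,              /* "/usr"     (prefix 0)     */
    0x80, 0x00, 0x04, '/', 'b', 'i', 'n', 0,  /* "/usr/bin" (escaped +4)   */
    0x00, '/', 'l', 'i', 'b', 0,              /* "/usr/lib" (prefix stays) */
    0xFC, '/', 'e', 't', 'c', 0,              /* "/etc"     (delta -4)     */
};
/* Second entry steps back past the start: pathlen -1, the advisory's header-byte index. */
static const unsigned char BAD_DB[] = { 0x00, '/', 'u', 's', 'r', 0, 0xFF, '/', 'x', 0 };
```

Running decode_db over GOOD_DB yields the four paths in order; over BAD_DB it stops at the second entry instead of letting the suffix land in front of the buffer.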

 
 

