Category: Application (Generic) > slocate
Vendors: Lindsay, Kevin
slocate '-r' Buffer Overflow Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1009107
SecurityTracker URL:
CVE Reference: CVE-2003-0056
Date:  Feb 18 2004
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): prior to 2.7
Description:   In January 2003, a buffer overflow vulnerability was reported in slocate. A local user can gain elevated privileges on the target system.

USG reported that a local user can supply a specially crafted value with the '-c' and '-r' command line parameters to trigger the overflow and execute arbitrary code.

The report indicates that the slocate binary is installed set group id (setgid) to the 'slocate' group [at least on some systems]. Therefore, a local user who triggers the overflow gains the privileges of that group.

Impact:   A local user can execute arbitrary code with 'slocate' group privileges.
Solution:   The vendor has released a fixed version (2.7), available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  [USG-SA-2003.001] USG Security Advisory (slocate)

From:       inkubus () hushmail ! com
Date:       2003-01-24 15:27:27



USG Security Advisory
USG-SA-2003.001 24-Jan-2003

Package: slocate
Vulnerability: local buffer overflow
Type: local
Risk: high, users can gain high privileges on the system.
System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM
Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman

According to research done by USG team members and Knight420, who informed us about this vulnerability a week earlier, there is a local buffer overflow in the slocate package shipped with the newer RedHat distributions. We have tested the vulnerability only on RedHat Linux 7.2 and 7.3, but we think that other Linux/*nix systems that provide the slocate package may be vulnerable too. The overflow appears when slocate is run with two parameters, -c and -r, using as arguments a 1024 (or 10240, as Knight420 informed us earlier) byte string.

[inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate
slocate-2.6-1
-rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate
[inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Segmentation fault
[inkubus@USG audit]$ gdb /usr/bin/slocate
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`
warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permission \
warning: You need to run the 'updatedb' command (as root) to create the database.
warning: You need to run the 'updatedb' command (as root) to create the database.
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x42080b1b in strlen () from /lib/i686/

The exploitation is trivial; we have already coded a POC exploit that will be published to bugtraq in the next days. The author has been notified via:

-------------------------------------------------------------------
Resistance is futile, you will be assimilated.
-------------------------------------------------------------------
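The crash above is the signature of an unbounded copy of an option value into a fixed buffer. As an added illustration, not slocate's own source (which the advisory does not show), the C below shows the bounded check that closes that defect class, using a 1024-byte buffer to match the argument length the advisory reports; the buffer size, function names and the argv-walking loop are assumptions, and the 'A'-filled input is constructed to mirror the advisory's perl one-liner.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer that receives an option value; 1024
 * matches the argument length the advisory reports as crashing slocate. */
#define OPT_BUF_SIZE 1024

/* Hardened replacement for an unbounded strcpy() of an option value: refuse
 * anything that does not fit together with its NUL terminator. Copying a
 * 1024-byte value unchecked into a 1024-byte buffer is the defect at issue.
 * Returns 0 on success, -1 when the value is too long. */
int copy_option_safe(char *opt_buf, size_t buf_size, const char *value) {
    size_t len = strlen(value);
    if (len >= buf_size)
        return -1;
    memcpy(opt_buf, value, len + 1);
    return 0;
}

/* Minimal argv walk (assumed; not slocate's parser) that validates the
 * values of -c and -r, the two options the advisory names, before use.
 * Returns 0 if every value fits, -1 on an overlong value, -2 on a missing one. */
int parse_options(int argc, char **argv, char *opt_buf, size_t buf_size) {
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0 || strcmp(argv[i], "-r") == 0) {
            if (i + 1 >= argc)
                return -2;
            if (copy_option_safe(opt_buf, buf_size, argv[i + 1]) != 0)
                return -1;
            i++;
        }
    }
    return 0;
}

/* Constructed sample: a value of n 'A' bytes, like the advisory's perl
 * one-liner, checked against the bounded copy. Returns its result code. */
int check_value_of_length(size_t n) {
    char opt_buf[OPT_BUF_SIZE];
    char *value = malloc(n + 1);
    if (value == NULL)
        return -3;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = copy_option_safe(opt_buf, sizeof opt_buf, value);
    free(value);
    return rc;
}
```

The same check, applied to every option value before it reaches a fixed buffer, turns the crash the advisory reproduces into a clean usage error.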
