Date: Sun, 20 Sep 1998 11:06:37 -0700
From: Crispin Cowan <crispin@CSE.OGI.EDU>
Subject: Re: Locate overflow / Promiscuous mode / Posting tips
To: BUGTRAQ@NETSPACE.ORG

David J. Meltzer wrote:
> The overflow in locate was reported to bugtraq at least on 3/6/98 by
> Michal Zalewski (http://www.geek-girl.com/bugtraq/1998_1/0351.html).

Thanks for the reference. And your point about researching before posting is well-taken, so I did some this time. There have been several vulnerabilities associated with locate:

* It reads everyone's private files, so you can see their file names. Fixed long ago.

* There is a race condition in updatedb that allows the attacker to corrupt the /var/lib/locatedb file. The primary vulnerability allowed you to trick updatedb into creating a world-writable root-owned file. However, it also allowed you to corrupt the locatedb file by filling it with junk, causing a seg fault in the locate command.

The vulnerability I reported is new: you create a completely legitimate (if rather pathological) directory tree, and wait for the updatedb program to index it. The updatedb runs to completion, is not interfered with, and has produced a perfectly legitimate locatedb file, save that one of its entries is very large. Only the locate command is affected, which seg faults when run against this locatedb file. I call this vulnerability "new" because the previous vulnerability (presumably) has been fixed, and my locate 4.1 is still vulnerable to this problem.

Work-around: don't run 'locate' as root. Instead, use a lower-privilege shell when trying to locate things.

StackGuard: Unfortunately, it appears that the overflows in bash and locate are unaffected by StackGuard protection. Without looking at the source, I'm guessing that the buffers that are being overflowed are heap buffers. StackGuard IS effective in protecting tcsh from this attack: tcsh dies with a stackguard warning when it tries to cd into MiG's pathological directory tree.

Anyone have a long-path exploit for tcsh handy? I have not been able to find one.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
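The "completely legitimate (if rather pathological) directory tree" in the message above, as an added example; this is my code, not Crispin's, Michal Zalewski's or the findutils project's, and it does not touch locate or updatedb. It shows the two halves of the bug class: a tree whose full path exceeds PATH_MAX can be created with nothing but relative mkdir()+chdir() calls, and a tool that walks it must accumulate the path in a growable buffer and operate on relative names, because a fixed `char path[PATH_MAX]` (the pattern that makes an indexer or a shell's cd overflow) cannot hold it. The level count, the 200-byte component name and the directory under $TMPDIR (or /tmp) are my choices for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Demonstration constants (chosen here, not taken from the post): 40 levels of
   200-byte names gives a path of roughly 8 KiB, about twice PATH_MAX on Linux,
   while every single component stays well under NAME_MAX. */
#define LEVELS 40
#define NAME_LEN 200

static void fill_name(char *name) {
    memset(name, 'a', NAME_LEN);
    name[NAME_LEN] = '\0';
}

/* Build the chain one component at a time from inside the tree. mkdir() on the
   full path would be refused with ENAMETOOLONG, but mkdir()+chdir() on a
   relative name never hands the kernel more than one component, so a perfectly
   legal tree ends up with a path no PATH_MAX-sized buffer can hold. Leaves the
   cwd at the deepest directory; returns the number of levels created. */
static int build_deep_tree(const char *root, int levels) {
    char name[NAME_LEN + 1];
    fill_name(name);
    if (chdir(root) != 0) return -1;
    for (int i = 0; i < levels; i++) {
        if (mkdir(name, 0700) != 0 && errno != EEXIST) return i;
        if (chdir(name) != 0) return i;
    }
    return levels;
}

/* Append "/" + name to a heap buffer, growing it as needed. This is exactly the
   check that strcat() into a fixed char path[PATH_MAX] lacks. */
static int append_component(char **buf, size_t *cap, size_t *len, const char *name) {
    size_t nlen = strlen(name);
    size_t need = *len + 1 + nlen + 1;
    if (need > *cap) {
        size_t ncap = *cap;
        while (ncap < need) ncap *= 2;
        char *nb = realloc(*buf, ncap);
        if (nb == NULL) return -1;
        *buf = nb;
        *cap = ncap;
    }
    (*buf)[(*len)++] = '/';
    memcpy(*buf + *len, name, nlen + 1);
    *len += nlen;
    return 0;
}

/* Walk down the single-chain tree the way an indexer must: chdir() into each
   subdirectory and stat() relative names, because opendir()/stat() on the full
   path fail once it exceeds PATH_MAX. Returns the deepest path's length and
   stores the path in *out (caller frees), or -1 on error. */
static long walk_deepest_path(const char *root, char **out) {
    size_t len = strlen(root), cap = len + 1;
    char *buf = malloc(cap);
    if (buf == NULL || chdir(root) != 0) { free(buf); return -1; }
    memcpy(buf, root, cap);
    for (;;) {
        char next[256];
        int found = 0;
        struct dirent *e;
        DIR *d = opendir(".");
        if (d == NULL) { free(buf); return -1; }
        while ((e = readdir(d)) != NULL) {
            struct stat st;
            if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
            if (stat(e->d_name, &st) == 0 && S_ISDIR(st.st_mode)) {
                snprintf(next, sizeof next, "%s", e->d_name);
                found = 1;
                break;
            }
        }
        closedir(d);
        if (!found) break;
        if (append_component(&buf, &cap, &len, next) != 0 || chdir(next) != 0) {
            free(buf);
            return -1;
        }
    }
    *out = buf;
    return (long)len;
}

/* Tear the chain down from the deepest directory upward, again with relative
   names only. Expects the cwd to be the deepest directory. */
static int remove_deep_tree(const char *root, int levels) {
    char name[NAME_LEN + 1];
    fill_name(name);
    for (int i = 0; i < levels; i++)
        if (chdir("..") != 0 || rmdir(name) != 0) return -1;
    if (chdir("..") != 0) return -1;
    return rmdir(root) == 0 ? 0 : -1;
}

struct demo_result {
    int levels_built;
    long deep_path_len;  /* measured by walking the tree */
    long expected_len;   /* strlen(root) + levels * (1 + NAME_LEN) */
    int cleanup_ok;
};

static struct demo_result run_demo(void) {
    struct demo_result r = { -1, -1, -1, 0 };
    char root[PATH_MAX];
    char *deep = NULL;
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || *tmp == '\0') tmp = "/tmp";
    snprintf(root, sizeof root, "%s/deeptree.%ld", tmp, (long)getpid());
    if (mkdir(root, 0700) != 0 && errno != EEXIST) return r;
    r.levels_built = build_deep_tree(root, LEVELS);
    r.expected_len = (long)strlen(root) + (long)r.levels_built * (1 + NAME_LEN);
    r.deep_path_len = walk_deepest_path(root, &deep);
    free(deep);
    r.cleanup_ok = (remove_deep_tree(root, r.levels_built) == 0);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("levels=%d path_len=%ld PATH_MAX=%d cleanup=%s\n", r.levels_built,
           r.deep_path_len, PATH_MAX, r.cleanup_ok ? "ok" : "FAILED");
    return (r.deep_path_len > PATH_MAX && r.cleanup_ok) ? 0 : 1;
}
```

The walker deliberately never forms the absolute path for a system call; it only uses the accumulated string as data, which is the position an indexer is in when it writes the entry to its database. A program that instead did `strcat(path, "/"); strcat(path, name)` into a PATH_MAX array would have written past the end of it about 20 levels into this tree, on the heap or the stack depending on where the array lives, which matches the observation in the message that StackGuard catches the tcsh case but not the others.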