
Date:	Sun, 20 Sep 1998 11:06:37 -0700
From:	Crispin Cowan <crispin@CSE.OGI.EDU>
Subject:      Re: Locate overflow / Promiscuous mode / Posting tips
To:	BUGTRAQ@NETSPACE.ORG

David J. Meltzer wrote:

> The overflow in locate was reported to bugtraq at least on 3/6/98 by
> Michal Zalewski (http://www.geek-girl.com/bugtraq/1998_1/0351.html).

Thanks for the reference.  And your point about researching before posting is
well-taken, so I did some this time.

There have been several vulnerabilities associated with locate:

   * It reads everyone's private files, so you can see their file names.  Fixed
     long ago.
   * There is a race condition in updatedb that allows the attacker to corrupt
     the /var/lib/locatedb file.  The primary vulnerability allowed you to trick
     updatedb into creating a world-writable root-owned file.  However, it also
     allowed you to corrupt the locatedb file by filling it with junk, causing a
     seg fault in the locate command.

The vulnerability I reported is new:  you create a completely legitimate (if
rather pathological) directory tree, and wait for the updatedb program to index
it.  The updatedb runs to completion, is not interfered with, and has produced a
perfectly legitimate locatedb file, save that one of its entries is very
large.  Only the locate command is affected, which seg faults when run against
this locatedb file.

I call this vulnerability "new" because the previous vulnerability (presumably)
has been fixed, and my locate 4.1 is still vulnerable to this problem.

Work-around:  don't run 'locate' as root.  Instead, use a lower-privilege shell
when trying to locate things.

StackGuard:  Unfortunately, it appears that the overflows in bash and locate are
unaffected by StackGuard protection.  Without looking at the source, I'm
guessing that the buffers that are being overflowed are heap buffers.
StackGuard IS effective in protecting tcsh from this attack:  tcsh dies with a
stackguard warning when it tries to cd into MiG's pathological directory tree.

Anyone have a long-path exploit for tcsh handy?  I have not been able to find
one.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98
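As an added illustration that is not part of Crispin's post (nor code from the findutils project): a POSIX shell script that builds the kind of "completely legitimate, if rather pathological" directory tree the post describes, one whose full path is longer than PATH_MAX (4096 bytes on Linux), so that anything storing the indexed path in a fixed-size buffer gets exercised. The directory names, nesting depth and component length are arbitrary choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a directory tree whose
# full path exceeds PATH_MAX. Names, depth and lengths are arbitrary choices.

# Print a directory name made of $1 copies of the letter 'a'.
# 200 stays under NAME_MAX (255), so every single component is legal.
component_name() {
    n=$1; s=''
    while [ "${#s}" -lt "$n" ]; do s="${s}a"; done
    printf '%s\n' "$s"
}

# make_long_tree ROOT DEPTH LEN
# Creates DEPTH nested directories under ROOT, each named with LEN characters,
# descending one level at a time. This matters: once the accumulated path is
# longer than PATH_MAX the kernel rejects it as a single pathname argument
# (ENAMETOOLONG), so "mkdir -p" with the complete path could never create it,
# yet relative mkdir/cd from inside the tree work at any depth.
# Prints the byte length of the deepest directory's absolute path.
make_long_tree() {
    root=$1; depth=$2; len=$3
    name=$(component_name "$len")
    (
        cd "$root" || exit 1
        i=0
        while [ "$i" -lt "$depth" ]; do
            mkdir "$name" || exit 1
            cd "$name" || exit 1
            i=$((i + 1))
        done
        # The shell tracks $PWD logically (string append on each cd), so its
        # length is still correct here even where getcwd(3) would fail.
        printf '%s\n' "${#PWD}"
    )
}

# Expected length, for cross-checking: ROOT plus DEPTH times ("/" + LEN chars).
expected_length() {
    root=$1; depth=$2; len=$3
    printf '%s\n' $(( ${#root} + depth * (len + 1) ))
}

# Demo when run directly: build the tree in a scratch directory and report.
demo_root=$(mktemp -d)
demo_len=$(make_long_tree "$demo_root" 40 200)
echo "deepest path is $demo_len bytes (PATH_MAX on Linux is 4096)"
# GNU rm walks the tree with openat() and removes it fine; other rm
# implementations may choke on it, which is itself part of the lesson.
rm -rf "$demo_root" 2>/dev/null || true
```

To reproduce the indexing step on a machine with GNU findutils, point updatedb at the scratch root and keep the database out of the system location, e.g. `updatedb --localpaths="$demo_root" --output=/tmp/test.locatedb`, then query it with `locate -d /tmp/test.locatedb aaaa`, and do so from an unprivileged shell, as the post's work-around advises. The reason the tree has to be built level by level is the same reason it is interesting: every component is legal and every relative operation succeeds, only code that assumes a whole path fits in one PATH_MAX-sized buffer breaks.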