__________________________________________________ 
 
USG Security Advisory 
http://www.usg.org.uk/advisories/2003.001.txt 
inkubus@hushmail.com 
USG- SA- 2003.001 24- Jan- 2003 
__________________________________________________ 
 
Package: slocate 
Vulnerability: local buffer overflow 
Type: local 
Risk: high, users can gain high privileges in the system. 
System tested: RedHat Linux 7.3 (Valhalla) with slocate-2.6-1 from RPM 
Credits: Knight420, Team TESO, Michal Zalewski, Aleph1, dvdman 
 
Description: 
Accordingly to research done by USG team members and Knight420 who informed us 
about this vulnerability a week earlier, there is a local buffer overflow in th
e slocate package 
shipped with the most newer RedHat distributions, we have tested the vulnerabil
ity only in RedHat 
Linux 7.2 and 7.3 but we think that other Linux/*nix systems that provide sloca
te package may be 
vulnerable too. 
The overflow appears when the slocate is  runned with two parameters: -c and -r
, using as arguments a 
1024 (or 10240, as Knight420 has informed us earlier) bytes string. 
[inkubus@USG audit]$ rpm -qf /usr/bin/slocate && ls -al /usr/bin/slocate 
slocate-2.6-1 
-rwxr-sr-x    1 root     slocate     25020 Jun 25  2001 /usr/bin/slocate 
[inkubus@USG audit]$ /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl 
-e "print 'A' x 1024"` 
Segmentation fault 
[inkubus@USG audit]$ gdb /usr/bin/slocate 
GNU gdb Red Hat Linux (5.1.90CVS-5) 
Copyright 2002 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are 
welcome to change it and/or distribute copies of it under certain conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details. 
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)..
. 
(gdb) r -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"` 
Starting program: /usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e 
"print 'A' x 1024"` 
warning: slocate: could not open database: /var/lib/slocate/slocate.db: Permiss
ion denied 
warning: You need to run the 'updatedb' command (as root) to create the databas
e. 
warning: slocate: decode_db(): ÐßBÐßBØßBØßBàßBàßBèßBèßBðßBðßBøßBøßB: No such fi
le or directory 
warning: You need to run the 'updatedb' command (as root) to create the databas
e. 
(no debugging symbols found)...(no debugging symbols found)...(no debugging sym
bols found)... 
Program received signal SIGSEGV, Segmentation fault. 
0x42080b1b in strlen () from /lib/i686/libc.so.6 
(gdb) 
 
The exploitation is trivial, we have coded already a POC exploit that will be p
ublished to the bugtraq 
next days. 
The author has been notified via: klindsay@mkintraweb.com 
 
------------------------------------------------------------------- 
inkubus@hushmail.com 
Resistance is futile, you will be assimilated. 
------------------------------------------------------------------- 
EOF