------=_Part_3282_18800747.1053371779906
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
dis advisory contains many a ascii diagram so it is attached in .txt
-bazarr
------=_Part_3282_18800747.1053371779906
Content-Type: text/plain; name=bazarr-slocate-adv.txt
Content-Transfer-Encoding: 7bit
Content-Disposition: ATTACHMENT; filename=bazarr-slocate-adv.txt
/* slocate <= x.x integer overflow advisory!!! */
/* by: bazarr */
/* bazarr@ziplip.com */
/* bazarr episode #1 */
------------------------
PREFACE
today after i got home from soccer practice (i am the only male cheer leader on the team. the only cheer leader on the
team at all actually) and everytime i asked the coach to let me play the, coach kept saying i fight for
'the pink team'. whatever that means. feeling sad that we lost against the lilly pads and my mom dident
buy me spy kids 2 for dvd. i came home and was clicking and pointing around everywhere on my laptop
and i came across slocate.
seeing the 'secure' in its name i figured i was safe from EVIL. I WAS WRONG
lets take a look at vendor info:
Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding
just like GNU locate to compress its database to make searching faster, but it will also store file permissions and
ownership so that users will not see files they do not have access to. It is a bit slower than the GNU locate, but
thats the price for security.
------------------------
BEEF
after trying numerous perl -e attemps to hack slocate i decided this time
i actually have to look at the src code. after seeing the revolutionary phrack artical
i learned that new integer overflow attack or int too big attack
is becomming very very popular. i decided to grep main.c of slocate
for all lines conatining word 'int' i came across the function
parse_decode_path(). this function contains numerous int type varibles.
all wid possibility for int too big attack
lets take a look at source code:
void
parse_decode_path(char *path)
{
char *pathcopy;
char *part;
int i;
int res_errno;
/* Make sure path is not empty */
if (!path || strlen(path) == 0) return;
/* Check how many paths are currently in the string. */
i = 1;
part = path;
while ((part = strchr(part+1, ':'))) i++; //dis
/* Allocate enough space to fit existing paths plus new one */
SLOCATE_PATH = malloc(i * sizeof(char *)); //dis be it right here
if (!SLOCATE_PATH)
report_error(FATAL,QUIET,"%s: parse_decode_path: 'SLOCATE_PATH': malloc: %s\n",progname,strerror(errno));
pathcopy = malloc(strlen(path)+1);
if (!pathcopy)
report_error(FATAL,QUIET,"%s: parse_decode_path: 'pathcopy': malloc: %s\n",progname,strerror(errno));
strcpy(pathcopy,path);
....
while (part) {
/* Make sure the path is valid */
if (!(res_errno = validate_db(part)))
SLOCATE_PATH[i++] = part;
else {
if (res_errno == -1)
report_error(WARNING,QUIET,"%s: this is not a valid slocate database:
%s\n",progname,part);
else
report_error(WARNING,QUIET,"%s: could not open database: %s:
%s\n",progname,part,strerror(res_erres_errno));
}
/* Get next path */
part = strtok(NULL, ":");
}
....
}
.....
main (int argc,char **argv) {
.....
parse_decode_path(getenv("LOCATE_PATH"));
.....
}
who can also see the int too big attack possiblilty here?
while ((part = strchr(part+1, ':'))) i++;
we can control 'part' so we can make 'i' as big as we want!
den it go like dis
SLOCATE_PATH = malloc(i * sizeof(char *));
if we can get more den 536870912 ':'s into path we can force it to malloc TOO LOW.
its working like dis:
| _
| _.-' ) dis dead bear represents malloc
| (_ , '\ __ he od'd on dxm and coke
| \__^/` _)
| .-'_ \
| (_.' \ '--.
| /_ /`-._/
| (__/
| (__) dis cow represents what figure 1 is sposed to malloc.
| OO )_______ dis cow is obvisouly healthy but hes high on weed
| |_/\ |\ and lsd. notice his pupils very big. and he look paranoid.
| ||___ | \
| || W||
| \\ dis rabbit represents what figure 1 (dead bear) might malloc in case of 'int too big' attack
| \\_ dis rabbit is very small cannot and go pound for pound wid a big buffer.
| .---(')
| o( )_-\_
it has come to attention that not all linux kernel allow 536870912 bytes of arguments
for programs over command line. i know many a people who have argument list problems
have recompiled dey kernel redefining MAX_ARG_PAGES to a bigger value wich let them
put 536870912 bytes into program arg list. for dose certain people. dey vuln
to dis bug wich could let a hacker gain root on machine.
------------------------
PATCH
slocate needs to check to make sure value of 'i' is not > SLOCATE_CODER_DEFINE_DIS
before it mallocs to 'i' * 4. (NOTE: 4 is sizeof(char*))
------------------------
END NOTES
obvisously not everyone vuln to dis bug and many others like it.
but someone out dare might just find themselfs wid no /var/log
cuz a hacker gained root and used the rm(1) program to rm all files
in directory. dis is not as far fetched as it seem. dis is not sposed
to alarm da whole world but it sposed to spark conversation.
thank you, send fan mail to bazarr@ziplip.com, plz angry blackhats
do not send hate mail , i know i just exposed a bug wich you probly been
using for long time to gain root on machines, but its time for this bug
to come forward.
------------------------
ADVANCE WARNING
xploit for popular program shipped wid debian by default
wich allow hackers to gain root is comming soon. but only if bugtraq
take me seriously. i am very serious security researcher
i want nothing more den to help the security world. i know some people
think i am a little bazarr but that is just me cuz i am bazarr.
im also comming out wid documentry series on ring member species.
the inner ring member species is a select group sharing information/xploits.
and somtimes they xploit double free bugs in ftpd's. and off by one qpoppers.
the documentry will be covering der tribulistic riturals.
including mating ritural wich is very rare information.
dis is an actual photograph of many inner ring member gathering from many tribes:
\\\|||/// \\\|||/// \\\|||/// __
. ======= . ======= ======= _/o \ //
/ \| o O | /|\| O o | | O o | /_ | |//|/
\ / \ _'/-[hear about] \|/ \ -'/-[ya whanna] \ -'/-[im workin on] [GOB]- W\ / |/////
# _| |_ [proftpd] # _| |_ [work on it] _|T|_ [the qpop] [GOBBLE] \ \ __________||//|/
(#) ( ADM ) [bug?] (#) ( SYN ) [with me?] ( E ) [bug now] [GOB] \ \/ GOBBLES /|-//-
#\//|* *|\\ #\//|* *|\\ //| S |\\ | _____ /-
#\/( * )/ #\/( * )/ \( O )/ | _____ /
# ===== # ===== ===== \ _____ /
# (\_/) # (\_/) (\_/) \_/ \___/
# || || # || || || || \ //
#---'| |----. .#---'| |----. .----'| |----. ||||
#----' -----' #----' -----' '-----' '-----' Z_>>
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
the purpose of the documentry is to familarize wid the general public
wid inner ring members(our idles). the documentry is for the little guy like myself. who has
no connection to da scene but hes interested in popular ring member activitys.
i am pioneering the first interactions between dees rare creatures and the average public.
but i been using der xploits so long i feel like we all best friends.
more to come on dis subject soon.
------------------------
PAST ACCOMPLISHMENTS
i have xploited gera's abo1-10(NOT INCLUDING 2,8,9,10,7,4).c,
i dont understand semaphores,
and dont really know what posix stands for(seriously).
and thats really da end of accomplishments.
------------------------
GREETS
ron1n - i spent 2 days d/ling gobbles speech(56k) , he said your lonely, i'll be your friend.
but im kind of dumb(seriously) so i dunno if you whanna be my friend.
but the whole script kiddie class of 2001 loved remorse.c(i was one of the kids it got leaked to!)
i got da backdoored binary.
i found a possibly xploitable bug in prerr.c of remorse.tar.gz!
dis issue needs to be addressed:
vsnprintf(msg, sizeof msg, fmt, va); //HACKLOG if i can control 'fmt' dis is owned
va_end(va); //HACLOG i dunno what dis does
if(perr) {
/* Not my problem... */
snprintf(msg + strlen(msg), sizeof msg - strlen(msg), ": %s", strerror(serrno));
}
what dif msg dont get nulld! and den sizeof msg - strlen msg
possibly could go negative since msg is on da stack and you never know what be around it,
den since size argument to snprintf is a size_t it will go whacko big!
then it overflow wid strerror(savederrno). i'll mail you wid da bug fix.
in older unixes somtimes strerror might return NULL on error so dis might be local DoS
we can make a small fort out of my parents couch and play twister if you come over.
we can w8 outside gas stations askin people to get us some old english(malt liqor)
i live in da same city as jimjonez so just get an airplane ticket and we'll have a slumber party
just tell my parents you 18 cuz they gunna think its wierd when 20 years old comes to sleep over wid 16 year old boy
n1nor , remorse.c is one of the reasons i tried to learn to code(STILL DONT UNDERSTAND SYS V MESSAGE QUEUES).
so thank you ron1n cuz you cool.
------------------------
BYE
hopefully you be seeing more of me. i am one man team
wid myself working on many a xploit and many a advisory(SERIOUSLY).
i will be helping to bring many more bleeding edge security vulnerabilitys
just like dis one to dis security community. but for now i have to leave
my mom is making me some grilld cheese sandwiches wid grape coolaide
but only if i clean my room(seriously). so bye guys
.=.
//(`)_
//`\/ |\ O`\\
||-.\_|_/.-||
)/ |_____| \(
O # / \ # O
(| 0 o |)
|` * |
O.__.\---/.__.O
`._ `"` _.'
/ ; \ \
O'-' )/`'-0
O` the sad borderline homosexual clown. bazarr.
------=_Part_3282_18800747.1053371779906--
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
