|
------=_Part_3282_18800747.1053371779906 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit dis advisory contains many a ascii diagram so it is attached in .txt -bazarr ------=_Part_3282_18800747.1053371779906 Content-Type: text/plain; name=bazarr-slocate-adv.txt Content-Transfer-Encoding: 7bit Content-Disposition: ATTACHMENT; filename=bazarr-slocate-adv.txt /* slocate <= x.x integer overflow advisory!!! */ /* by: bazarr */ /* bazarr@ziplip.com */ /* bazarr episode #1 */ ------------------------ PREFACE today after i got home from soccer practice (i am the only male cheer leader on the team. the only cheer leader on the team at all actually) and everytime i asked the coach to let me play the, coach kept saying i fight for 'the pink team'. whatever that means. feeling sad that we lost against the lilly pads and my mom dident buy me spy kids 2 for dvd. i came home and was clicking and pointing around everywhere on my laptop and i came across slocate. seeing the 'secure' in its name i figured i was safe from EVIL. I WAS WRONG lets take a look at vendor info: Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding just like GNU locate to compress its database to make searching faster, but it will also store file permissions and ownership so that users will not see files they do not have access to. It is a bit slower than the GNU locate, but thats the price for security. ------------------------ BEEF after trying numerous perl -e attemps to hack slocate i decided this time i actually have to look at the src code. after seeing the revolutionary phrack artical i learned that new integer overflow attack or int too big attack is becomming very very popular. i decided to grep main.c of slocate for all lines conatining word 'int' i came across the function parse_decode_path(). this function contains numerous int type varibles. all wid possibility for int too big attack lets take a look at source code: void parse_decode_path(char *path) { char *pathcopy; char *part; int i; int res_errno; /* Make sure path is not empty */ if (!path || strlen(path) == 0) return; /* Check how many paths are currently in the string. */ i = 1; part = path; while ((part = strchr(part+1, ':'))) i++; //dis /* Allocate enough space to fit existing paths plus new one */ SLOCATE_PATH = malloc(i * sizeof(char *)); //dis be it right here if (!SLOCATE_PATH) report_error(FATAL,QUIET,"%s: parse_decode_path: 'SLOCATE_PATH': malloc: %s\n",progname,strerror(errno)); pathcopy = malloc(strlen(path)+1); if (!pathcopy) report_error(FATAL,QUIET,"%s: parse_decode_path: 'pathcopy': malloc: %s\n",progname,strerror(errno)); strcpy(pathcopy,path); .... while (part) { /* Make sure the path is valid */ if (!(res_errno = validate_db(part))) SLOCATE_PATH[i++] = part; else { if (res_errno == -1) report_error(WARNING,QUIET,"%s: this is not a valid slocate database: %s\n",progname,part); else report_error(WARNING,QUIET,"%s: could not open database: %s: %s\n",progname,part,strerror(res_erres_errno)); } /* Get next path */ part = strtok(NULL, ":"); } .... } ..... main (int argc,char **argv) { ..... parse_decode_path(getenv("LOCATE_PATH")); ..... } who can also see the int too big attack possiblilty here? while ((part = strchr(part+1, ':'))) i++; we can control 'part' so we can make 'i' as big as we want! den it go like dis SLOCATE_PATH = malloc(i * sizeof(char *)); if we can get more den 536870912 ':'s into path we can force it to malloc TOO LOW. its working like dis: | _ | _.-' ) dis dead bear represents malloc | (_ , '\ __ he od'd on dxm and coke | \__^/` _) | .-'_ \ | (_.' \ '--. | /_ /`-._/ | (__/ | (__) dis cow represents what figure 1 is sposed to malloc. | OO )_______ dis cow is obvisouly healthy but hes high on weed | |_/\ |\ and lsd. notice his pupils very big. and he look paranoid. | ||___ | \ | || W|| | \\ dis rabbit represents what figure 1 (dead bear) might malloc in case of 'int too big' attack | \\_ dis rabbit is very small cannot and go pound for pound wid a big buffer. | .---(') | o( )_-\_ it has come to attention that not all linux kernel allow 536870912 bytes of arguments for programs over command line. i know many a people who have argument list problems have recompiled dey kernel redefining MAX_ARG_PAGES to a bigger value wich let them put 536870912 bytes into program arg list. for dose certain people. dey vuln to dis bug wich could let a hacker gain root on machine. ------------------------ PATCH slocate needs to check to make sure value of 'i' is not > SLOCATE_CODER_DEFINE_DIS before it mallocs to 'i' * 4. (NOTE: 4 is sizeof(char*)) ------------------------ END NOTES obvisously not everyone vuln to dis bug and many others like it. but someone out dare might just find themselfs wid no /var/log cuz a hacker gained root and used the rm(1) program to rm all files in directory. dis is not as far fetched as it seem. dis is not sposed to alarm da whole world but it sposed to spark conversation. thank you, send fan mail to bazarr@ziplip.com, plz angry blackhats do not send hate mail , i know i just exposed a bug wich you probly been using for long time to gain root on machines, but its time for this bug to come forward. ------------------------ ADVANCE WARNING xploit for popular program shipped wid debian by default wich allow hackers to gain root is comming soon. but only if bugtraq take me seriously. i am very serious security researcher i want nothing more den to help the security world. i know some people think i am a little bazarr but that is just me cuz i am bazarr. im also comming out wid documentry series on ring member species. the inner ring member species is a select group sharing information/xploits. and somtimes they xploit double free bugs in ftpd's. and off by one qpoppers. the documentry will be covering der tribulistic riturals. including mating ritural wich is very rare information. dis is an actual photograph of many inner ring member gathering from many tribes: \\\|||/// \\\|||/// \\\|||/// __ . ======= . ======= ======= _/o \ // / \| o O | /|\| O o | | O o | /_ | |//|/ \ / \ _'/-[hear about] \|/ \ -'/-[ya whanna] \ -'/-[im workin on] [GOB]- W\ / |///// # _| |_ [proftpd] # _| |_ [work on it] _|T|_ [the qpop] [GOBBLE] \ \ __________||//|/ (#) ( ADM ) [bug?] (#) ( SYN ) [with me?] ( E ) [bug now] [GOB] \ \/ GOBBLES /|-//- #\//|* *|\\ #\//|* *|\\ //| S |\\ | _____ /- #\/( * )/ #\/( * )/ \( O )/ | _____ / # ===== # ===== ===== \ _____ / # (\_/) # (\_/) (\_/) \_/ \___/ # || || # || || || || \ // #---'| |----. .#---'| |----. .----'| |----. |||| #----' -----' #----' -----' '-----' '-----' Z_>> """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" the purpose of the documentry is to familarize wid the general public wid inner ring members(our idles). the documentry is for the little guy like myself. who has no connection to da scene but hes interested in popular ring member activitys. i am pioneering the first interactions between dees rare creatures and the average public. but i been using der xploits so long i feel like we all best friends. more to come on dis subject soon. ------------------------ PAST ACCOMPLISHMENTS i have xploited gera's abo1-10(NOT INCLUDING 2,8,9,10,7,4).c, i dont understand semaphores, and dont really know what posix stands for(seriously). and thats really da end of accomplishments. ------------------------ GREETS ron1n - i spent 2 days d/ling gobbles speech(56k) , he said your lonely, i'll be your friend. but im kind of dumb(seriously) so i dunno if you whanna be my friend. but the whole script kiddie class of 2001 loved remorse.c(i was one of the kids it got leaked to!) i got da backdoored binary. i found a possibly xploitable bug in prerr.c of remorse.tar.gz! dis issue needs to be addressed: vsnprintf(msg, sizeof msg, fmt, va); //HACKLOG if i can control 'fmt' dis is owned va_end(va); //HACLOG i dunno what dis does if(perr) { /* Not my problem... */ snprintf(msg + strlen(msg), sizeof msg - strlen(msg), ": %s", strerror(serrno)); } what dif msg dont get nulld! and den sizeof msg - strlen msg possibly could go negative since msg is on da stack and you never know what be around it, den since size argument to snprintf is a size_t it will go whacko big! then it overflow wid strerror(savederrno). i'll mail you wid da bug fix. in older unixes somtimes strerror might return NULL on error so dis might be local DoS we can make a small fort out of my parents couch and play twister if you come over. we can w8 outside gas stations askin people to get us some old english(malt liqor) i live in da same city as jimjonez so just get an airplane ticket and we'll have a slumber party just tell my parents you 18 cuz they gunna think its wierd when 20 years old comes to sleep over wid 16 year old boy n1nor , remorse.c is one of the reasons i tried to learn to code(STILL DONT UNDERSTAND SYS V MESSAGE QUEUES). so thank you ron1n cuz you cool. ------------------------ BYE hopefully you be seeing more of me. i am one man team wid myself working on many a xploit and many a advisory(SERIOUSLY). i will be helping to bring many more bleeding edge security vulnerabilitys just like dis one to dis security community. but for now i have to leave my mom is making me some grilld cheese sandwiches wid grape coolaide but only if i clean my room(seriously). so bye guys .=. //(`)_ //`\/ |\ O`\\ ||-.\_|_/.-|| )/ |_____| \( O # / \ # O (| 0 o |) |` * | O.__.\---/.__.O `._ `"` _.' / ; \ \ O'-' )/`'-0 O` the sad borderline homosexual clown. bazarr. ------=_Part_3282_18800747.1053371779906--