Subject: Possible buffer overflow bug in locate
To: None <tech-security@netbsd.org>
From: Rick Byers <rb-netbsd@BigScaryChildren.net>
List: tech-security
Date: 08/01/2001 16:06:09
Hi,
After reading some discussion on bugtraq about locate under Linux, I
took a look at NetBSD's locate.  During the updatedb phase of /etc/weekly,
locate.db is owned by nobody, so it would be possible for someone to get
in there and modify it (since web servers often run CGIs as nobody).

Normally I wouldn't expect a modification of the locate database to be a
real security problem, but there is at least one place in the locate code
where a buffer on the stack could be overrun due to the contents of the
database.  For example, on line 195 characters are read from the database
and copied into the 'path' buffer until one with value <= 30 is seen.

I admit it would probably be hard to build interesting assembly code with
all bytes between 30 and 128, but it could theoretically be exploited.
For example, it might be possible to have a few bytes that cause a jump to
the file buffer, which could then contain arbitrary code.  Specifically,
an attacker could exec a script or another program which would bestow
setuid on a file if locate is being run as root.  It might be tricky to
make locate behave properly afterwards, but probably not impossible.

At the very least, the buffer overflow potential in locate should be
fixed.  I'll be happy to submit a patch if someone will commit it, but
it'll have to wait for a couple weeks (I really should be studying for my
finals).  Ideally, there would be some way to construct the database
without it ever being writable by a non-root user.  I find locate to be an
indispensable tool, and I often use it as root.

Thanks,
	Rick
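Added illustration of the overflow pattern the mail describes, written for this page; it is not NetBSD's locate source and not part of the original message. It models a decoder that reads a prefix-count byte and then copies bytes into a stack buffer until it reads one with value <= SWITCH, first in the unchecked form the mail objects to and then with bounds checks. The record layout, the constants SWITCH, OFFSET and PATHSZ, the omission of locate's bigram coding, and both sample databases are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define SWITCH 30   /* assumption for this example: a byte <= SWITCH ends a path run */
#define OFFSET 14   /* assumption: bias added to the signed prefix-count delta        */
#define PATHSZ 32   /* deliberately small stack buffer so the overrun is easy to see */

/* Constructed sample database (not a real locate.db).  Each record is:
 *   <delta + OFFSET>  <path bytes, all > SWITCH ...>  <SWITCH>
 * where delta adjusts how many leading bytes are shared with the previous path.
 * Record 1: share 0, append "/etc".  Record 2: share 4 more, append "/passwd". */
static const unsigned char BENIGN_DB[] = {
    0 + OFFSET, '/', 'e', 't', 'c', SWITCH,
    4 + OFFSET, '/', 'p', 'a', 's', 's', 'w', 'd', SWITCH,
};

/* Constructed hostile database: one record whose path run is 60 bytes of 'A'
 * (0x41 > SWITCH), almost twice PATHSZ.  Returns the number of bytes written. */
static size_t build_hostile(unsigned char *out, size_t cap)
{
    size_t n = 0;
    if (cap < 62)
        return 0;
    out[n++] = 0 + OFFSET;
    memset(out + n, 'A', 60);
    n += 60;
    out[n++] = SWITCH;
    return n;
}

/* VULNERABLE pattern from the mail: bytes are copied into a stack buffer until
 * one <= SWITCH is read, with no check against the buffer's size, and the
 * database also controls where in the buffer the copy starts.  Only call this
 * with a trusted database; on build_hostile() output it overruns path.
 * `last` must have room for PATHSZ bytes and receives the final decoded path. */
static int decode_unchecked(const unsigned char *db, size_t len, char *last)
{
    char path[PATHSZ];
    int count = 0, nrec = 0;
    size_t i = 0;

    path[0] = '\0';
    while (i < len) {
        char *p;
        count += (int)db[i++] - OFFSET;   /* attacker-controlled, unchecked */
        p = path + count;
        while (i < len && db[i] > SWITCH)
            *p++ = (char)db[i++];         /* no bound on p */
        if (i < len)
            i++;                          /* consume the SWITCH terminator */
        *p = '\0';
        nrec++;
    }
    strcpy(last, path);
    return nrec;
}

/* Hardened decoder: the same algorithm, but every write is bounded and the
 * prefix count must stay inside the path decoded so far.  Returns the number
 * of records, or -1 if the database is malformed or a record would not fit. */
static int decode_checked(const unsigned char *db, size_t len, char *last)
{
    char path[PATHSZ];
    int count = 0, nrec = 0;
    size_t i = 0;

    path[0] = '\0';
    while (i < len) {
        char *p, *end = path + PATHSZ - 1;  /* keep one byte for the NUL */
        int delta = (int)db[i++] - OFFSET;

        if (count + delta < 0 || count + delta > (int)strlen(path))
            return -1;                      /* prefix outside current path */
        count += delta;
        p = path + count;
        while (i < len && db[i] > SWITCH) {
            if (p >= end)
                return -1;                  /* record longer than PATHSZ-1 */
            *p++ = (char)db[i++];
        }
        if (i >= len)
            return -1;                      /* run not terminated */
        i++;                                /* consume the SWITCH terminator */
        *p = '\0';
        nrec++;
    }
    strcpy(last, path);
    return nrec;
}

int main(void)
{
    unsigned char hostile[64];
    char last[PATHSZ];
    size_t n = build_hostile(hostile, sizeof hostile);
    int rc;

    rc = decode_unchecked(BENIGN_DB, sizeof BENIGN_DB, last);
    printf("unchecked, benign db: %d records, last = %s\n", rc, last);
    rc = decode_checked(BENIGN_DB, sizeof BENIGN_DB, last);
    printf("checked, benign db:   %d records, last = %s\n", rc, last);
    rc = decode_checked(hostile, n, last);
    printf("checked, hostile db:  rc = %d (rejected)\n", rc);
    return 0;
}
```

Both decoders agree on the benign database; only decode_checked is run on the hostile one, because decode_unchecked would write past the end of its 32-byte stack buffer exactly as the mail warns. Bounding the copy fixes the overflow itself but does nothing about the other point in the mail, a database that is writable by nobody while it is being built, which still has to be solved in /etc/weekly.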