Bugtraq mailing list archives
Re: Very interesting traceroute flaw
From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Fri, 29 Sep 2000 12:47:43 +0200
> I'm starting with a credit section because I did not discover this flaw. The flaw was discovered by Pekka Savola <pekkas () netcore fi>, who noted that traceroute could be caused to crash, which is pretty suboptimal behaviour for a suid-root program :-) I took this forward and speculate that in fact this very minor code flaw may well be exploitable.

Even though Solaris 7 and later include LBNL traceroute, the first
version of the source checked into SCCS has the following interesting
comment (this branch dates from 98/01/12):

    /*
     * LBNL bug fixed: used to call savestr(), which was buggy
     * it gives bus error when more than one -g used
     * savestr.h removed
     */

The code was completely removed when IPv6 support was integrated much
later.
Casper
