Vulnerability Development mailing list archives
Re: Local root through vulnerability in ping on linux.
From: "Goense, Jacob" <Jacob.Goense () KPNQWEST COM>
Date: Sun, 20 Aug 2000 20:36:21 +0200
Gerrie wrote on 19 August 2000 12:18 To VULN-DEV () SECURITYFOCUS COM:
Again some blackhats have a zeroday exploit in their hands.
How unethical of them! Don't they believe in full disclosure anymore?
It exploits a bug in the linux kernel by using ping, does someone have more info?
Unfortunately I am not aware of any kernel issues concerning ping, but maybe the following is useful for you or anyone else.

[root@localhost /root]# uname -a
Linux localhost.localdomain 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 100 localhost
PING localhost.localdomain (127.0.0.1) from 127.0.0.1 : 100(128) bytes of data.
108 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.0 ms

--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 65689 localhost
WARNING: packet size 65689 is too large. Maximum is 65507
PING 'ô@Èüÿ¿ ¡ (127.0.0.1) from 127.0.0.1 : 65689(65717) bytes of data.
ping: sendto: No buffer space available
ping: wrote 'ô@Èüÿ¿ ¡ 65697 chars, ret=-1

--- 'ô@Èüÿ¿ ¡ ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@localhost /root]#
[root@localhost /root]# gdb ping core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
Core was generated by `ping -c 1 -s 65690 localhost'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0 0x4005e72a in _IO_vfprintf (s=0x40104c60, format=0x804b40b "PING %s (%s) ", ap=0xbffffb38) at vfprintf.c:1259
1259 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x4005e72a in _IO_vfprintf (s=0x40104c60, format=0x804b40b "PING %s (%s) ", ap=0xbffffb38) at vfprintf.c:1259
#1 0x40064f70 in printf (format=0x804b40b "PING %s (%s) ") at printf.c:31
#2 0x8049b49 in alarm ()
#3 0x400301eb in __libc_start_main (main=0x8048de0 <alarm+276>, argc=6, argv=0xbffffd14, init=0x80489dc, fini=0x804af9c <alarm+8912>, rtld_fini=0x4000a610 <_dl_fini>, stack_end=0xbffffd0c) at ../sysdeps/generic/libc-start.c:90
(gdb) info registers
eax 0x0 0
ecx 0xffffffff -1
edx 0xbffffb0f -1073743089
ebx 0x4010648c 1074816140
esp 0xbffff484 0xbffff484
ebp 0xbffffb10 0xbffffb10
esi 0xbfff9998 -1073768040
edi 0xbfff9998 -1073768040
eip 0x4005e72a 0x4005e72a
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
(gdb)

Regards,
--
----------------------------------------------------------------------