Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: "Goense, Jacob" <Jacob.Goense () KPNQWEST COM>
Date: Sun, 20 Aug 2000 20:36:21 +0200

Gerrie wrote on 19 August 2000 12:18 To VULN-DEV () SECURITYFOCUS COM:

> Again some blackhats have a zeroday exploit in their hands.

How unethical of them! Don't they believe in full disclosure anymore?

> It exploits a bug in the linux kernel by using ping, does
> someone have more info?

Unfortunately I am not aware of any kernel issues concerning ping, but
maybe the following is useful for you or anyone else.

[root@localhost /root]# uname -a
Linux localhost.localdomain 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 100 localhost
PING localhost.localdomain (127.0.0.1) from 127.0.0.1 : 100(128) bytes of data.
108 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.0 ms

--- localhost.localdomain ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 65689 localhost
WARNING: packet size 65689 is too large. Maximum is 65507
PING 'ô@Èüÿ¿ ¡ (127.0.0.1) from 127.0.0.1 : 65689(65717) bytes of data.
ping: sendto: No buffer space available
ping: wrote 'ô@Èüÿ¿ ¡ 65697 chars, ret=-1

--- 'ô@Èüÿ¿ ¡ ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@localhost /root]#
[root@localhost /root]# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@localhost /root]#
[root@localhost /root]# gdb ping core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
Core was generated by `ping -c 1 -s 65690 localhost'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
#0  0x4005e72a in _IO_vfprintf (s=0x40104c60, format=0x804b40b "PING %s (%s) ", ap=0xbffffb38) at vfprintf.c:1259
1259    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x4005e72a in _IO_vfprintf (s=0x40104c60, format=0x804b40b "PING %s (%s) ", ap=0xbffffb38) at vfprintf.c:1259
#1  0x40064f70 in printf (format=0x804b40b "PING %s (%s) ") at printf.c:31
#2  0x8049b49 in alarm ()
#3  0x400301eb in __libc_start_main (main=0x8048de0 <alarm+276>, argc=6, argv=0xbffffd14, init=0x80489dc,
    fini=0x804af9c <alarm+8912>, rtld_fini=0x4000a610 <_dl_fini>, stack_end=0xbffffd0c) at ../sysdeps/generic/libc-start.c:90
(gdb) info registers
eax            0x0      0
ecx            0xffffffff       -1
edx            0xbffffb0f       -1073743089
ebx            0x4010648c       1074816140
esp            0xbffff484       0xbffff484
ebp            0xbffffb10       0xbffffb10
esi            0xbfff9998       -1073768040
edi            0xbfff9998       -1073768040
eip            0x4005e72a       0x4005e72a
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
(gdb)


Regards,

-- 
----------------------------------------------------------------------
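Editor's note on the session above, with an added example that is not part of the post and not netkit's ping source. Two things in the transcript are worth reading together: ping prints "WARNING: packet size ... is too large. Maximum is 65507" and then carries on, and the hostname in the "PING %s (%s)" banner comes out as garbage at -s 65689 and faults inside printf one byte later at 65690. That pattern is what you see when an oversized payload is written into a fixed send buffer and runs on into whatever is stored after it, here the data the banner is printed from. The C below models exactly that in a single arena so it runs safely: a send buffer followed directly by the hostname, a warn-but-proceed fill beside a reject-and-return fill. The buffer size (65536), hostname size (64), their adjacency and the function names are assumptions for the demonstration, not netkit's layout; the 65507 limit is the one ping itself reports.

```c
/* Added example (not netkit's ping source): models the warn-but-proceed
 * pattern behind the session above. Sizes and layout are assumptions. */
#include <stdio.h>
#include <string.h>

#define IP_MAXPACKET  65535
#define IPHDR_LEN     20
#define ICMPHDR_LEN   8
#define MAX_DATALEN   (IP_MAXPACKET - IPHDR_LEN - ICMPHDR_LEN)  /* 65507 */

#define OUTPACK_SIZE  65536   /* assumed size of the fixed send buffer */
#define HOST_SIZE     64      /* assumed size of the adjacent hostname */
#define ARENA_SIZE    (OUTPACK_SIZE + HOST_SIZE)

/* One flat arena stands in for static storage: the packet buffer followed
 * directly by the hostname string. Keeping both inside one array makes the
 * overrun observable without the demo itself misbehaving. */
static unsigned char arena[ARENA_SIZE];
#define OUTPACK   (arena)
#define HOSTNAME  ((char *)(arena + OUTPACK_SIZE))
static const char expected_host[] = "localhost.localdomain";

static void reset_state(void)
{
    memset(arena, 0, sizeof arena);
    memcpy(HOSTNAME, expected_host, sizeof expected_host);
}

/* Returns 1 if the hostname the banner would print is no longer intact. */
int banner_corrupted(void)
{
    return memcmp(HOSTNAME, expected_host, sizeof expected_host) != 0;
}

/* Vulnerable pattern: warn about an oversized payload, then fill it anyway.
 * The payload starts after the 8-byte ICMP header, as in an echo request.
 * Returns banner_corrupted() so the effect can be checked per size. */
int fill_packet_vulnerable(size_t datalen)
{
    reset_state();
    if (datalen > MAX_DATALEN)
        printf("WARNING: packet size %zu is too large. Maximum is %d\n",
               datalen, MAX_DATALEN);
    /* Demo-only clamp so the write stays inside the arena; the real bug
     * has no such limit and keeps writing into whatever follows. */
    if (datalen > ARENA_SIZE - ICMPHDR_LEN)
        datalen = ARENA_SIZE - ICMPHDR_LEN;
    memset(OUTPACK + ICMPHDR_LEN, 0x41, datalen);
    return banner_corrupted();
}

/* Hardened pattern: an oversized request is an error, not a warning, so
 * datalen can never exceed what the buffer was sized for.
 * Returns 0 on success, -1 if the request was rejected. */
int fill_packet_checked(size_t datalen)
{
    reset_state();
    if (datalen > MAX_DATALEN) {
        fprintf(stderr, "ping: packet size %zu is too large. Maximum is %d\n",
                datalen, MAX_DATALEN);
        return -1;
    }
    memset(OUTPACK + ICMPHDR_LEN, 0x41, datalen);
    return 0;
}

int main(void)
{
    /* Constructed sizes: the ones used in the session, plus the limit. */
    size_t sizes[] = { 100, 65507, 65689, 65690 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = sizes[i];
        int clobbered = fill_packet_vulnerable(n);
        int accepted  = fill_packet_checked(n) == 0;
        printf("-s %-6zu vulnerable: hostname %s; checked: %s\n",
               n, clobbered ? "CLOBBERED" : "intact",
               accepted ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows 100 and 65507 leaving the hostname intact in both versions, while 65689 and 65690 clobber it in the vulnerable fill and are refused outright by the checked one. The practitioner's takeaway is the check itself: a size limit that is only printed is not a limit, and a setuid program like ping must reject, not merely warn about, input that exceeds the buffer it was compiled with.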