Vulnerability Development mailing list archives
Re: Local root through vulnerability in ping on linux.
From: Ronald Huizer <ronald () GRAFIX NL>
Date: Tue, 22 Aug 2000 13:22:46 -0000
Hi,

The problem seems to exist in the iputils-20000121-2 package and perhaps later (I haven't verified this). The -s size command line parameter to specify the packet size only overflows its outpack[65536] buffer when ping is run as root (I guess Zalewski already pointed this out in a small remark). Even if ping can be tricked into "believing" that root executed it, I still don't see how the program could possibly be exploited (on buggy kernels it's possible to do silly stuff such as setuid(0) in the shellcode, but as our beloved whitehat gerrie mansur already pointed out, it was running on a .16 kernel).

Ping normally fills outpack[] with incrementing byte values (it just writes back its internal counter to the package - see source for this) and overflows the char *hostname with it, which makes ping segfault, since printf() uses hostname as an argument and hostname now points to an illegal virtual memory address.

Even if there was interesting information in the global data structures we overflow, we still will not be able to get into it what we want - I tried to use -p 41414141 or so for this sake, but as soon as the pattern gets specified the F_PINGFILLED flag gets set, fill() is called and the byte by byte for loop copy ping makes gets skipped. Fill() doesn't overflow its target buffer (well, it does, there is an off by one dword error in it, but it doesn't overwrite anything neat).

Someone out there who still thinks this is exploitable?

Hope this helps,

-- Scrippie/ronald () grafix nl
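The check the message keeps returning to, as an added example in C (not code from iputils or from the poster): the outpack bound on the -s data length is enforced for every caller rather than only for non-root users, and the -p pattern fill stops at the requested length instead of at a pattern boundary. UNPRIV_MAX, the function names and the test inputs are assumptions.

```c
#include <stddef.h>

/* Added example modelling ping's -s and -p handling with a fixed outgoing
 * buffer. The buffer bound is checked first and for everyone; the uid
 * check only tightens it. All names here are hypothetical. */
#define MAXPACKET   65536   /* outgoing packet buffer size, as in ping   */
#define ICMP_HDRLEN 8       /* echo header that precedes the data bytes  */
#define UNPRIV_MAX  2048    /* constructed extra cap for non-root callers */

static unsigned char outpack[MAXPACKET];

/* 0 if datalen fits in outpack after the header, -1 otherwise. */
int check_datalen(long datalen, int is_root)
{
    if (datalen < 0 || datalen > (long)(MAXPACKET - ICMP_HDRLEN))
        return -1;                       /* would run past outpack */
    if (!is_root && datalen > UNPRIV_MAX)
        return -1;                       /* policy cap, not a safety check */
    return 0;
}

/* Bounded version of the default fill: incrementing byte values.
 * Returns the number of data bytes written, 0 if the length is refused. */
size_t fill_counter(long datalen, int is_root)
{
    if (check_datalen(datalen, is_root) != 0)
        return 0;
    for (long i = 0; i < datalen; i++)
        outpack[ICMP_HDRLEN + i] = (unsigned char)i;
    return (size_t)datalen;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Bounded version of fill(): repeats an up-to-16-byte hex pattern over the
 * data area and stops exactly at datalen, never on a whole-pattern boundary. */
size_t fill_pattern(const char *hex, long datalen, int is_root)
{
    unsigned char pat[16];
    size_t plen = 0;
    if (check_datalen(datalen, is_root) != 0 || hex == NULL)
        return 0;
    for (; hex[0] != '\0' && plen < sizeof pat; hex += 2, plen++) {
        int hi = hexval(hex[0]), lo = hex[1] ? hexval(hex[1]) : -1;
        if (hi < 0 || lo < 0)
            return 0;                    /* malformed or odd-length pattern */
        pat[plen] = (unsigned char)((hi << 4) | lo);
    }
    if (plen == 0)
        return 0;
    for (long i = 0; i < datalen; i++)
        outpack[ICMP_HDRLEN + i] = pat[i % plen];
    return (size_t)datalen;
}
```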