Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: Ronald Huizer <ronald () GRAFIX NL>
Date: Tue, 22 Aug 2000 13:22:46 -0000

Hi,

the problem seems to be present in the iputils-20000121-2
package and perhaps later (I haven't verified this).
The -s size command line parameter to specify the packet
size only overflows its outpack[65536] buffer when ping is
run as root (I guess Zalewski already pointed this out in a
small remark).

Even if ping can be tricked into "believing" that root
executed it, I still don't see how the program could
possibly be exploited (on buggy kernels it's possible to do
silly stuff such as setuid(0) in the shellcode, but as our
beloved whitehat Gerrie Mansur already pointed out, it was
running on a .16 kernel).

Ping normally fills outpack[] with incrementing byte values
(it just writes back its internal counter to the packet -
see source for this) and overflows the char *hostname with
it, which makes ping segfault, since printf() uses
hostname as an argument and hostname now points to an
illegal virtual memory address. Even if there was
interesting information in the global data structures we
overflow, we still will not be able to get in it what we
want - I tried to use -p 41414141 or so for this sake, but
as soon as the pattern gets specified the F_PINGFILLED flag
gets set, fill() is called and the byte-by-byte for-loop
copy ping makes gets skipped. Fill() doesn't overflow its
target buffer (well, it does, there is an off-by-one dword
error in it, but it doesn't overwrite anything neat).
Someone out there who still thinks this is exploitable?

Hope this helps,

-- Scrippie/ronald () grafix nl
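The defensive lesson of the post is that a length check which applies only to unprivileged callers leaves the fixed-size buffer exposed to a root invocation. The following is an added illustration (not iputils code, nor the poster's) of deriving the -s limit from the buffer itself and applying it to every caller; the 8-byte ICMP header and the function names are assumptions, the 65536-byte outpack[] comes from the post.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed example: buffer size as in the post, header size assumed. */
#define MAXPACKET    65536
#define ICMP_HDR_LEN 8

static unsigned char outpack[MAXPACKET];

/* Parse the -s argument. The bound comes from sizeof(outpack), not from
 * the caller's uid, so a privileged run cannot exceed the buffer either.
 * Returns 0 on success, -1 on a malformed or out-of-range value. */
int parse_datalen(const char *arg, size_t *datalen)
{
    char *end;
    unsigned long v;

    /* Reject empty input, signs, whitespace and trailing garbage. */
    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (*end != '\0' || errno == ERANGE)
        return -1;
    if (v > sizeof(outpack) - ICMP_HDR_LEN)
        return -1;
    *datalen = (size_t)v;
    return 0;
}

/* Fill the data part of outpack with a repeating pattern, stopping at the
 * end of the space reserved for this packet rather than at the end of the
 * array. Returns the number of bytes written, 0 if the request is invalid. */
size_t fill_pattern(size_t datalen, const unsigned char *pat, size_t patlen)
{
    unsigned char *bp = outpack + ICMP_HDR_LEN;
    size_t i;

    if (pat == NULL || patlen == 0 ||
        datalen > sizeof(outpack) - ICMP_HDR_LEN)
        return 0;
    for (i = 0; i < datalen; i++)
        bp[i] = pat[i % patlen];
    return datalen;
}
```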

