Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: geoff <geoff () cardboardtransmitter net>
Date: Tue, 22 Aug 2000 21:44:25 -0400

On Mon, 21 Aug 2000 18:06:28 +0200, you wrote:

On Monday, 21 August 2000 at 10:26:34 +0200, Michal Zalewski wrote:

What about 'traceroute -g 127.0.0.1 127.0.0.1' and other combinations
(depending on DNS entry and IP number representation, you can cause many
interesting memory dumps or some SEGVs on RH 6.2 Linux box and many other
boxes as well)?

        Yes, certainly. This is a Debian 2.2:

$ /usr/sbin/traceroute -g 127.0.0.1 127.0.0.1
traceroute to  (127.0.0.1), 30 hops max, 46 byte packets
traceroute: sendto: Argumento inválido
1 traceroute: wrote WUJ¡9å 46 _ =1

        After this, the chars on screen got scrambled as if you had typed
        ^V^N^M at the shell prompt. traceroute version 1.4a5-2 installed.


lcamtuf () tpi pl


[geoff@schubert geoff]$ uname -a
Linux schubert.nodecaf.com 2.2.14-15mdk #1 Tue Jan 4 22:24:20 CET 2000 i686 unknown
[geoff@schubert geoff]$ /usr/sbin/traceroute -g 127.0.0.1 255.255.255.255
Segmentation fault
[geoff@schubert geoff]$  /usr/sbin/traceroute -g 127.0.0.1 127.0.0.1    
traceroute to  (127.0.0.1), 30 hops max, 46 byte packets
traceroute: sendto: Invalid argument
 1 traceroute: wrote %H

,£9×2
 46 chars, ret=-1
 *traceroute: sendto: Invalid argument
traceroute: wrote gE

,£9?4
 46 chars, ret=-1

[geoff@schubert geoff]$

----

[geoff@devweb geoff]$ uname -a
Linux devweb.nodecaf.com 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
[geoff@devweb geoff]$ /usr/sbin/traceroute -g 127.0.0.1 255.255.255.255
Segmentation fault
[geoff@devweb geoff]$  /usr/sbin/traceroute -g 127.0.0.1 127.0.0.1
traceroute to  (127.0.0.1), 30 hops max, 46 byte packets
traceroute: sendto: Invalid argument
 1 traceroute: wrote R‚

Ò+£9ŒÚ
                                46 chars, ret=-1

[geoff@devweb geoff]$ 

-----

[geoff@snuggles geoff]$ uname -a
FreeBSD snuggles.nodecaf.com 4.0-20000307-CURRENT FreeBSD 4.0-20000307-CURRENT #0: Wed Mar  8 00:14:33 GMT 2000 root () monster cdrom com:/usr/src/sys/compile/GENERIC  i386
[geoff@snuggles geoff]$ /usr/sbin/traceroute -g 127.0.0.1 127.0.0.1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 48 byte packets
 1  * * *
 2  * * *
^C
[geoff@snuggles geoff]$ /usr/sbin/traceroute -g 127.0.0.1 255.255.255.255
traceroute to 255.255.255.255 (255.255.255.255), 30 hops max, 48 byte packets
 1  * * *
 2  * * *
^C
[geoff@snuggles geoff]$ 

-----

-- 
geoff

A UI is about making the computer's power easy to exploit, not about making new users feel comfortable.
  -- http://slashdot.org/comments.pl?sid=00/08/18/1711210&cid=83

