Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: Techno Bob <tbob () TECHIE COM>
Date: Fri, 5 Jan 2001 16:42:53 -0500

------Original Message------

Hi,

A while ago I was studying the source code for this traceroute... I found
this in the inetname function:

....
static char line[50];          /* fixed 50-byte static buffer */
....
if (cp)
	(void) strcpy(line, cp);   /* unbounded copy of the hostname into line[] */
else {
....

The cp variable at that point holds the hostname of the current host it's
tracing. If the hostname is a little bigger than 4096+50 chars, it will
overflow some other variables in the heap. You can easily check this by
modifying your /etc/hosts; I remember I made it segfault, though I don't
remember exactly how. Anyway, I debugged it and ltraced it for a couple of
hours and I doubt an exploit could be done, especially given the fact that
it's a hostname we're overflowing. So I thought I'd post it here; maybe
someone thinks of a way to actually do something with this.

-----------------------

I actually spotted something very much like this recently whilst writing a
traceroute-like program, but I assumed I was looking at an old version and
that this would've been fixed by now.
I'm not entirely sure _how_ you would exploit this, which is probably why
they made it static rather than local.
The function inetname actually returns the overflowed buffer "line", which is
printed by printf as %s. Because printf() FILE structures are held in the
heap, you could overwrite the FILE structure to point to any file (as
traceroute is root) to be overwritten with the string "line".
Or I could be totally wrong.
Anyway, if anyone knows whether I'm right, or just totally young, wrong
and naive, I'd like to know.

Thanx
TBob
"Veni Vermini Vomui"

PS
Apologies to Cristi, as I originally sent this to him personally by mistake.
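As an added illustration (this is not traceroute's code and not part of the original thread), the copy pattern from the quoted inetname() fragment next to a bounded replacement. The function names inetname_unsafe, inetname_safe, would_overflow and long_hostname are this example's own, and the oversized name is constructed here to stand in for a long /etc/hosts entry. The unsafe variant is only ever called with input that fits, since an actual overflow is undefined behaviour; would_overflow() is the length check the original strcpy() omits.

```c
/* Added example, not traceroute's own code. Names below are this
 * example's own; LINE_SZ matches traceroute's static char line[50]. */
#include <stdio.h>
#include <string.h>

#define LINE_SZ 50

static char line[LINE_SZ];  /* static, so it lives in .bss, not on the stack */

/* The check the quoted code does not make: strcpy(line, cp) writes
 * strlen(cp)+1 bytes, so any name of LINE_SZ or more bytes overflows. */
int would_overflow(const char *cp)
{
    return cp != NULL && strlen(cp) >= LINE_SZ;
}

/* Mirrors the quoted fragment. Only call this when the copy fits. */
const char *inetname_unsafe(const char *cp)
{
    (void) strcpy(line, cp);
    return line;
}

/* Bounded version: copies at most LINE_SZ-1 bytes, always NUL-terminates,
 * and reports truncation instead of silently corrupting adjacent data. */
const char *inetname_safe(const char *cp, int *truncated)
{
    size_t n = strlen(cp);
    *truncated = 0;
    if (n >= LINE_SZ) {
        n = LINE_SZ - 1;
        *truncated = 1;
    }
    memcpy(line, cp, n);
    line[n] = '\0';
    return line;
}

/* Constructed input standing in for an oversized /etc/hosts entry:
 * a hostname of `len` 'a' characters (capped at the helper's buffer). */
const char *long_hostname(size_t len)
{
    static char name[4200];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'a', len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    const char *ok = "router.example";
    const char *big = long_hostname(4096 + 60);  /* the "4096+50" case above */
    int trunc;

    printf("%s: would_overflow=%d\n", ok, would_overflow(ok));
    printf("unsafe copy of short name: %s\n", inetname_unsafe(ok));
    printf("%zu-byte name: would_overflow=%d\n", strlen(big), would_overflow(big));
    inetname_safe(big, &trunc);
    printf("safe copy: len=%zu truncated=%d\n", strlen(line), trunc);
    return 0;
}
```

The point of reporting truncation rather than just clipping is that a hostname silently cut to 49 bytes can still mislead whoever reads the trace output; a caller can then decide to print the raw address instead.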



