Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: Cristi Dumitrescu <cristid () CHIP RO>
Date: Sat, 6 Jan 2001 04:55:47 -0800

If you're using slackware, you'll find those lines close to the end of
traceroute.c.
The host is *not* given on the command line. It is resolved on the way. But,
as far as I know, there is no way to convince the resolver to pass anything
else besides 1-9, a-z, A-Z, . - and _. I don't know the maximum length and
I'm too lazy to search the sources and find it. Anyway, you would need more
than 4 KB to overwrite something useful and I doubt you could have such a
hostname.
I even tried to exploit it by using /etc/hosts and I could find no way to do
it. After a few hours of gdb-ing, I gave up.


----- Original Message -----
From: "Heinrich Langos" <heinrich () WH9 TU-DRESDEN DE>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, January 05, 2001 10:24 AM
Subject: Re: traceroute-4.4BSD (slack) heap overflow


On Thu, Jan 04, 2001 at 06:08:03PM -0800, Cristi Dumitrescu wrote:
> Hi,
>
> A while ago I was studying the source code for this traceroute... I found
> this in the inetname function:
>
> ...
>         static char line[50];
> ...
>         if (cp)
>                 (void) strcpy(line, cp);
>         else {
> ...
>
> The cp variable holds at that point the hostname for the current host it's
> tracing.

is that the hostname given on the commandline or the hostname as it is
resolved along the way ?

if it is the second you could *maybe* exploit it if you are the
administrator of a DNS server. making all those suckers pay for
resolving your ip address :-)

no seriously. i'm not sure if the length is not limited by the average
libresolv or by the dns protocol. but not checking the length is a big
"NO NO" ... considering that traceroute runs SUID root!

i'll download the sources of my traceroute and check if it also has
this line of code.

-heinrich
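
The pattern the thread is arguing about, shown as an added example that is not traceroute's code and not from either poster: the unchecked strcpy into a fixed 50-byte static buffer, next to a bounded copy that always NUL-terminates and reports truncation, plus a validator that enforces the DNS limits Heinrich was unsure about (RFC 1035: at most 255 octets per name, at most 63 per label) and the character set Cristi listed. The function names, LINE_LEN, and the sample hostnames are constructed for illustration.

```c
/* Added example: vulnerable fixed-buffer copy beside a bounded one, and a
 * hostname sanity check for resolver output. Names and samples are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_LEN 50        /* same size as the static line[50] quoted in the thread */
#define DNS_NAME_MAX 255   /* RFC 1035 upper bound on a hostname in presentation form */
#define DNS_LABEL_MAX 63   /* RFC 1035 upper bound on one label */

/* The pattern under discussion: no length check at all. strlen(cp) >= LINE_LEN
 * writes past the end of the static buffer. Kept only for contrast; the
 * demonstration below never feeds it an oversized name. */
static char line_unchecked[LINE_LEN];
void copy_unchecked(const char *cp) {
    (void) strcpy(line_unchecked, cp);
}

/* Bounded replacement: copies at most dstsz-1 bytes, always NUL-terminates.
 * Returns 1 if the whole name fit, 0 if it was truncated (caller can log that). */
int copy_hostname_bounded(char *dst, size_t dstsz, const char *cp) {
    size_t n = strlen(cp);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, cp, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, cp, n + 1);
    return 1;
}

/* Sanity check for a name that came back from the resolver: total length,
 * per-label length, and an alnum / '-' / '_' / '.' character set.
 * A trailing dot (FQDN form) is accepted; an empty label is not. */
int hostname_is_sane(const char *name) {
    size_t total = strlen(name);
    size_t label = 0;
    if (total == 0 || total > DNS_NAME_MAX)
        return 0;
    for (const char *p = name; *p; p++) {
        if (*p == '.') {
            if (label == 0 || label > DNS_LABEL_MAX)
                return 0;                 /* empty or oversized label */
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '_')
            return 0;                     /* character outside the allowed set */
        label++;
    }
    return label <= DNS_LABEL_MAX;        /* last label (0 if name ended in '.') */
}

int main(void) {
    char line[LINE_LEN];
    /* constructed samples: one that fits in 49 chars, one 54-char name that does not */
    const char *samples[] = {
        "router1.example.net",
        "very-long-label-that-goes-on-and-on-and-on.example.net",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fit = copy_hostname_bounded(line, sizeof line, samples[i]);
        printf("%-56s sane=%d fit=%d -> \"%s\"\n",
               samples[i], hostname_is_sane(samples[i]), fit, line);
    }
    copy_unchecked(samples[0]);           /* safe only because this sample is short */
    return 0;
}
```

The useful signal for a defender is the return value of copy_hostname_bounded: a truncated name during a traceroute is unusual enough to be worth logging, and a name that fails hostname_is_sane should be displayed as the raw address instead.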


