Bugtraq mailing list archives

ping


From: brian () saturn net (Brian Mitchell)
Date: Sun, 21 Jul 1996 16:08:28 -0400


There is a (somewhat difficult to exploit) security hole in the ping program
(NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based
unixes, but I have not checked.

pr_addr() has a buffer overflow which makes it possible to execute arbitrary
code. You do need a local account, unless you know someone on the system is
always doing a ping -v somehost, in which case it may be done remotely.

Here is the code in question:

/*
 * pr_addr --
 *      Return an ascii host address as a dotted quad and optionally with
 * a hostname.
 */
char *
pr_addr(l)
        u_long l;
{
        struct hostent *hp;
        static char buf[80];

        if ((options & F_NUMERIC) ||
            !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
                (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
        else
                (void)sprintf(buf, "%s (%s)", hp->h_name,
                    inet_ntoa(*(struct in_addr *)&l));
        return(buf);
}

This function is called when ping is running in -v mode (verbose) and it
receives a non-echo related icmp packet.
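As an added example (not code from the post or from NetKit ping), here is a bounded rewrite of pr_addr() that takes the hostname as a plain string in place of gethostbyaddr()'s hp->h_name so it runs offline, bounds the write with sizeof buf, and reports truncation from the snprintf return value; pr_addr_safe and probe_name are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the NetKit ping source: a bounded rewrite of pr_addr().
 * The hostname is a plain string (standing in for hp->h_name from
 * gethostbyaddr()) so it runs offline; addr is 4 bytes in network order. */
#define PR_ADDR_BUFSZ 80   /* same size as ping's static buf[80] */

/* Bounded formatter: never writes past buf, and reports truncation so the
 * caller can mark a cut-off hostname instead of displaying it as complete. */
const char *pr_addr_safe(const char *name, const unsigned char addr[4],
                         int *truncated)
{
    static char buf[PR_ADDR_BUFSZ];
    char quad[16];
    int n;

    snprintf(quad, sizeof quad, "%u.%u.%u.%u", (unsigned)addr[0],
             (unsigned)addr[1], (unsigned)addr[2], (unsigned)addr[3]);
    if (name == NULL)
        n = snprintf(buf, sizeof buf, "%s", quad);
    else
        n = snprintf(buf, sizeof buf, "%s (%s)", name, quad);
    /* snprintf returns the length it wanted; >= sizeof buf means it was cut. */
    *truncated = (n < 0 || (size_t)n >= sizeof buf);
    return buf;
}

/* Demo helper: format a constructed hostname of `len` 'A's for 127.0.0.1 and
 * return the resulting string length; *truncated receives the flag. */
size_t probe_name(size_t len, int *truncated)
{
    static const unsigned char lo[4] = {127, 0, 0, 1};
    char name[512];

    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return strlen(pr_addr_safe(name, lo, truncated));
}

int main(void)
{
    int t;
    size_t out = probe_name(200, &t); /* far longer than buf, as in the post */
    printf("len=%zu truncated=%d\n", out, t);
    return 0;
}
```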

Something like this should take care of it, I would guess:

998c998
<               (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
---
              (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr
*)&l));1000c1000
<               (void)sprintf(buf, "%s (%s)", hp->h_name,
---
              (void)snprintf(buf, 75, "%s (%s)", hp->h_name,
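Review bot: the replacement at 998 hardcodes 75 as the snprintf size while the destination is declared `static char buf[80]`; use `sizeof buf` so the bound cannot drift from the declaration if the buffer is ever resized, e.g. `(void)snprintf(buf, sizeof buf, "%s", inet_ntoa(*(struct in_addr *)&l));`. As shown here the replacement lines also lack the `> ` prefix an ed-style diff puts on inserted text, so the hunk will not apply as posted.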
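Review bot: at 1000 `hp->h_name` is the one input that comes from outside the program (the resolver's answer), and snprintf with a fixed size silently drops whatever does not fit, so the displayed name can be a cut-off version of that answer with nothing to signal it; check the return value (a result of at least the buffer size means truncation) and mark the output, and use `sizeof buf` rather than 75 here too. The continuation line at 1001 carrying the inet_ntoa() argument is untouched by the hunk, which is fine since the replacement keeps the trailing comma.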



Brian Mitchell                                          brian () saturn net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman


