Bugtraq mailing list archives
ping
From: brian () saturn net (Brian Mitchell)
Date: Sun, 21 Jul 1996 16:08:28 -0400
There is a (somewhat difficult to exploit) security hole in the ping program (NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based unixes, but I have not checked. pr_addr() has a buffer overflow which makes it possible to execute arbitrary code. You do need a local account, unless you know someone on the system is always doing a ping -v somehost, in which case it may be done remotely.

Here is the code in question:

/*
 * pr_addr --
 *	Return an ascii host address as a dotted quad and optionally with
 *	a hostname.
 */
char *
pr_addr(l)
	u_long l;
{
	struct hostent *hp;
	static char buf[80];

	if ((options & F_NUMERIC) ||
	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
	else
		(void)sprintf(buf, "%s (%s)", hp->h_name,
		    inet_ntoa(*(struct in_addr *)&l));
	return(buf);
}

This function is called when ping is running in -v mode (verbose) and it receives a non-echo related icmp packet. Something like this should take care of it, I would guess:

998c998 < (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); ---
(void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr
*)&l));1000c1000 < (void)sprintf(buf, "%s (%s)", hp->h_name, ---
(void)snprintf(buf, 75, "%s (%s)", hp->h_name,
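Review bot: both hunks hard-code the bound as 75 while buf is declared as 80 bytes; writing `sizeof buf` instead keeps the limit tied to the declaration (snprintf already reserves room for the terminator), and the unexplained 5-byte gap is the kind of constant that drifts when someone later resizes the buffer. The `1000c1000` hunk replaces only the first line of the two-line sprintf call, so the continuation `inet_ntoa(*(struct in_addr *)&l));` carries over unchanged, which is fine for an ed-style diff but worth confirming compiles. Also note that `(void)snprintf` discards the return value, so an oversized h_name from the resolver is now truncated silently; that is safe, but checking for a return value `>= sizeof buf` would let ping log that the name was cut off.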
Brian Mitchell brian () saturn net "I never give them hell. I just tell the truth and they think it's hell" - H. Truman
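As an added illustration of the fix being proposed (this is not code from the post or from NetKit-B), the following stand-alone C program is a bounded rewrite of pr_addr() with the same 80-byte static buffer. The resolver call is replaced by a `name` parameter standing in for hp->h_name (NULL plays the role of F_NUMERIC or a failed lookup), and the dotted quad is formatted locally so the program runs offline; the function names, the `truncated` out-parameter and the 200-character "hostname" are constructed for this example. It goes one step beyond the patch by using `sizeof buf` as the bound and reporting truncation through snprintf's return value rather than discarding it.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Same size as the static buf[80] in the ping pr_addr() under discussion. */
#define PR_ADDR_BUF 80

/* Render a host-order IPv4 address as a dotted quad (no lookups, runs offline). */
static void dotted_quad(uint32_t a, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(a >> 24) & 0xff, (unsigned)(a >> 16) & 0xff,
             (unsigned)(a >> 8) & 0xff, (unsigned)a & 0xff);
}

/*
 * Bounded replacement for pr_addr() (hypothetical name, not ping's own).
 * `name` stands in for hp->h_name; NULL means numeric-only output, as with
 * F_NUMERIC or a failed gethostbyaddr(). The bound is sizeof buf rather than a
 * hand-written 75, so it cannot drift if the buffer is ever resized. The
 * snprintf return value says whether the resolver-supplied name was cut off;
 * *truncated is set so the caller can log that case instead of hiding it.
 */
const char *pr_addr_safe(const char *name, uint32_t addr, int *truncated)
{
    static char buf[PR_ADDR_BUF];
    char quad[16];
    int n;

    dotted_quad(addr, quad);
    if (name == NULL)
        n = snprintf(buf, sizeof buf, "%s", quad);
    else
        n = snprintf(buf, sizeof buf, "%s (%s)", name, quad);

    /* n >= sizeof buf means the output did not fit and was truncated. */
    if (truncated != NULL)
        *truncated = (n < 0 || (size_t)n >= sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed input: a 200-character "hostname", far longer than buf. */
    char hostile[200];
    int cut = 0;

    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';

    printf("%s\n", pr_addr_safe("host.example", 0x7f000001u, NULL));
    printf("%s\n", pr_addr_safe(NULL, 0xc0a80101u, NULL));
    printf("%s\n", pr_addr_safe(hostile, 0x0a000001u, &cut));
    printf("truncated: %d\n", cut);
    return 0;
}
```

With the original sprintf the third call would write past the 80-byte buffer; here the output stops at 79 characters and `cut` is set, which is the condition a hardened ping would want to count or log.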