Bugtraq mailing list archives

Re: ping


From: marekm () i17linuxb ists pwr wroc pl (Marek Michalkiewicz)
Date: Tue, 23 Jul 1996 01:30:36 +0200


Brian Mitchell:
There is a (somewhat difficult to exploit) security hole in the ping program
(NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based
unixes, but I have not checked.

[snip]

Something like this should take care of it, I would guess:

998c998
<               (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
---
              (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr
*)&l));1000c1000
<               (void)sprintf(buf, "%s (%s)", hp->h_name,
---
              (void)snprintf(buf, 75, "%s (%s)", hp->h_name,
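Review bot: both replacement lines hard-code the bound as a literal 75 instead of sizeof(buf), so the limit silently diverges if buf is ever redeclared; prefer `(void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,`. The 1000c1000 hunk also shows only the first line of a multi-line statement (it ends in `hp->h_name,`), so the unchanged continuation line with the address argument is not visible here and the replacement should be checked against the whole statement. As pasted, the replacement lines are missing their `>` prefixes, so this will not apply with patch(1) without fixing them.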

Well, not all systems have snprintf :-(.  (It is in reasonably
current versions of *BSD and Linux libc, but not on many older
systems.)

Anyway, just wondering why the standard version of ping doesn't
do setuid(getuid()) right after socket(AF_INET, SOCK_RAW, ...).
No other code should need root privileges.  The version of ping
supplied with Debian Linux does this, with the added bonus that
ps shows who is running ping (instead of just showing "root").

While we are at ping bugs: at least some versions allow flooding
the network using the -l option as ordinary luser (just specify
a large number of packets to send quickly).  Again, Debian Linux
doesn't have this problem, but the original ping-5.9 does.

Regards,

Marek
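The privilege-dropping order described in the message above, as an added example that is not code from the post, from NetKit ping or from the Debian version: only the raw-socket call needs root, so the program calls setuid(getuid()) immediately afterwards and verifies that both the real and effective uid now belong to the invoking user. It also shows the bounded formatting from the patch with the limit taken from sizeof(buf) rather than a literal 75, and a hypothetical cap on the -l preload count for unprivileged users. All function names, the MAX_UNPRIV_PRELOAD value and the sample inputs are assumptions for illustration; run as a non-root user the socket() call fails with EPERM and the drop is a no-op, which the code reports rather than treating as an error.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Only this call needs root (or CAP_NET_RAW). Returns the fd, or -1
 * with errno set; a non-root caller typically sees EPERM. */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Drop root for good. With an effective uid of 0, setuid() sets the
 * real, effective and saved uids, so root cannot be regained later
 * (and ps shows the real user, as the post notes). As an unprivileged
 * caller it is a harmless no-op. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    /* Never trust the call alone: confirm both ids match the caller. */
    if (getuid() != real || geteuid() != real)
        return -1;
    return 0;
}

int still_root(void)
{
    return geteuid() == 0;
}

/* Bounded version of the formatting the patch fixes. Callers pass
 * sizeof(buf), which keeps the limit tied to the declaration rather
 * than a literal 75. Returns snprintf's count of characters that would
 * have been written, so callers can detect truncation. */
int format_reply_host(char *buf, size_t buflen,
                      const char *name, const char *addr)
{
    if (name != NULL)
        return snprintf(buf, buflen, "%s (%s)", name, addr);
    return snprintf(buf, buflen, "%s", addr);
}

/* Hypothetical policy for the -l (preload) option mentioned in the
 * post: unprivileged users may send at most MAX_UNPRIV_PRELOAD packets
 * back to back; root is not capped. Returns 1 if allowed, 0 if not. */
#define MAX_UNPRIV_PRELOAD 3   /* assumed limit, not taken from the page */
int preload_allowed(int preload, uid_t uid)
{
    if (preload < 0)
        return 0;
    return uid == 0 || preload <= MAX_UNPRIV_PRELOAD;
}

int main(void)
{
    int fd = open_icmp_socket();
    if (fd < 0)
        fprintf(stderr, "socket(SOCK_RAW): %s\n", strerror(errno));

    /* Drop root immediately, before any option parsing, name lookup
     * or output formatting runs with privilege. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "setuid: %s\n", strerror(errno));
        return 1;
    }

    /* Constructed input: a hostname far longer than the 75-byte buffer. */
    char buf[75];
    char longname[200];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int needed = format_reply_host(buf, sizeof buf, longname, "10.0.0.1");

    printf("still root: %d; needed %d bytes, kept %zu\n",
           still_root(), needed, strlen(buf));
    printf("preload 100 as uid %u allowed: %d\n",
           (unsigned)getuid(), preload_allowed(100, getuid()));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The check after setuid() matters on systems where setuid() can fail for a privileged process (for example when a per-user process limit is hit); a ping that ignored the return value would keep running as root.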


