Re: TracerouteNG - never ending story

[Thomas Biege <thomas () suse de>]

> Hi everyone,

Hi.

> I want to provide some additional information about the recently
> discovered traceroute-ng flaw. I decided to disclose to details right
> now because I do not believe that the flaw is easily exploitable.
>
>
> 1) The vulnerablilty.
>
> The patch provided by vendors like SuSE is not sufficient. It only
> closed one of at least 3 different holes.

Ok, let's see...

> Hole #1 : (closed in the recent patch)
> --------------------------------------

As you already said: It's fixed.

thomas@Wintermute:~> /usr/sbin/traceroute  -P -q 1 -n $(perl -e 'print"0"x13000')127.0.0.1
traceroute to 000000000000000000000000000000000000000000000000000000000000000  (87.0.0.1), 30 hops max, 40 byte packets
 1  172.16.0.1  1 ms
 2  145.253.1.203  21 ms
 3  145.253.16.65  29 ms
 4  145.254.12.13  38 ms
 5  145.254.12.53  46 ms
thomas@Wintermute:~>


> Hole #2 :
> ---------
>
> (gdb) r -P -q 1 -n -S -999999 -m 0 localhost

It's fixed now.


> Hole #3:
> --------
>
> Just run with the following arguments:
>
> (gdb) r -P -q 999 -n localhost

Does not seem to work.

thomas@Wintermute:~> /usr/sbin/traceroute -P -q 999 -n localhost
nprobes must be >0 and <= 256
thomas@Wintermute:~>

> So one can overwrite consecutive memory blocks of type
>
> struct {
>         u_long  dport;          /* check for matching dport */
>         u_char  ttl;            /* ttl we sent it to */
>         u_char  type;           /* icmp response type */
>         struct  timeval out;    /* time packet left */
>         struct  timeval rtn;    /* time packet arrived */
>         struct  sockaddr_in from; /* whom from */
> } spray
>
> starting at the address of 'spray' (which is again located in the heap)
> with the values stored in out, dport, ttl. So far I looked at this,
> nothing really sensefull can be overwritten this way. Two candidates are:
>
> [a] the socket descriptor s, which is later used by FD_SET (instant
> memory writer... :-)

The only FD_SET() I found:
        FD_SET(sock, &fds);

Socket s occurs here:
        s = socket(AF_INET, SOCK_RAW, pe->p_proto)      // ICMP socket
and here:
        s = socket(hp->h_addrtype, SOCK_STREAM, 0)

So, can you be more precise on this?


> - (un)fortunately the system time is stored in s by
> overflowing the spray array :-)

?


> Summary
> -------
>
> The are still vulnerabilities in the traceroute-ng package which may
> lead to a local root compromise, depending on the actual OS running on.

traceroute-nanog drops root privileges right after allocating the raw ip-
and the raw icmp-socket. So, the attacker does not get root privileges.

> Anyway, in my opinion the code of traceroute-ng breaks with many
> fundamental secure coding practices, it is hard to believe that such
> crap has been included on major distributions carrying the suid bit.

It uses setuid() and isn't shipped anymore since 8.1.

---


And now the things Carl Livitt <carl () learningshophull co uk> founds.

> while ((n = read(s, buf, sizeof(buf))) > 0) {
>            strcpy((char *)&reply[count],(char *)buf);
>            count += n;
>        }

This one is already fixed.

> strncpy(tmp4,i,(j-i)); // OVERFLOW
>                 tmp4[j-i] = '\0';

This buffer overflow was already found by Sebastian Krahmer
<krahmer () suse de>. The fix is included in the upcoming traceroute-nanog
security update.

Bye,
     Thomas
-- 
  Thomas Biege <thomas () suse de>
  SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg
  Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
  Key fingerprint = 51 AD B9 C7 34 FC F2 54  01 4A 1C D4 66 64 09 83
-- 

  Over thinking, Over analyzing, seperates the body from the mind.
                                               - Maynard James Keenan