Bugtraq mailing list archives
Re: TracerouteNG - never ending story
From: Thomas Biege <thomas () suse de>
Date: Wed, 4 Dec 2002 11:22:20 +0100 (CET)
> Hi everyone,

Hi.

> I want to provide some additional information about the recently
> discovered traceroute-ng flaw. I decided to disclose the details right
> now because I do not believe that the flaw is easily exploitable.
>
> 1) The vulnerability.
>
> The patch provided by vendors like SuSE is not sufficient. It only
> closed one of at least 3 different holes.

Ok, let's see...

> Hole #1 : (closed in the recent patch)
> --------------------------------------

As you already said: It's fixed.

thomas@Wintermute:~> /usr/sbin/traceroute -P -q 1 -n $(perl -e 'print"0"x13000')127.0.0.1
traceroute to 000000000000000000000000000000000000000000000000000000000000000 (87.0.0.1), 30 hops max, 40 byte packets
 1  172.16.0.1  1 ms
 2  145.253.1.203  21 ms
 3  145.253.16.65  29 ms
 4  145.254.12.13  38 ms
 5  145.254.12.53  46 ms
thomas@Wintermute:~>

> Hole #2 :
> ---------
>
> (gdb) r -P -q 1 -n -S -999999 -m 0 localhost

It's fixed now.

> Hole #3:
> --------
>
> Just run with the following arguments:
>
> (gdb) r -P -q 999 -n localhost

Does not seem to work.

thomas@Wintermute:~> /usr/sbin/traceroute -P -q 999 -n localhost
nprobes must be >0 and <= 256
thomas@Wintermute:~>

> So one can overwrite consecutive memory blocks of type
>
> struct {
>         u_long dport;               /* check for matching dport */
>         u_char ttl;                 /* ttl we sent it to */
>         u_char type;                /* icmp response type */
>         struct timeval out;         /* time packet left */
>         struct timeval rtn;         /* time packet arrived */
>         struct sockaddr_in from;    /* whom from */
> } spray
>
> starting at the address of 'spray' (which is again located in the heap)
> with the values stored in out, dport, ttl. So far I looked at this,
> nothing really sensible can be overwritten this way. Two candidates are:
>
> [a] the socket descriptor s, which is later used by FD_SET (instant
> memory writer... :-)

The only FD_SET() I found:

        FD_SET(sock, &fds);

Socket s occurs here:

        s = socket(AF_INET, SOCK_RAW, pe->p_proto)   // ICMP socket

and here:

        s = socket(hp->h_addrtype, SOCK_STREAM, 0)

So, can you be more precise on this?

> - (un)fortunately the system time is stored in s by overflowing the
> spray array :-)

?

> Summary
> -------
>
> There are still vulnerabilities in the traceroute-ng package which may
> lead to a local root compromise, depending on the actual OS it is
> running on.

traceroute-nanog drops root privileges right after allocating the raw IP
and the raw ICMP socket. So, the attacker does not get root privileges.

> Anyway, in my opinion the code of traceroute-ng breaks with many
> fundamental secure coding practices; it is hard to believe that such
> crap has been included in major distributions carrying the suid bit.

It uses setuid() and isn't shipped anymore since 8.1.

---

And now the things Carl Livitt <carl () learningshophull co uk> found.

>         while ((n = read(s, buf, sizeof(buf))) > 0) {
>                 strcpy((char *)&reply[count],(char *)buf);
>                 count += n;
>         }

This one is already fixed.

>         strncpy(tmp4,i,(j-i));   // OVERFLOW
>         tmp4[j-i] = '\0';

This buffer overflow was already found by Sebastian Krahmer
<krahmer () suse de>. The fix is included in the upcoming traceroute-nanog
security update.

Bye,
        Thomas
--
Thomas Biege <thomas () suse de>
SuSE Linux AG, Deutschherrnstr. 15-19, 90429 Nuernberg
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--
Over thinking, Over analyzing, separates the body from the mind.
        - Maynard James Keenan
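The thread above touches three defect patterns (an unbounded -q / nprobes index into the spray array, a read()/strcpy() accumulation loop into a reply buffer, and an unchecked strncpy(tmp4, i, j-i)) plus the setuid() privilege drop that limits their impact. The C below is an added example written for this page, not code from the original posts or from traceroute-nanog; it shows hardened counterparts of each pattern. The 256 bound comes from the "nprobes must be >0 and <= 256" message quoted above; the buffer sizes REPLY_SIZE and TMP4_SIZE and all function names are assumptions chosen for the illustration, not the real program's.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXPROBES  256   /* bound taken from the quoted "nprobes must be >0 and <= 256" */
#define REPLY_SIZE 1024  /* assumed capacity of the reply buffer */
#define TMP4_SIZE  64    /* assumed capacity of tmp4 */

/* -q handling: accept only 1..MAXPROBES, and only a fully numeric argument.
   "999", "0", "-999999", "12abc" and "" are all rejected. Returns 0 or -1. */
int parse_nprobes(const char *arg, int *out)
{
    char *end;
    long v;
    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    if (v <= 0 || v > MAXPROBES)
        return -1;
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the parsed value, or -1 when the argument is rejected. */
int nprobes_of(const char *arg)
{
    int n;
    return parse_nprobes(arg, &n) == 0 ? n : -1;
}

/* Replacement for the read()/strcpy() loop: copy exactly the n bytes read
   (read() never NUL-terminates) and refuse once the buffer would overflow. */
int append_reply(char *reply, size_t reply_cap, size_t *count,
                 const char *buf, size_t n)
{
    if (n > reply_cap || *count > reply_cap - n)
        return -1;
    memcpy(reply + *count, buf, n);
    *count += n;
    return 0;
}

/* Simulate nchunks reads of chunk bytes each into a reply buffer of cap bytes
   using constructed data; returns how many chunks fit before the bound hit. */
int demo_reply_loop(size_t cap, size_t chunk, size_t nchunks)
{
    char *reply = malloc(cap), *buf = malloc(chunk);
    size_t count = 0, i;
    int accepted = 0;
    if (reply == NULL || buf == NULL) { free(reply); free(buf); return -1; }
    memset(buf, 'A', chunk);            /* constructed "reply" bytes */
    for (i = 0; i < nchunks; i++) {
        if (append_reply(reply, cap, &count, buf, chunk) != 0)
            break;
        accepted++;
    }
    free(reply);
    free(buf);
    return accepted;
}

/* Replacement for strncpy(tmp4, i, j-i); tmp4[j-i] = '\0': copy the token
   [i, j) only when it fits together with its terminator. Returns 0 or -1. */
int copy_token(char *dst, size_t dst_cap, const char *i, const char *j)
{
    size_t len;
    if (j < i)
        return -1;
    len = (size_t)(j - i);
    if (len >= dst_cap)                 /* need room for the trailing '\0' */
        return -1;
    memcpy(dst, i, len);
    dst[len] = '\0';
    return 0;
}

/* Wrapper over a tmp4-sized buffer so the result can be checked by value. */
int copy_token_into(size_t cap, const char *tok)
{
    static char tmp4[TMP4_SIZE];
    if (cap > sizeof(tmp4))
        return -1;
    return copy_token(tmp4, cap, tok, tok + strlen(tok));
}

/* Privilege drop after the raw sockets are open (the order the thread
   describes): check setuid()'s return value and verify the effective uid. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    if (setuid(uid) != 0)
        return -1;
    return (geteuid() == uid && getuid() == uid) ? 0 : -1;
}

int main(void)
{
    printf("-q 999 -> %d, -q 256 -> %d\n", nprobes_of("999"), nprobes_of("256"));
    printf("300-byte chunks into %d bytes: %d accepted\n",
           REPLY_SIZE, demo_reply_loop(REPLY_SIZE, 300, 5));
    printf("7-char token into 8 bytes: %d, 8-char token: %d\n",
           copy_token_into(8, "1234567"), copy_token_into(8, "12345678"));
    printf("drop_privileges: %d\n", drop_privileges());
    return 0;
}
```

The original loop has two separate defects that the bounded version removes: strcpy() copies up to a NUL byte that read() never promises to deliver, and neither the strcpy() nor the `count += n` consults how much room remains in reply. Likewise the strncpy() variant fails because the length `j-i` comes from input and is never compared against the size of tmp4 before the terminator is written one past it.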