Bugtraq mailing list archives

Format String bug in TrACESroute 6.0 GOLD


From: DownBload <downbload () hotmail com>
Date: 6 Jun 2002 20:13:39 -0000



           DownBload Security Research Lab Advisory
--------------------------------------------------------------------
Advisory name: format string bug in TrACESroute 
Advisory number: 4
Application: TrACESroute (traceroute program)
Version affected: 6.0 GOLD, and probably previous versions      
Date: 04.6.2002 
Impact: local user can gain root access 
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: downbload () hotmail com


Overview
--------
TrACESroute is just another traceroute program. TrACESroute uses raw sockets,
so it must run under the root account, and because of that the traceroute
binary usually has the setuid bit set.


Problem
-------
TrACESroute is vulnerable to a format string bug. This piece of code causes
the bug:
...
Fprintf(stdout,terminator);
...


Example
-------
Test this format string bug with:
./traceroute -T %s%s%s localhost


Solution
--------
If your users don't need traceroute, remove the setuid bit from it, or:
Replace this: 
...
Fprintf(stdout,terminator);
...
With this:
...
Fprintf(stdout,"%s",terminator);
...
terminator is a variable which holds the line-terminator characters; it can
be set with the -T option, so its contents are user-controlled. Fprintf is
just a macro: #define Fprintf (void)fprintf.
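As an added illustration (not code from TrACESroute or the advisory), the
vulnerable call and the fixed call side by side, plus two hypothetical helpers:
render_terminator_safe shows that with a constant "%s" format the -T value is
printed literally, and count_conversions is an audit check that flags
conversion specifications in a string that is about to be used as a format.

```c
#include <stdio.h>
#include <string.h>

/* The advisory states Fprintf is just this macro in TrACESroute. */
#define Fprintf (void)fprintf

/* Vulnerable form from the advisory: the -T value *is* the format string,
 * so any conversion specification in it is interpreted by fprintf. */
void print_terminator_unsafe(FILE *out, const char *terminator)
{
    Fprintf(out, terminator);   /* gcc -Wformat-security warns here */
}

/* Fixed form from the advisory: the format is a constant and the
 * user-controlled value is passed only as data for the %s conversion. */
void print_terminator_safe(FILE *out, const char *terminator)
{
    Fprintf(out, "%s", terminator);
}

/* Same fix, rendered into a buffer so the result can be inspected.
 * Hypothetical helper; returns the number of characters written. */
int render_terminator_safe(char *buf, size_t n, const char *terminator)
{
    return snprintf(buf, n, "%s", terminator);
}

/* Hypothetical audit helper: count conversion specifications in a string.
 * A non-zero count on user input is the warning sign the advisory
 * describes; "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *user_value = "%s%s%s";   /* the advisory's test -T value */
    char buf[64];
    render_terminator_safe(buf, sizeof buf, user_value);
    /* The fixed call prints the six characters literally. */
    printf("rendered: %s (conversions in input: %d)\n",
           buf, count_conversions(user_value));
    return 0;
}
```

Compiling with gcc -Wformat-security (or -Wformat=2) reports the unsafe call and is silent on the fixed one, which is a quick way to audit a tree for the same pattern.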


More problems
-------------
There are probably more bugs in TrACESroute. I saw lots of strcpy,
sprintf etc., but I don't have time to check them.


Exploit
-------
An exploit will be released soon (I hope so :).


Greetz 
------
Greetz goes to #hr.hackers, and to all my real and virtual friends.     
Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.


PS. Sorry for the bad (broken) English.


