Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: Vitaly McLain <twistah () DATASURGE NET>
Date: Sun, 20 Aug 2000 22:17:27 -0500

This looks to be distro-dependent, so far.

Check this out:

bizkit:~$ uname -a
Linux bizkit 2.2.13 #61 Wed Oct 20 19:40:54 CDT 1999 i586 unknown
bizkit:~$ ls -al `which ping`
-r-sr-xr-x   1 root     bin         14484 Oct 22  1999 /bin/ping*
bizkit:~$ id
uid=1000(vitaly) gid=100(users) groups=100(users)
bizkit:~$ cat /etc/slackware-version
7.0.0
bizkit:~$

So that's my operating environment. Now let's try to make it core...

bizkit:~$ ping -c 1 -s 100 localhost
PING localhost (127.0.0.1): 100 data bytes

--- localhost ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
bizkit:~$

[ I block all ICMP_ECHO ]

bizkit:~$ ping -c 1 -s 65689 localhost
ping: packet size too large.
bizkit:~$

bizkit:~$ ping -c 1 -s 65690 localhost
ping: packet size too large.
bizkit:~$

No results there, and so it doesn't look like a normal user could take
advantage of it.  What about root?

bizkit:~# id ; whoami
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root
bizkit:~# ping -c 1 -s 65690 localhost
ping: packet size too large.
bizkit:~# ping -c 1 -s 65689 localhost
ping: packet size too large.
bizkit:~#

Nope. So unless this bug was introduced after kernel 2.2.13, I'll put my
money on "libc bug", but I could be wrong. Do different distros use
different versions of ping?

(Note: Tests as regular user on a Debian potato box also had no segfault,
etc.)

Vitaly McLain
twistah () datasurge net
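The sizes tried above (65689 and 65690 against a "packet size too large" rejection) probe the check a ping binary makes on the -s argument before copying the payload into its packet buffer. The program below is an added illustration of what that check has to look like; it is not code from the original post and not netkit's or any distribution's ping source. The buffer layout, the 65467-byte payload limit (65535 minus a 60-byte IPv4 header minus an 8-byte ICMP echo header) and the function names are assumptions made for the example.

```c
/* Added illustration (not netkit's or any distribution's ping source):
 * validating a ping -s payload size against the real packet buffer.
 * Buffer size, constants and function names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_MAXPACKET   65535   /* largest IPv4 datagram (RFC 791) */
#define IP_HDR_MAX     60      /* IPv4 header with maximal options */
#define ICMP_ECHO_HDR  8       /* type, code, checksum, id, sequence */

/* Largest echo payload that still fits in one maximal IPv4 datagram:
 * 65535 - 60 - 8 = 65467 (an assumed limit for this example). */
#define MAX_DATALEN (IP_MAXPACKET - IP_HDR_MAX - ICMP_ECHO_HDR)

/* Outgoing packet: ICMP header followed by the payload. */
static unsigned char outpack[ICMP_ECHO_HDR + MAX_DATALEN];

/* Parse the -s argument. Returns the payload length, or -1 with errno
 * set (EINVAL for garbage, EMSGSIZE for "packet size too large"). */
long parse_datalen(const char *arg)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || v < 0) {
        errno = EINVAL;
        return -1;
    }
    /* Compare header + payload against the capacity of the buffer the
     * payload will actually be copied into, not against a separate
     * constant that may be larger than that buffer. */
    if ((unsigned long)v + ICMP_ECHO_HDR > sizeof outpack) {
        errno = EMSGSIZE;
        return -1;
    }
    return v;
}

/* Fill outpack with an echo request of datalen payload bytes.
 * Returns the total ICMP length, or -1 if it would not fit.
 * (Checksum is left zero; it is not the point of the example.) */
long build_echo(long datalen, unsigned short id, unsigned short seq)
{
    long i;

    if (datalen < 0 || (unsigned long)datalen + ICMP_ECHO_HDR > sizeof outpack)
        return -1;
    memset(outpack, 0, ICMP_ECHO_HDR);
    outpack[0] = 8;                       /* ICMP_ECHO */
    outpack[4] = (unsigned char)(id >> 8);
    outpack[5] = (unsigned char)(id & 0xff);
    outpack[6] = (unsigned char)(seq >> 8);
    outpack[7] = (unsigned char)(seq & 0xff);
    for (i = 0; i < datalen; i++)         /* recognisable data pattern */
        outpack[ICMP_ECHO_HDR + i] = (unsigned char)i;
    return ICMP_ECHO_HDR + datalen;
}

int main(void)
{
    /* Sizes from the post plus the boundary of the assumed buffer. */
    const char *sizes[] = { "100", "65467", "65468", "65689", "65690" };
    size_t k;

    for (k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        long n = parse_datalen(sizes[k]);
        if (n < 0)
            printf("-s %s: %s\n", sizes[k],
                   errno == EMSGSIZE ? "packet size too large" : "invalid size");
        else
            printf("-s %s: ok, %ld ICMP bytes\n", sizes[k], build_echo(n, 1, 1));
    }
    return 0;
}
```

The point of the check is that the limit is derived from `sizeof outpack` and includes the header bytes that share the buffer with the payload; a size test written against a separate constant can drift away from the buffer it is supposed to protect, which is exactly the situation a `-s` value just past the limit is meant to expose. Rejecting 65689 and 65690 is the easy case; the boundary values 65467 and 65468 are the ones worth trying on any ping binary under test.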

