Vulnerability Development mailing list archives
Re: Local root through vulnerability in ping on linux.
From: Vitaly McLain <twistah () DATASURGE NET>
Date: Sun, 20 Aug 2000 22:17:27 -0500
This looks to be distro-dependent, so far. Check this out:

bizkit:~$ uname -a
Linux bizkit 2.2.13 #61 Wed Oct 20 19:40:54 CDT 1999 i586 unknown
bizkit:~$ ls -al `which ping`
-r-sr-xr-x 1 root bin 14484 Oct 22 1999 /bin/ping*
bizkit:~$ id
uid=1000(vitaly) gid=100(users) groups=100(users)
bizkit:~$ cat /etc/slackware-version
7.0.0
bizkit:~$

So that's my operating environment. Now let's try to make it core...

bizkit:~$ ping -c 1 -s 100 localhost
PING localhost (127.0.0.1): 100 data bytes

--- localhost ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
bizkit:~$

[ I block all ICMP_ECHO ]

bizkit:~$ ping -c 1 -s 65689 localhost
ping: packet size too large.
bizkit:~$
bizkit:~$ ping -c 1 -s 65690 localhost
ping: packet size too large.
bizkit:~$

No results there, and so it doesn't look like a normal user could take advantage of it. What about root?

bizkit:~# id ; whoami
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root
bizkit:~# ping -c 1 -s 65690 localhost
ping: packet size too large.
bizkit:~# ping -c 1 -s 65689 localhost
ping: packet size too large.
bizkit:~#

Nope. So unless this bug was introduced after kernel 2.2.13, I'll put my money on "libc bug", but I could be wrong. Do different distros use different versions of ping?

(Note: Tests as regular user on a Debian potato box also had no segfault, etc)

Vitaly McLain
twistah () datasurge net