Re: Local root through vulnerability in ping on linux.

[Jackson Bloomston <jbloomston () news-press com>]

I only get this error as root on a Redhat 6.2 box... see below:


Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: jaxn
Password:
Last login: Mon Aug 21 08:56:53 on tty1
[jaxn@development jaxn]$ ping -c 1 -s 65690 localhost
Error: packer size 65690 is too large. Maximum is 65507
[jaxn@development jaxn]$ su -
Password:
[root@development /root]# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@development /root]#


Thanks,

Jackson Bloomston
Information Systems
The News-Press
941.335.0502   voice
        941.335.0588   fax

-----Original Message-----
From:   Peter Batenburg [SMTP:petertje () DEEJAYS NL]
Sent:   Monday, August 21, 2000 5:58 AM
To:     VULN-DEV () SECURITYFOCUS COM
Subject:        Re: Local root through vulnerability in ping  on linux.

bash# ping -c 1 -s 65690  localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault
bash# uname -a
Linux pc1 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
bash# cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
bash#

[root@s2 /root]# ping -c 1 -s 65690  localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault
[root@s2 /root]# uname -a
Linux s2 2.2.14 #3 Thu Jan 27 16:06:53 MET 2000 i686 unknown
[root@s2 /root]# cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
[root@s2 /root]#


At 21:45 20-8-00 +0200, you wrote:
> Hello,
> The original post author just sent me the command line he says to get the seg
> fault:
> ping -c 1 -s 65690  localhost
> I have tested on slackware 7 both with root and non root and none get seg
> fault.
>
> On RedHat 6.1 as normal user no seg fault occurs... With root you get seg
> fault
> after warning about packet size too big.
> Looks like his ping command was trojaned or something ;)
> Best Regards,
> Pedro Hugo
>
> Samu wrote:
>
> > On Sat, Aug 19, 2000 at 08:39:35PM +0200, Ralf-Philipp Weinmann wrote:
> > > On Sat, 19 Aug 2000, Gerrie wrote:
> > >
> > > > Again some blackhats have a zeroday exploits in their hands.
> > > >
> > > > It's exploits a bug in the linux kernel by using ping, does someone
> have
> > > > more info?
> > i tried your ping on a debian woody i386 and it doesn't work
> > again: there are two packages with ping for debian
> > one in iputils-ping ( which has ping for ipv6 )
> > one in netkit-ping
> >
> > the ping in iputils-ping packages is more like "redhattish" ( broadcast ?
> > then ping -b .... ARGHHH )  and it gives to user the capability to set ICMP
> > packet size with -s .
> > with the other packages ( a normal ping ) you can't if you aren't root
> > to set your icmp packet size even it's suid root .
> >
> > ( and that to answer to ping flooding as user thread ) .
> >
> > none of the two "ping " give me DOS or kernel bug ( i tried on 2.2.16 and
> > 2.4.0-test4 ) .
> >
> > i can suggest you to rm you old ping and use this one from debian
> >
> > cee ya
> >
> > samuele
> >
> > --
> > Samuele Tonon  <samu () mclink it>
> > Undergraduate Student  of  Computer Science at  University of Bologna,
> Italy
> > System administrator at Computer Science Lab's, University of Bologna,
> Italy
> > Founder & Member of A.A.H.T.
> > UIN 3155609
> >                 Acid -- better living through chemistry.
> >                                Timothy Leary
>
> --
> --------------------------------------------
> Pedro Hugo
> Director of Unix Server Administration
> HighSpeedWeb Support Team
> fractalg () highspeedweb net
> ICQ # 38178251
> http://www.highspeedweb.net
> Genesis II Networks LLC
> --------------------------------------------

Groetjes
Petertje