Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: Daniel Jacobowitz <dmj+ () ANDREW CMU EDU>
Date: Mon, 21 Aug 2000 12:24:41 -0700

On Mon, Aug 21, 2000 at 10:26:34AM +0200, Michal Zalewski wrote:
> On Sun, 20 Aug 2000, Goense, Jacob wrote:
>
> > [root@localhost /root]# ping -c 1 -s 65690 localhost
> > WARNING: packet size 65690 is too large. Maximum is 65507
> > Segmentation fault (core dumped)
>
> Oh yes, will work if you're trying to gain root having root privileges
> already ;)
>
> What about 'traceroute -g 127.0.0.1 127.0.0.1' and other combinations
> (depending on DNS entry and IP number representation, you can cause many
> interesting memory dumps or some SEGVs on RH 6.2 Linux box and many other
> boxes as well)?

This came up on security-audit about a month ago.  It's a
multiple-free() issue.  To the best of my knowledge, and I spent about
a solid week trying, there's no way to exploit it, at least not on
Intel or PowerPC.  I can't get quite enough user data in there.

Check the security-audit archive (is there one, actually?) for more
about this.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
