Vulnerability Development mailing list archives

Re: Local root through vulnerability in ping on linux.


From: Martin MaD Douda <martin () DOUDA NET>
Date: Mon, 21 Aug 2000 17:36:55 +0200

I've looked at RedHat 6.2 ping's behavior:

$ ping -c 1 -s 65690 localhost
Error: packet size 65690 is too large. Maximum is 65507
/* so no security issue here - does not segfault as regular user - it
was reported */

# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
/* There is some error somewhere - it was reported */

# strace ping -c 1 -s 65690 localhost

execve("/bin/ping", ["ping", "-c", "1", "-s", "65690", "localhost"], [/* 22 vars */]) = 0

[snip]

write(2, "WARNING: packet size 65690 is to"..., 58WARNING: packet size 65690 is too large. Maximum is 65507
) = 58
brk(0x8070000)                          = 0x8070000
getpid()                                = 19319
fstat64(0x1, 0xbffff1d4)                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

/* Nothing really interesting & surprising from strace, let's go on... */

# ltrace ping -c 1 -s 65690 localhost

__libc_start_main(0x08048e34, 6, 0xbffffaf4, 0x08048a1c, 0x0804b0bc <unfinished ...>

[snip]

perror("ping: sendto")                            = <void>
ping: sendto: No buffer space available
printf("ping: wrote %s %d chars, ret=%d\n", 
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 65698, -1) = 33


recvfrom(3, 0x0805e1a8, 65826, 0, 0xbffffa24 <unfinished ...>
--- SIGINT (Interrupt) ---
/* here it was waiting for Ctrl-C or timeout */


sigaction(14, 0xbffff5e4, 0, 12, 65826)           = 0
_IO_putc('\n', 0x4011f980)                        = 10
fflush(0x4011f980PING  (127.0.0.1) from 127.0.0.1 : 65690(65718) bytes of data.
ping: wrote  65698 chars, ret=-1

)                                = 0
printf("--- %s ping statistics ---\n", 
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"...) = 25
printf("%ld packets transmitted, ", 1)            = 23
printf("%ld packets received, ", 0)               = 20
printf("%d%% packet loss", 100)                   = 16
_IO_putc('\n', 0x4011f980)                        = 10
exit(1)                                           = <void>
__deregister_frame_info(0x0804d00c, 0xbffff660, 0x0804b0d1, 0x401211ec, 0xbffff674) = 0x0804d1b4
---  ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
+++ exited (status 1) +++

Ping does not fail when ltraced. It correctly sends the packet (and this
packet does not return, IMHO due to ICMP packet size limits).
I think the kernel is not suspicious anymore.
And it is either a ping or libc bug, not a security issue.


My system is RedHat 6.2 with 2.4.0-test7-pre3+reiserfs. The kernel is the only
(relevant) thing modified from the original RH6.2.

glibc is 2.1.3-15
iputils (where ping lives) is 20000121-2 - looks like some development
version? Sounds like a suspicious development version?


                                        Martin


--------------------------------------------------------------------------------
                        Martin "MaD" Douda
WEB:http://martin.douda.net/                 EMAIL:martin () douda net
SMS:mad () gate mobil cz (up to 160 characters) PHONE:+420603752779
PGP:ID=0x6FE43023 Fingerprint:E495 11DA EF6E 0DD6 965A 54F3 888E CC9E 6FE4 3023
--------------------------------------------------------------------------------
If the automobile had followed the same development cycle as the computer, a
Rolls-Royce today would cost $100, get a million miles to the gallon, and
explode once a year, killing everyone inside.

