Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: El Nahual <nahual () S0D SAL ITESM MX>
Date: Sat, 6 Jan 2001 05:44:10 -0900

Well bro there is an easy way to do that ... =) ... reverse DNS maybe? I
remember seeing from another pen-tester (bows to him) a remote OpenBSD
exploit with the format one that yielded root, saw it with my own 2
little eyes. He modified the hosts file.

We played a little with it and realized that in that case since the
offending code was in setproctitle() we could put the shell code in the DNS
to point into our name. Maybe something like that can be done to exploit
this ... I'll play with it a little bit.

El Nahual

On Thu, 4 Jan 2001, Cristi Dumitrescu wrote:

Hi,

A while ago I was studying the source code for this traceroute... I found
this in the inetname function:

...
        static char line[50];
...
        if (cp)
                (void) strcpy(line, cp);
        else {
...

The cp variable holds at that point the hostname for the current host it's
tracing. If the hostname is something like a little bit bigger than 4096+50
chars it will overflow some other variables from the heap. You can easily
check this out by modifying your /etc/hosts, I remember I made it segfault,
though I don't remember exactly how. Anyway, I debugged it and ltraced for a
couple of hours and I doubt an exploit could be done, especially given the
fact that it's a hostname we're overflowing. So, I thought I'd post it here,
maybe someone thinks of a way to actually do something with this.
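The snippet quoted above copies a resolver-supplied hostname into a fixed 50-byte static buffer with no bound. As an added example (not the traceroute source and not code from either poster), the same inetname()-style decision is shown with an explicit length check and a fall-back to the address text when the name does not fit; LINE_LEN, the function names and the sample values are constructed for illustration.

```c
/* Added example, not traceroute code: bounded replacement for the
 * "static char line[50]; strcpy(line, cp);" pattern in inetname(). */
#include <stdio.h>
#include <string.h>

#define LINE_LEN 50            /* mirrors traceroute's static char line[50] */

static char line[LINE_LEN];    /* same fixed display buffer as the original */

/* A hostname "fits" only if it leaves room for the terminating NUL. */
int name_fits(const char *name)
{
    return name != NULL && strlen(name) < LINE_LEN;
}

/* Choose what to display for a hop: the resolved name when it fits,
 * otherwise the dotted address text (a stand-in for inet_ntoa()).
 * Nothing longer than LINE_LEN-1 bytes is ever written to line[]. */
const char *resolve_for_display(const char *resolved, const char *addr_text)
{
    const char *src = name_fits(resolved) ? resolved : addr_text;
    size_t n = strlen(src);
    if (n >= LINE_LEN)        /* addr_text is short, but stay defensive */
        n = LINE_LEN - 1;
    memcpy(line, src, n);
    line[n] = '\0';
    return line;
}

/* Constructed test input: a 4096+50 byte name like the one the post
 * describes, far longer than the 50-byte buffer. */
const char *make_long_name(void)
{
    static char longname[4096 + 50 + 1];
    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return longname;
}

int main(void)
{
    printf("%s\n", resolve_for_display("router.example", "192.0.2.1"));
    printf("%s\n", resolve_for_display(make_long_name(), "192.0.2.1"));
    return 0;
}
```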
