From: DownBload (downbloadhotmail.com)
Date: Thu Jun 06 2002 - 15:13:39 CDT


    DownBload Security Research Lab Advisory
    --------------------------------------------------------------------
    Advisory name: format string bug in TrACESroute
    Advisory number: 4
    Application: TrACESroute (traceroute program)
    Version affected: 6.0 GOLD, and probably previous versions
    Date: 04.6.2002
    Impact: local user can gain root access
    Tested on: Debian 2.1 (2.0.36 kernel)
    Discovered by: DownBload
    Mail me : downbloadhotmail.com


    Overview
    --------
    TrACESroute is just another traceroute program. TrACESroute uses raw
    sockets, so it must run as root, and because of that the traceroute binary
    is usually installed with the suid bit set.


    Problem
    -------
    TrACESroute is vulnerable to a format string bug. This piece of code causes
    the bug (terminator is taken straight from the command line and used as the
    format string):
    ...
    Fprintf(stdout,terminator);
    ...


    Example
    -------
    Test for the format string bug with the following command; on a vulnerable
    build each %s dereferences whatever pointer happens to be on the stack, so
    the program normally crashes instead of printing the literal string:
    ./traceroute -T %s%s%s localhost


    Solution
    --------
    If your users don't need traceroute, remove the suid bit from it, or:
    Replace this:
    ...
    Fprintf(stdout,terminator);
    ...
    With this:
    ...
    Fprintf(stdout,"%s",terminator);
    ...
    terminator is a variable that can contain line-terminator characters; it is
    set with the -T option. Fprintf is just -> #define Fprintf (void)fprintf.
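    The following is an added illustration of the Problem and Solution sections
    above; it is not TrACESroute's code. The vulnerable and fixed patterns are
    shown side by side using snprintf into a buffer so the result can be
    inspected, and STACK_GARBAGE is an assumed constant standing in for whatever
    value the real Fprintf(stdout,terminator) call would find on the stack. In
    the real program no argument is passed at all, so a -T value such as
    "%s%s%s" reads (and dereferences) stack contents; here one argument is passed
    so that a single "%x" stays defined behaviour. has_format_directive() is an
    added sanity check a setuid program could apply to the -T value in addition
    to, not instead of, the "%s" fix.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for a value sitting on the stack at the time of the
 * Fprintf() call; the real program leaks whatever is actually there. */
#define STACK_GARBAGE 0x41414141u

/* Vulnerable pattern: the -T argument is used directly as the format string.
 * One argument is supplied only so that a single "%x" is defined behaviour
 * in this demo; TrACESroute passes none, so "%s%s%s" walks the stack. */
void unsafe_print(char *out, size_t n, const char *terminator)
{
    snprintf(out, n, terminator, STACK_GARBAGE);
}

/* Fixed pattern from the Solution section: a literal "%s" is the format and
 * the user-controlled string is treated purely as data. */
void safe_print(char *out, size_t n, const char *terminator)
{
    snprintf(out, n, "%s", terminator);
}

/* Added check: returns 1 if the string contains any conversion specifier
 * other than the harmless "%%", i.e. would be dangerous as a format string. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') {   /* "%%" prints a literal percent sign */
                p++;
                continue;
            }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *attacker = "%x";   /* constructed -T argument */

    unsafe_print(buf, sizeof buf, attacker);
    printf("unsafe: %s\n", buf);   /* leaks the stack value: 41414141 */

    safe_print(buf, sizeof buf, attacker);
    printf("safe:   %s\n", buf);   /* prints the literal text: %x */

    printf("directive check: %d\n", has_format_directive(attacker));
    return 0;
}
```

    The unsafe variant turns the -T string into a read primitive (and, with
    "%n", a write primitive) against the setuid process; the fixed variant prints
    the same bytes back verbatim no matter what they contain.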


    More problems
    -------------
    There are probably more bugs in TrACESroute. I saw lots of strcpy, sprintf,
    etc., but I don't have time to check them.


    Exploit
    -------
    An exploit will be released soon (I hope so :).


    Greetz
    ------
    Greetz goes to #hr.hackers, and to all my real and virtual friends.
    Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.


    PS. Sorry for my bad (broken) English.