From: Carl Livitt (carl_at_learningshophull.co.uk)
Date: Mon Dec 02 2002 - 12:36:26 CST
Hi all,
Further to my email posting a working exploit for traceroute-nanog on SuSE
boxes, it would appear that the patch provided by SuSE does not address the
overflow my exploit... um... exploits.
On a patched SuSE 7.2 box:
carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
traceroute-6.1.1-0
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
Now run this exploit with the '-e' flag.
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte packets
 1 sh-2.05$ id
uid=500(carl) gid=100(users) groups=100(users)
sh-2.05$
Note that traceroute now drops root privileges (properly; there is no way to
get them back), so even though it is still possible to execute arbitrary code
via a stack overflow, it cannot be done as root.
Of course, if an attacker could control the server that traceroute uses to
look up DNS admin contact names, then it would be possible to exploit this
flaw remotely. However, the default server used by traceroute is 'localhost',
which makes this almost impossible to exploit in any way other than locally
on an unpatched system.
Cheers,
Carl.
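A worked illustration of the point above, that a properly dropped root cannot be regained, as an added example that is not code from the original post, from traceroute-nanog or from the SuSE patch (the message does not say which calls the patch uses; what follows is the standard way to do it on Linux). The first function changes only the effective uid, the pattern that leaves a way back through the saved set-user-ID; the second sets real, effective and saved ids with setresgid()/setresuid() so nothing is left to recover, and a probe then attempts seteuid(0) to confirm. The fallback target uid/gid 65534 ("nobody") used when the program is started as root is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Unsafe pattern: only the effective uid changes.  The saved set-user-ID
 * stays 0, so a later seteuid(0) succeeds and code running after a stack
 * overflow can simply take root back. */
static int drop_root_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* Safe pattern: set real, effective AND saved ids.  Groups go first, since
 * once the uid is no longer 0 the setresgid() call would be refused. */
static int drop_root_permanently(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the kernel really did what was asked before trusting it. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Probe: returns 1 if seteuid(0) is refused with EPERM (root is gone for
 * good), 0 if it succeeded (the effective uid is put back so the caller's
 * state is unchanged). */
static int root_is_unrecoverable(void)
{
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        (void)seteuid(before);
        return 0;
    }
    return errno == EPERM ? 1 : 0;
}

/* Unprivileged target: 65534 ("nobody" on most systems; an assumption) when
 * started as root, otherwise the invoking user's own ids. */
static uid_t target_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
static gid_t target_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

/* Drop permanently, then confirm root cannot be regained.
 * Returns 1 for a correct, irreversible drop, 0 otherwise. */
static int demo_permanent_drop(void)
{
    if (drop_root_permanently(target_uid(), target_gid()) != 0)
        return 0;
    return root_is_unrecoverable();
}

int main(void)
{
    if (getuid() == 0) {
        /* Only meaningful as root: the bad pattern leaves a way back. */
        (void)drop_root_temporarily(target_uid());
        printf("after seteuid() only:          root recoverable = %s\n",
               root_is_unrecoverable() ? "no" : "yes");
        (void)seteuid(0);   /* back to root for the real drop */
    }
    printf("after setresuid()/setresgid(): root recoverable = %s\n",
           demo_permanent_drop() ? "no" : "yes");
    return 0;
}
```

Run it as root to see both lines: the seteuid()-only drop reports root as recoverable, the setresuid()/setresgid() drop does not. As an ordinary user only the second case is meaningful, since there was no root to begin with, and the probe still confirms that seteuid(0) is refused.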