Subject: RE: [suse-security] SuSE: traceroute
From: bololupa.de
Date: Mon Oct 02 2000 - 05:52:59 CDT


Hi,

according to a bugtraq post from Chris Evans (chrisferret.lmh.ox.ac.uk) from
Sep. 29th, traceroute version 1.4a5 seems to be vulnerable; Chris Evans wrote:

"VERSIONS AFFECTED
 =================

 (Where LBNL = Lawrence Berkeley National Laboratory)

 Affected: LBNL 1.4a5
 Safe: LBNL 1.4a7
 Safe: RedHat7.0 traceroute (1.4a5 + a patch)
 [...]
 First, some background reading, namely Solar Designer's excellent
 discussion on the generic exploitation of heap overflows;

 http://www.securityfocus.com/archive/1/71598

 The discussion shows nicely how heap mismanagement is fatal. However,
 overflowing a malloc()'ed buffer is not the only bad thing you can do to
 the heap. In the case of traceroute, there was a reliable way of making
 traceroute call free() on a pointer that was not obtained with malloc().

 This flaw in traceroute (if your version is vulnerable) is tickled like
 this:

 traceroute -g 1 -g 1 (I think it didn't need a hostname)
 Segmentation fault

 Looking at the code, there is a file "savestr.c", which contains a
 function savestr(). This savestr() function is essentially a
 strdup() function, but with the difference that an attempt is made to cut
 down on the number of malloc() calls. This is accomplished by malloc()'ing
 a large block and handing out pointers _inside_ this block as savestr() is
 repeatedly called."

The traceroute version we use on several of our boxes running SuSE 6.0 -> 6.2
(1.4a5) segfaults when issuing the traceroute command line mentioned above. Is
this (SuSE-)traceroute version really not susceptible to being exploited with
some piece of evil code? Why?

Boris

---

On 01-Oct-00 Roman Drahtmueller wrote:
> Hi,
>
> SuSE ships a different implementation of traceroute in the distributions.
> It is not susceptible to the attacks as mentioned by other Linux vendors.
>
> Regards,
> Roman Drahtmüller.
> --
> - -
>| Roman Drahtmüller <drahtsuse.de>          "Caution: Cape does not |
>  SuSE GmbH - Security                      enable user to fly."
>| Nürnberg, Germany                 (Batman Costume warning label) |
[...]
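The quoted advisory describes savestr() as a strdup() variant that malloc()s one large block and hands out pointers inside it, and the bug as traceroute later calling free() on one of those interior pointers. The following is an added example written for this archive page, not code from traceroute, from Chris Evans or from SuSE: a savestr()-style arena in the same shape (the names arena_savestr, arena_owns, release_str and arena_destroy are this example's own), together with the ownership check a caller needs so that free() only ever receives pointers malloc() actually returned. The strings "gateway1"/"gateway2"/"plain" are constructed sample input.

```c
/* Added example: a savestr()-style arena and the "does free() own this
 * pointer?" check. Not traceroute's code; all names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK 1024  /* size of each block the arena obtains from malloc() */

/* One malloc()'ed block; strings are packed into data[] back to back. */
struct block {
    struct block *next;
    size_t used;
    char data[CHUNK];
};

struct arena { struct block *head; };

/* strdup()-like: copies s into the arena and returns an INTERIOR pointer.
 * As with traceroute's savestr(), malloc() never returned this pointer,
 * so handing it to free() is undefined behaviour. */
char *arena_savestr(struct arena *a, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > CHUNK) return NULL;                 /* oversize: not handled here */
    if (a->head == NULL || a->head->used + n > CHUNK) {
        struct block *b = malloc(sizeof *b);    /* the only real allocation */
        if (b == NULL) return NULL;
        b->next = a->head;
        b->used = 0;
        a->head = b;
    }
    char *p = a->head->data + a->head->used;
    memcpy(p, s, n);
    a->head->used += n;
    return p;
}

/* 1 if p lies inside a block owned by the arena, else 0. */
int arena_owns(const struct arena *a, const char *p)
{
    uintptr_t q = (uintptr_t)p;
    for (const struct block *b = a->head; b != NULL; b = b->next) {
        uintptr_t lo = (uintptr_t)b->data, hi = lo + b->used;
        if (q >= lo && q < hi) return 1;
    }
    return 0;
}

/* Release a string. Returns 0 when p was a genuine malloc() result and
 * has been freed, -1 when p is arena-interior and must NOT reach free().
 * This is the check whose absence the advisory describes. */
int release_str(const struct arena *a, char *p)
{
    if (arena_owns(a, p)) return -1;
    free(p);
    return 0;
}

/* Tear down: free() exactly the pointers malloc() returned, nothing else. */
void arena_destroy(struct arena *a)
{
    struct block *b = a->head;
    while (b != NULL) {
        struct block *next = b->next;
        free(b);
        b = next;
    }
    a->head = NULL;
}

/* Runs the scenario; returns how many of the six expectations held (6 = all). */
int demo_checks(void)
{
    int ok = 0;
    struct arena a = { NULL };
    char *x = arena_savestr(&a, "gateway1");    /* constructed sample input */
    char *y = arena_savestr(&a, "gateway2");
    if (x && y && strcmp(x, "gateway1") == 0 && strcmp(y, "gateway2") == 0) ok++;
    if (x && y && y == x + 9) ok++;             /* both live in the same block */
    if (arena_owns(&a, x) && arena_owns(&a, y)) ok++;
    char *z = malloc(6);                        /* a pointer malloc() really returned */
    if (z) memcpy(z, "plain", 6);
    if (z && !arena_owns(&a, z)) ok++;
    if (release_str(&a, x) == -1) ok++;         /* interior pointer: refused */
    if (release_str(&a, z) == 0) ok++;          /* genuine heap pointer: freed */
    arena_destroy(&a);
    return ok;
}

int main(void)
{
    printf("%d of 6 checks passed\n", demo_checks());
    return 0;
}
```

The point for a reviewer of such code is that an arena allocator changes the ownership rules: every consumer of savestr()'s return value must know that the string belongs to the arena, not to the caller, and the release path has to be able to tell the two kinds of pointer apart (or the arena must simply never be freed piecemeal). Memory debuggers such as Valgrind flag a free() of an interior pointer as an invalid free, which is the quickest way to catch this class of bug in a test run.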
