Re: Buffer Overruns in RedHat 5.0

Wilton Wong - ListMail (listmail@NOVA.BLACKSTAR.NET)
Sun, 14 Dec 1997 18:54:53 -0700

Well I have compiled my onw ping/traceroute/rsh from the SRPMS and the
sources of the things don't seem to be the problem, well not that I can
see anyways.. (looked thru briefly and didn't see any obvious holes)

I am running the same traceroute on a RH4.8 box and it looks like that one
isn't vulnerable.. I think the only diff between the programs is one is
compiled for libc5 and the other glibc2.. I am starting to suspect that
this could be a library problem and not a problem with the programs..

An strace shows traceroute gets to opening the resolv lib and then dies.

Alot of my apps in RH5.0 I can segfault with a long parameter for example
telnet, but the same app in RH4.8 won't.. plus I'd like to belive that
people that write setuid programs as simple as ping would see something as
blatenly obvious as this..

Oh well another glibc "feature" I guess..

btw: has anyone gotten the non-stack exec + symlink security fixes
incorporated in their RH5.0 box ? I tried it once without trampoines and
init wouldn't even run, I tried again this time allowing trampolines and
most programs ran with the exception of some X things like xv.. looks like
trampolines exist in the glibc2 =(

Wilton Wong BlackStar Communications
URL: 16121 - 57 Street
Email: Edmonton AB T5Y 2T1
Tel: (403) 486-7783 Fax: (403) 484-6004

On Sun, 14 Dec 1997, Phillip R. Jaenke wrote:

> >Just going though some setuid things and noticed that in RedHat 5.0 you
> >can overrun the buffers in /bin/ping and /usr/sbin/traceroute, I attached
> >an exploit for traceroute nothing fancy just what I had to test it with
> >simple eggshell.
> > looks like these are also vunerable to buffer overruns, /usr/bin/rlogin
> > /usr/bin/rsh
> > Sorry if this has been mentioned before..
> Wilton;
> It hasn't. And I can already think of several workarounds.
> One is to compile your own ping, traceroute, rlogin, and rsh.
> The other is to drop back to ping/traceroute/rlogin/rsh from RH4.2, or
> 4.9.1, which is not vulnerable, AFAIK.
> I'm going to pass this email on to RedHat so we can get a 'real' fix soon.
> -prj