Re: Buffer overrun in Redhat 5.0

Wilton Wong - ListMail (listmail@NOVA.BLACKSTAR.NET)
Mon, 15 Dec 1997 17:56:56 -0700

The problem is that this only fixes traceroute; rlogin, rsh, and ping are
most likely still vulnerable. They just put a check into traceroute to
see if the hostname you gave it is too long..

This will still give you a segfault if say you did something like this:

traceroute somehost.com -g [lots of XXX's]

which I'd expect would still be vulnerable.. and it is =/

wwong@nova:~/src/trace$ traceroute somehost.com -g $RET
bash# whoami
root
bash#

bash# rpm -qif /usr/sbin/traceroute
Name        : traceroute                  Distribution: Hurricane
Version     : 1.4a5                       Vendor: Red Hat Software
Release     : 5                           Build Date: Sun Dec 14 11:16:22 1997
Install date: Tue Dec 16 07:37:28 1997    Build Host: porky.redhat.com
Group       : Networking/Utilities        Source RPM: traceroute-1.4a5-5.src.rpm
Size        : 30603
Packager : Red Hat Software <bugs@redhat.com>
Summary : traces the route packets take over a TCP/IP network
Description :
Traceroute prints the route packets take across a TCP/IP. The names (or
IP numbers if names are not available) of the machines which are routing
packets from the machine traceroute is running on to the destination
machine are printed, along with the time is took to receive a packet
acknowledgement from that machine. This tool can be very helpfull in
diagnosing networking problems.

-------------------------------------------------------------------------
Wilton Wong BlackStar Communications
URL: http://www.blackstar.net 16121 - 57 Street
Email: wwong@blackstar.net Edmonton AB T5Y 2T1
Tel: (403) 486-7783 Fax: (403) 484-6004
-------------------------------------------------------------------------

On Tue, 16 Dec 1997, Ask Bjørn Hansen wrote:

>
> >Okay I noticed that if I ran traceroute with a really long param it
> >segfaults and I wondered if I could exploit this, I could, I checked to
> >see that I didn't have a twisted version of traceroute, I didn't, so I
> >tried ping as well same result. That's when I posted.
>
> From the redhat website (errata page for redhat 5.0):
>
> Package: traceroute
>
> Updated: 15-Dec-1997
>
> Problem:
>
> (15-Dec-1997) Security Fix: Fixes buffer overruns in traceroute.
>
> Solution:
>
> Intel: Upgrade to traceroute-1.4a5-5.i386.rpm
> Alpha: Upgrade to traceroute-1.4a5-5.alpha.rpm
>
>
> I would guess that it's this problem they have fixed. Better ask someone
> at redhat...
>
>
> kind regards,
>
> ask
>
> ---------------------------------------------------------------------
> ask bjoern hansen - Netcetera - Finsensvej 80 - DK-2000 Frederiksberg
> tlf 38 88 32 22 / 40 44 58 66 / 38 88 20 38 ext 341 - Fax 38 88 30 38
> Webdesign, Webhotel, Mailhotel, UUCP & more! http://www.netcetera.dk/
>
>
>
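
The message above reports that a length check on the hostname alone leaves the -g argument unchecked. As an added C example (not traceroute's source and not Red Hat's patch), this shows the defensive pattern of routing every argv-derived string through one bounded copy; the struct, function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64            /* assumed buffer size, illustration only */

struct trace_opts {                /* hypothetical option struct */
    char host[NAME_MAX_LEN];
    char gateway[NAME_MAX_LEN];
};

/* One bounded copy used for every argv-derived string.
 * Returns 0 on success, -1 if src plus its NUL does not fit in dst. */
static int copy_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize)
        return -1;                 /* reject instead of truncating */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse "host [-g gateway]" in any order. Both strings take the same
 * checked path, so no option can bypass the length test. */
int parse_args(int argc, char **argv, struct trace_opts *o)
{
    int have_host = 0;
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-g") == 0) {
            if (++i >= argc) return -1;            /* -g needs a value */
            if (copy_arg(o->gateway, sizeof o->gateway, argv[i]) != 0)
                return -1;
        } else if (!have_host) {
            if (copy_arg(o->host, sizeof o->host, argv[i]) != 0)
                return -1;
            have_host = 1;
        } else {
            return -1;                             /* unexpected extra arg */
        }
    }
    return have_host ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct trace_opts o;
    if (parse_args(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: prog host [-g gateway], names under %d bytes\n", NAME_MAX_LEN);
        return 1;
    }
    printf("host=%s gateway=%s\n", o.host, o.gateway);
    return 0;
}
```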