Re: Buffer Overruns in RedHat 5.0

From: Wilton Wong - ListMail (listmailat_private)
Date: Sun Dec 14 1997 - 17:54:53 PST


    Well I have compiled my own ping/traceroute/rsh from the SRPMS and the
    sources of the things don't seem to be the problem, well not that I can
    see anyways.. (looked through briefly and didn't see any obvious holes)
    
    I am running the same traceroute on a RH4.8 box and it looks like that one
    isn't vulnerable.. I think the only diff between the programs is one is
    compiled for libc5 and the other glibc2.. I am starting to suspect that
    this could be a library problem and not a problem with the programs..
    
    An strace shows traceroute gets to opening the resolv lib and then dies.
    
    A lot of my apps in RH5.0 I can segfault with a long parameter, for example
    telnet, but the same app in RH4.8 won't.. plus I'd like to believe that
    people that write setuid programs as simple as ping would see something as
    blatantly obvious as this..
    
    Oh well another glibc "feature" I guess..
    
    btw: has anyone gotten the non-stack exec + symlink security fixes
    incorporated in their RH5.0 box ? I tried it once without trampolines and
    init wouldn't even run, I tried again this time allowing trampolines and
    most programs ran with the exception of some X things like xv.. looks like
    trampolines exist in the glibc2 =(
    
    -------------------------------------------------------------------------
       Wilton Wong                                BlackStar Communications
       URL: http://www.blackstar.net                     16121 - 57 Street
       Email: wwongat_private                      Edmonton AB T5Y 2T1
       Tel: (403) 486-7783                             Fax: (403) 484-6004
    -------------------------------------------------------------------------
    
    On Sun, 14 Dec 1997, Phillip R. Jaenke wrote:
    
    > >Just going though some setuid things and noticed that in RedHat 5.0 you
    > >can overrun the buffers in /bin/ping and /usr/sbin/traceroute, I attached
    > >an exploit for traceroute nothing fancy just what I had to test it with
    > >simple eggshell.
    > > looks like these are also vulnerable to buffer overruns, /usr/bin/rlogin
    > > /usr/bin/rsh
    > > Sorry if this has been mentioned before..
    >
    > Wilton;
    >
    > It hasn't. And I can already think of several workarounds.
    >
    > One is to compile your own ping, traceroute, rlogin, and rsh.
    > The other is to drop back to ping/traceroute/rlogin/rsh from RH4.2, or
    > 4.9.1, which is not vulnerable, AFAIK.
    >
    > I'm going to pass this email on to RedHat so we can get a 'real' fix soon.
    >
    > -prj
    >
    >
    
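The bug class discussed in this thread (a setuid network tool copying an over-long command-line argument into a fixed-size stack buffer) shown as an added example, not code from any of the Red Hat tools or from the posters; the buffer size and function names are illustrative, and the hardened copy rejects input that does not fit rather than truncating it.

```c
/* Added illustration of the overrun pattern the thread describes and a
 * bounded replacement. Not the ping/traceroute/rsh source; names invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTBUF 64   /* constructed size; real tools sized this by MAXHOSTNAMELEN */

/* Vulnerable pattern: strcpy trusts whatever length argv[1] has, so an
 * argument longer than HOSTBUF bytes writes past the end of dst. */
void copy_host_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: measure the input without scanning past dstsz, refuse
 * anything that leaves no room for the terminator, then copy exactly. */
int copy_host_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)          /* too long: no room for the trailing NUL */
        return -1;
    memcpy(dst, src, n + 1); /* n bytes plus terminator, always within dstsz */
    return 0;
}

/* Builds a constructed hostname of len bytes and reports whether
 * copy_host_checked accepts it into a HOSTBUF-sized buffer. */
int check_len(size_t len)
{
    char host[HOSTBUF];
    char *src = malloc(len + 1);
    int rc;
    if (!src)
        return -2;
    memset(src, 'a', len);
    src[len] = '\0';
    rc = copy_host_checked(host, sizeof host, src);
    free(src);
    return rc;
}

int main(int argc, char **argv)
{
    char host[HOSTBUF];
    if (argc < 2 || copy_host_checked(host, sizeof host, argv[1]) != 0) {
        fprintf(stderr, "usage: %s hostname (at most %d bytes)\n", argv[0], HOSTBUF - 1);
        return 1;
    }
    printf("would resolve: %s\n", host);
    return 0;
}
```

A 63-byte name is the longest accepted; 64 bytes or more is refused before any copy takes place.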


