Well I have compiled my own ping/traceroute/rsh from the SRPMS and the sources of the things don't seem to be the problem, well not that I can see anyways.. (looked through briefly and didn't see any obvious holes) I am running the same traceroute on a RH4.8 box and it looks like that one isn't vulnerable.. I think the only diff between the programs is one is compiled for libc5 and the other glibc2.. I am starting to suspect that this could be a library problem and not a problem with the programs.. An strace shows traceroute gets to opening the resolv lib and then dies.

A lot of my apps in RH5.0 I can segfault with a long parameter, for example telnet, but the same app in RH4.8 won't.. plus I'd like to believe that people that write setuid programs as simple as ping would see something as blatantly obvious as this.. Oh well, another glibc "feature" I guess..

btw: has anyone gotten the non-stack exec + symlink security fixes incorporated in their RH5.0 box? I tried it once without trampolines and init wouldn't even run, I tried again this time allowing trampolines and most programs ran with the exception of some X things like xv.. looks like trampolines exist in the glibc2 =(

-------------------------------------------------------------------------
Wilton Wong                       BlackStar Communications
URL: http://www.blackstar.net     16121 - 57 Street
Email: wwongat_private            Edmonton AB T5Y 2T1
Tel: (403) 486-7783               Fax: (403) 484-6004
-------------------------------------------------------------------------

On Sun, 14 Dec 1997, Phillip R. Jaenke wrote:

> > Just going through some setuid things and noticed that in RedHat 5.0 you
> > can overrun the buffers in /bin/ping and /usr/sbin/traceroute, I attached
> > an exploit for traceroute, nothing fancy, just what I had to test it with,
> > simple eggshell.
> > looks like these are also vulnerable to buffer overruns, /usr/bin/rlogin
> > /usr/bin/rsh
> > Sorry if this has been mentioned before..
> > Wilton;
>
> It hasn't. And I can already think of several workarounds.
>
> One is to compile your own ping, traceroute, rlogin, and rsh.
> The other is to drop back to ping/traceroute/rlogin/rsh from RH4.2, or
> 4.9.1, which is not vulnerable, AFAIK.
>
> I'm going to pass this email on to RedHat so we can get a 'real' fix soon.
>
> -prj
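An added illustration of the pattern the thread is discussing (not code from the thread, from RedHat's packages, or from the attached exploit): a hostname argument copied into a fixed buffer, beside the bounded check a setuid tool can apply before argv ever reaches the resolver. The buffer size and the 5000-byte argument are constructed for the demonstration.

```c
/* Added example (not RedHat 5.0's ping/traceroute source): fixed-buffer
 * hostname copy vs a bounded check. HOSTBUF is a constructed size. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOSTBUF 64

/* Defective pattern: argv length is trusted, so a parameter longer than
 * HOSTBUF-1 bytes writes past 'host'. Shown for contrast; never called. */
void copy_host_unsafe(const char *arg, char host[HOSTBUF]) {
    strcpy(host, arg);
}

/* Hardened form: reject what does not fit (with its NUL) or carries bytes a
 * hostname never needs. Returns 0 on success, -1 on reject. */
int copy_host_checked(const char *arg, char *host, size_t hostsz) {
    size_t n = strlen(arg);
    if (n == 0 || n >= hostsz)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return -1;
    }
    memcpy(host, arg, n + 1);
    return 0;
}

/* Verdict for one argument against a HOSTBUF-sized buffer (0 ok, -1 rejected). */
int hostarg_verdict(const char *arg) {
    char host[HOSTBUF];
    return copy_host_checked(arg, host, sizeof host);
}

/* Constructed 5000-byte parameter standing in for the "long parameter" above. */
int check_long_parameter(void) {
    char longarg[5000];
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    return hostarg_verdict(longarg);
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "www.blackstar.net";
    printf("%s -> %s\n", arg, hostarg_verdict(arg) == 0 ? "accepted" : "rejected");
    printf("5000-byte parameter -> %s\n", check_long_parameter() == 0 ? "accepted" : "rejected");
    return 0;
}
```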
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:36:01 PDT