Format String bug in TrACESroute 6.0 GOLD

From: DownBload (downbloadat_private)
Date: Thu Jun 06 2002 - 13:13:39 PDT

               DownBload Security Research Lab Advisory
    --------------------------------------------------------------------
    Advisory name: format string bug in TrACESroute 
    Advisory number: 4
    Application: TrACESroute (traceroute program)
    Version affected: 6.0 GOLD, and probably previous versions
    Date: 04.6.2002 
    Impact: local user can gain root access 
    Tested on: Debian 2.1 (2.0.36 kernel)
    Discovered by: DownBload
    Mail me @: downbloadat_private
    
    
    Overview
    --------
    TrACESroute is just another traceroute program. It uses raw sockets, so it
    must be run as root, and because of that the traceroute binary is usually
    installed with the suid bit set.
    
    
    Problem
    -------
    TrACESroute is vulnerable to a format string bug. This line of code causes
    the bug:
    ...
    Fprintf(stdout,terminator);
    ...
    
    
    Example
    -------
    Test this format string bug with:
    ./traceroute -T %s%s%s localhost
    
    
    Solution
    --------
    If your users don't need traceroute, remove the suid bit from it, or:
    Replace this: 
    ...
    Fprintf(stdout,terminator);
    ...
    With this:
    ...
    Fprintf(stdout,"%s",terminator);
    ...
    terminator is a variable which can hold line-terminator characters; it is
    set with the -T option. Fprintf is just a macro:
    #define Fprintf (void)fprintf.
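    The vulnerable and the fixed form side by side, as an added example that is
    not code from the advisory or from TrACESroute itself. The function names,
    the directive counter and the buffer-rendering helper are hypothetical; the
    only thing taken from the advisory is the fprintf pattern and its fix.

```c
#include <stdio.h>
#include <string.h>

/* 'Before': the pattern the advisory describes. The user-controlled string
 * (the -T argument) is passed as the format, so every % directive in it is
 * interpreted by fprintf. Never call this with untrusted input. */
void print_terminator_vulnerable(FILE *out, const char *terminator)
{
    (void)fprintf(out, terminator);
}

/* 'After': the fix the advisory gives. The format is a constant "%s" and
 * the user string is only ever treated as data. */
void print_terminator_fixed(FILE *out, const char *terminator)
{
    (void)fprintf(out, "%s", terminator);
}

/* Count % conversions in a string; a "%%" escape counts as none. Useful
 * when reviewing arguments handed to a suid binary: "%s%s%s" -> 3,
 * "\r\n" -> 0. (Hypothetical helper, not part of TrACESroute.) */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

/* Render with the fixed form into a buffer and return the length written,
 * so the behaviour can be checked without touching stdout. */
int render_fixed(const char *terminator, char *buf, size_t len)
{
    return snprintf(buf, len, "%s", terminator);
}

int main(void)
{
    char buf[64];
    const char *t = "%s%s%s";   /* the argument from the advisory's test case */
    render_fixed(t, buf, sizeof buf);
    printf("directives=%d rendered=\"%s\"\n", count_format_directives(t), buf);
    print_terminator_fixed(stdout, "\n");   /* prints the data unchanged */
    return 0;
}
```

    With the fixed form the string "%s%s%s" is printed literally; with the
    vulnerable form the same string is interpreted as three conversions.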
    
    
    More problems
    -------------
    There are probably more bugs in TrACESroute. I saw lots of strcpy, 
    sprintf etc.,
    but I don't have time to check it.
    
    
    Exploit
    -------
    Exploit will be released soon (I hope so :).
    
    
    Greetz 
    ------
    Greetz goes to #hr.hackers, and to all my real and virtual friends.     
    Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.
    
    
    PS. Sorry for my bad (broken) English.
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:02:55 PDT