[25682] in bugtraq


Format String bug in TrACESroute 6.0 GOLD

daemon@ATHENA.MIT.EDU (DownBload)
Thu Jun 6 17:03:24 2002

Date: 6 Jun 2002 20:13:39 -0000
Message-ID: <20020606201339.24484.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: DownBload <downbload@hotmail.com>
To: bugtraq@securityfocus.com

           DownBload Security Research Lab Advisory
--------------------------------------------------------------------
Advisory name: format string bug in TrACESroute 
Advisory number: 4
Application: TrACESroute (traceroute program)
Version affected: 6.0 GOLD, and probably previous versions
Date: 04.6.2002 
Impact: local user can gain root access 
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: downbload@hotmail.com


Overview
--------
TrACESroute is just another traceroute program. TrACESroute uses raw sockets,
so it must run with root privileges, and because of that the traceroute
binary is usually installed with the suid bit set.


Problem
-------
TrACESroute is vulnerable to a format string bug. This piece of code causes
the bug:
...
Fprintf(stdout,terminator);
...


Example
-------
Test for this format string bug with:
./traceroute -T %s%s%s localhost


Solution
--------
If your users don't need traceroute, remove the suid bit from it, or:
Replace this: 
...
Fprintf(stdout,terminator);
...
With this:
...
Fprintf(stdout,"%s",terminator);
...
terminator is a variable that holds the line-terminator characters; it is
set from the -T option, so its contents are user-controlled. Fprintf is
just: #define Fprintf (void)fprintf
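The vulnerable line from the Problem section and the fixed line from the Solution section, side by side, as an added example that is not TrACESroute's own code. The function names, the -T parsing in the driver and the default terminator of "\n" are assumptions made for this illustration; only the Fprintf macro and the "%s" fix come from the advisory. The unsafe form is kept as a comment so the file never executes it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not TrACESroute's own code. It models the advisory's -T
 * handling: `terminator` is argv data under the caller's control, and the
 * fix is to pass it as an argument to a constant "%s" format. */

/* Before the fix (the advisory's vulnerable line), shown only as a comment:
 *     Fprintf(stdout, terminator);   // the user string IS the format string
 */

/* After the fix: the user string is data, never a format. Writes the
 * terminator into buf and returns the length snprintf would produce, so
 * the result can be checked without going through stdout. */
int format_terminator(char *buf, size_t bufsize, const char *terminator)
{
    return snprintf(buf, bufsize, "%s", terminator);
}

/* The same fix applied to stream output, as TrACESroute does it;
 * returns fprintf's byte count or a negative value on error. */
int print_terminator(FILE *out, const char *terminator)
{
    return fprintf(out, "%s", terminator);
}

/* Audit helper (hypothetical): does a -T value contain a '%' that would be
 * interpreted as a conversion if it ever reached a printf-family format
 * argument? Returns 1 if so, 0 otherwise. The "%s" fix above does not
 * need this; it is a defence-in-depth check for code paths that were missed. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Stand-alone driver: ./a.out -T '%s%s%s' prints the six characters
 * literally instead of having them interpreted as conversions. */
int main(int argc, char **argv)
{
    const char *terminator = "\n";   /* assumed default, not from the advisory */
    int i;
    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-T") == 0)
            terminator = argv[i + 1];
    }
    if (contains_format_directive(terminator))
        fprintf(stderr, "note: -T value contains '%%'; it is printed as literal text\n");
    fputs("terminator follows:", stdout);
    print_terminator(stdout, terminator);
    return 0;
}
```

Because the cast in #define Fprintf (void)fprintf discards the return value, the original code gives no hint when the format is wrong; compiling with gcc -Wformat -Wformat-security flags any printf-family call whose format argument is not a string literal, which would have caught the line above at build time.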


More problems
-------------
There are probably more bugs in TrACESroute. I saw lots of strcpy,
sprintf etc., but I don't have time to check them.


Exploit
-------
Exploit will be released soon (I hope so :).


Greetz 
------
Greetz goes to #hr.hackers, and to all my real and virtual friends.
Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.


PS. Sorry for my bad (broken) English.

