[5806] in bugtraq

Re: Buffer overrun in Redhat 5.0

daemon@ATHENA.MIT.EDU (Wilton Wong - ListMail)
Tue Dec 16 11:27:04 1997

Date: 	Mon, 15 Dec 1997 17:56:56 -0700
Reply-To: Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
From: Wilton Wong - ListMail <listmail@NOVA.BLACKSTAR.NET>
X-To:         Ask Bjørn Hansen <ask@netcetera.dk>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <v03110704b0bb6d1d5afa@[194.192.207.10]>

The problem is that this only fixes traceroute; rlogin, rsh, and ping are
most likely still vulnerable, they just put a check in to traceroute to
see if the hostname you gave it is too long..

This will still give you a segfault if say you did something like this:

traceroute somehost.com -g [lots of XXX's]

which I'd expect would still be vulnerable.. and it is =/

wwong@nova:~/src/trace$ traceroute somehost.com -g $RET
bash# whoami
root
bash#

bash# rpm -qif /usr/sbin/traceroute
Name        : traceroute                  Distribution: Hurricane
Version     : 1.4a5                             Vendor: Red Hat Software
Release     : 5                             Build Date: Sun Dec 14 11:16:22 1997
Install date: Tue Dec 16 07:37:28 1997   Build Host: porky.redhat.com
Group       : Networking/Utilities          Source RPM: traceroute-1.4a5-5.src.rpm
Size        : 30603
Packager    : Red Hat Software <bugs@redhat.com>
Summary     : traces the route packets take over a TCP/IP network
Description :
Traceroute prints the route packets take across a TCP/IP. The names (or
IP numbers if names are not available) of the machines which are routing
packets from the machine traceroute is running on to the destination
machine are printed, along with the time is took to receive a packet
acknowledgement from that machine. This tool can be very helpfull in
diagnosing networking problems.

-------------------------------------------------------------------------
   Wilton Wong                                BlackStar Communications
   URL: http://www.blackstar.net                     16121 - 57 Street
   Email: wwong@blackstar.net                      Edmonton AB T5Y 2T1
   Tel: (403) 486-7783                             Fax: (403) 484-6004
-------------------------------------------------------------------------

On Tue, 16 Dec 1997, Ask Bjørn Hansen wrote:

>
> >Okay I noticed that if I ran traceroute with a really long param it
> >segfaults and I wondered if I could exploit this, I could, I checked to
> >see that I didn't have a twisted version of traceroute, I didn't, so I
> >tried ping as well same result. That's when I posted.
>
> From the redhat website (errata page for redhat 5.0):
>
> Package: traceroute
>
> Updated: 15-Dec-1997
>
> Problem:
>
>        (15-Dec-1997) Security Fix: Fixes buffer overruns in traceroute.
>
> Solution:
>
>        Intel: Upgrade to traceroute-1.4a5-5.i386.rpm
>        Alpha: Upgrade to traceroute-1.4a5-5.alpha.rpm
>
>
> I would guess that it's this problem they have fixed. Better ask someone
> at redhat...
>
>
> kind regards,
>
> ask
>
> ---------------------------------------------------------------------
> ask bjoern hansen - Netcetera - Finsensvej 80 - DK-2000 Frederiksberg
> tlf 38 88 32 22 / 40 44 58 66 / 38 88 20 38 ext 341 - Fax 38 88 30 38
> Webdesign, Webhotel, Mailhotel, UUCP & more! http://www.netcetera.dk/
>
>
>