[16960] in bugtraq
Re: Very interesting traceroute flaw
daemon@ATHENA.MIT.EDU (Sylvain Robitaille)
Fri Sep 29 12:30:18 2000
Message-Id: <200009291550.LAA31872@alcor.concordia.ca>
Date: Fri, 29 Sep 2000 11:50:15 -0400
Reply-To: Sylvain Robitaille <syl@ALCOR.CONCORDIA.CA>
From: Sylvain Robitaille <syl@ALCOR.CONCORDIA.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0009282201460.28324-100000@ferret.lmh.ox.ac.uk>
Chris Evans wrote:
> This flaw in traceroute (if your version is vulnerable) is tickled
> like this:
>
> traceroute -g 1 -g 1 (I think it didn't need a hostname)
> Segmentation fault
For the record, I tested this on Slackware Linux (4.0, and 3.x), as well
as Digital (Compaq) Unix versions 4.0d, 4.0e, and 4.0g, and Solaris-2.7,
and found that none of those systems have a vulnerable version of
traceroute.
On the Linux systems, traceroute doesn't accept the '-g' option; Solaris
traceroute complains without a hostname, and runs with one (no
segmentation fault, though the output appears unreliable); all tested
versions of Digital Unix dutifully try to traceroute to 0.0.0.1.
--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca
Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
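A small shell helper for repeating the check described in this thread on one's own hosts, added here as an example; it is not code from Sylvain Robitaille, Chris Evans, or any traceroute distribution. It invokes the locally installed traceroute with the exact arguments quoted above ("-g 1 -g 1", no hostname) and classifies the outcome the way the message does: the binary rejects the option or demands a hostname, it runs, or it dies on a signal. The TRACEROUTE variable, the function names and the use of `timeout` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): classify how the locally
# installed traceroute reacts to the repeated "-g" invocation quoted in the
# thread. Only "-g 1 -g 1" comes from the page; everything else is constructed.

# Path of the binary to test; override with TRACEROUTE=/path/to/traceroute.
TRACEROUTE="${TRACEROUTE:-$(command -v traceroute 2>/dev/null)}"

# classify_status <exit-status>
# Maps a shell exit status to one of: crash, usage-error, exit:0.
# POSIX shells report death by signal N as 128+N (139 = SIGSEGV on Linux).
classify_status() {
    status="$1"
    if [ "$status" -gt 128 ]; then
        echo "crash"
    elif [ "$status" -ne 0 ]; then
        echo "usage-error"      # rejected -g, or demanded a hostname
    else
        echo "exit:0"           # ran to completion; inspect its output by hand
    fi
}

# run_check [path-to-traceroute]
# Prints "missing" if there is no executable to test, otherwise the
# classification of running it exactly as in the thread (no hostname).
run_check() {
    bin="${1:-$TRACEROUTE}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    # Bound the run in case a version starts probing (Digital Unix tried
    # 0.0.0.1); fall back to a plain invocation where timeout(1) is absent.
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$bin" -g 1 -g 1 </dev/null >/dev/null 2>&1
    else
        "$bin" -g 1 -g 1 </dev/null >/dev/null 2>&1
    fi
    classify_status $?
}

# Stand-alone use: report the result for the installed binary.
[ -n "$RUN_CHECK_QUIET" ] || echo "traceroute -g 1 -g 1 -> $(run_check)"
```

A "crash" result on a setuid-root traceroute is the case worth recording; "usage-error" matches what the Linux and Solaris builds in the thread did, and "exit:0" means the build ran and its behaviour (such as tracing toward 0.0.0.1) should be looked at directly.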