[16964] in bugtraq
Re: Very interesting traceroute flaw
daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Sep 29 13:07:03 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <200009291047.MAA21466@romulus.Holland.Sun.COM>
Date: Fri, 29 Sep 2000 12:47:43 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 28 Sep 2000 23:33:28 BST."
<Pine.LNX.4.21.0009282201460.28324-100000@ferret.lmh.ox.ac.uk>
>I'm starting with a credit section because I did not discover this
>flaw. The flaw was discovered by Pekka Savola <pekkas@netcore.fi>, who
>noted that traceroute could be caused to crash, which is pretty suboptimal
>behaviour for a suid-root program :-) I took this forward and speculate
>that in fact this very minor code flaw may well be exploitable.
Even though Solaris 7 and later include LBNL traceroute, the first
version of the source checked into SCCS has the following interesting
comment (this branch dates from 98/01/12):
/*
 * LBNL bug fixed: used to call savestr(), which was buggy
 * it gives bus error when more than one -g used
 * savestr.h removed
 */
The code was completely removed when IPv6 support was integrated much
later.
Casper