[16976] in bugtraq
Re: Very interesting traceroute flaw
daemon@ATHENA.MIT.EDU (Elias Levy)
Sat Sep 30 17:38:26 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000930141053.M12407@securityfocus.com>
Date: Sat, 30 Sep 2000 14:10:53 -0700
Reply-To: aleph1@SECURITYFOCUS.COM
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0009282201460.28324-100000@ferret.lmh.ox.ac.uk>
Batch of responses in this thread.
Felix Kronlage <fkr@grummel.net>:
OpenBSD 2.7-stable (patch_branch): safe
OpenBSD 2.8-beta: safe
jura <jura@technolust.cx>:
Redhat 6.0 is affected as well (using ver. traceroute-1.4a5-16)
Carl Brock Sides <csides@autozone.com>:
For Debian users:
Affected: 1.4a5-2 (distributed with Potato)
Safe: 1.4a5-3 (distributed with Woody)
According to the Debian changelog:
traceroute (1.4a5-3) stable unstable; urgency=low
* Fixed a bug where free(3) was called on non-malloced memory.
"Venkat RK Reddy" <vpothams@cisco.com>:
It seems Caldera (at least 2.4 e server) has the faulty version. It readily
produces seg fault.
Jerry Walsh <jerry@aardvark.ie>:
For the record, FreeBSD 3.5 isn't vulnerable
[jw@llama] (~): traceroute -g 1 -g 1
Version 1.3.2
Usage: traceroute [-dnrv] [-w wait] [-m max_ttl] [-M min_ttl] [-P proto]
[-p port#] [-q nqueries] [-t tos] [-s src_addr] [-g gateway]
host [data_size]
[jw@llama] (~):
Specifying a hostname with these switches also works without a seg. fault.
Cooper <Cooper@Linuxfan.com>:
Slackware 4.0 and 7.0 both use a traceroute that I can't seem to get
version information out of via command line switches, but a quick
"strings `which traceroute` | more" revealed this little piece of info:
@(#) Copyright (c) 1990, 1993
The Regents of the University of California. All rights
reserved.
@(#)traceroute.c 8.1 (Berkeley) 6/6/93
It doesn't know the -g switch, but doesn't segfault when you supply
multiple instances of an existing switch.
At least for as far as this bug is concerned, Slack is safe.
A Guy Called Tyketto <tyketto@wizard.com>:
I can also confirm that Slackware 7.0 and 7.1 are not affected by
this, as they still do not have a -g option.
I have also tested this on the following machines, and received no
error:
AIX 4.0: traceroute -g 1 -g 1 returns unknown host 1.
FreeBSD 3.3: traceroute -g 1 -g 1 returns the usage and command line
flags.
Digital Unix 3.2: as above, tries to traceroute to 0.0.0.1.
The only machine I have access to that IS vulnerable to this is
Solaris 2.5.1. traceroute -g 1 -g 1 returns 'Bus error'. There may be others,
but these I have tried so far. YMMV.
Tony_Jeffries@Consultec-inc.com:
I tested this on a Mandrake 7.0 machine, and it segfaults there, too. Not a
surprise, since Mandrake is based on Red Hat.
"Dehner, Ben" <Btd@valmont.com>:
For HP-UX 10.20 and 11.00:
Traceroute -g 1 -g 1 attempts to traceroute to 0.0.0.1; not apparently
vulnerable.
Joey Maier <maierj@home.com>:
Perhaps the Slackware version is different than the Red Hat version.
========================================================
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
login: jmaier
Password:
Last login: Fri Sep 29 10:47:46 from cypress
[jmaier@tick jmaier]$ /usr/sbin/traceroute -g 1 -g 1
Segmentation fault
[jmaier@tick jmaier]$
Kris Kennaway <kris@FreeBSD.org>:
Safe: All versions of FreeBSD
Martin Ferrari <mferrari@decidir.net>:
I've executed /usr/sbin/traceroute -g 1 -g 1 on Mandrake 7.1, and it
crashes.
Gossi The Dog <gossi@owned.lab6.com>:
Cobalt Linux 5.0, with all security patches released on ftp.cobalt.com:
[gossi@owned gossi]$ /usr/sbin/traceroute -g 1 -g 1
Segmentation fault
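Added note, not part of Elias Levy's digest or of any responder's message: the Debian changelog entry quoted above attributes the crash to free(3) being called on memory that did not come from malloc(3). The C program below is a hypothetical model of that defect class, not traceroute's source: a gateway list whose storage starts in a static buffer and moves to the heap as repeated -g options are added. The heap_owned flag is the check that keeps the static buffer from ever reaching free(). Every name in it (gwlist, gwlist_add, parse_gateways, default_buf, MAX_GATEWAYS) is invented for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GATEWAYS 8   /* hypothetical cap on -g arguments */

/* Hypothetical gateway list (not traceroute's real data structure):
 * storage begins in a static buffer and moves to the heap on growth. */
struct gwlist {
    char *buf;        /* comma-separated gateway names */
    size_t cap;       /* bytes available at buf */
    int heap_owned;   /* 1 if buf came from malloc(3), 0 if it is the static default */
};

static char default_buf[32];   /* static storage: must never be passed to free(3) */

void gwlist_init(struct gwlist *g)
{
    default_buf[0] = '\0';
    g->buf = default_buf;
    g->cap = sizeof default_buf;
    g->heap_owned = 0;
}

/* Append one gateway, growing storage when needed. Returns 0 on success, -1 on failure. */
int gwlist_add(struct gwlist *g, const char *gw)
{
    size_t used = strlen(g->buf);
    size_t need = used + strlen(gw) + 2;          /* separator + terminator */
    if (need > g->cap) {
        size_t newcap = g->cap * 2 > need ? g->cap * 2 : need;
        char *nb = malloc(newcap);
        if (nb == NULL)
            return -1;
        memcpy(nb, g->buf, used + 1);
        /* The check that matters: only release storage this list actually owns.
         * An unconditional free(g->buf) here would hand the static buffer to
         * free(3) on a later -g, which is the defect class the Debian
         * changelog describes. */
        if (g->heap_owned)
            free(g->buf);
        g->buf = nb;
        g->cap = newcap;
        g->heap_owned = 1;
    }
    if (used > 0)
        strcat(g->buf, ",");
    strcat(g->buf, gw);
    return 0;
}

void gwlist_free(struct gwlist *g)
{
    if (g->heap_owned)
        free(g->buf);
    gwlist_init(g);
}

/* Walk argv and collect every "-g gateway" pair.
 * Returns the number of gateways collected, or -1 on a malformed option. */
int parse_gateways(int argc, char **argv, struct gwlist *g)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-g") != 0)
            continue;                              /* other options ignored in this model */
        if (i + 1 >= argc || n >= MAX_GATEWAYS)
            return -1;
        if (gwlist_add(g, argv[++i]) != 0)
            return -1;
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    struct gwlist g;
    gwlist_init(&g);
    int n = parse_gateways(argc, argv, &g);
    if (n < 0) {
        fprintf(stderr, "usage: %s [-g gateway ...] host\n", argv[0]);
        gwlist_free(&g);
        return 1;
    }
    printf("%d gateway(s): %s\n", n, n > 0 ? g.buf : "(none)");
    gwlist_free(&g);
    return 0;
}
```

Compiled stand-alone, running it as `./a.out -g 1 -g 1 host` (the same argument pattern reported throughout this thread) prints the two gateways instead of crashing; short names stay in the static buffer, longer lists move to the heap, and the comment in gwlist_add marks the one line where dropping the ownership check would reproduce the symptom.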