[26283] in bugtraq
Re: Nanog traceroute format string exploit.
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Jul 24 14:33:07 2002
Date: Wed, 24 Jul 2002 14:43:11 +0200
From: Olaf Kirch <okir@suse.de>
To: SpaceWalker <spacewalker@minithins.net>
Cc: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Message-ID: <20020724144310.F7080@suse.de>
In-Reply-To: <20020721140924.2584c3cf.spacewalker@minithins.net>
On Sun, Jul 21, 2002 at 02:09:24PM +0200, SpaceWalker wrote:
> -This exploit will never be used to haxor something because I never
> saw this traceroute used by default
Well, SuSE has been using Nanog traceroute for ages; at least
since 7.0 but probably longer.
OTOH, the bug isn't very new either. The nktib package in SuSE Linux
7.0 has a patch for this vulnerability dated 2000/10/03 14:12:43.
Finally, let me remark that your exploit has a minor bug in detecting
vulnerable versions. Using the attached patch it will properly
recognize patched versions of traceroute :)
Cheers
Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
[Attachment: exp.fix]
--- main.c Wed Jul 24 14:41:38 2002
+++ tracerouteexp/main.c Sun Jul 21 14:04:48 2002
@@ -266,7 +266,7 @@
readbuf[lus]=0;
if(insaneverbose)
printf("*** result of first try : %s\n",readbuf);
- if(strstr(readbuf,"%x%x%x%x")){
+ if(strstr(readbuf,"%x%x%x%x%x")){
printf("*** fatal : This version is patched\n");
exit(-1);
}
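Review bot: the file headers show this diff was generated in the reverse direction, so applying the hunk as-is undoes the fix rather than making it: the `---` (old) side is `main.c` dated Wed Jul 24 14:41:38 2002, the day of this reply, while the `+++` (new) side is `tracerouteexp/main.c` dated Sun Jul 21 14:04:48 2002, the exploit's original source. Read forward, the hunk replaces `if(strstr(readbuf,"%x%x%x%x")){` with `if(strstr(readbuf,"%x%x%x%x%x")){`, which is the original check, not the corrected one. Either regenerate the diff with the two arguments swapped or tell readers to apply it with `patch -R`; either way, also note the `-p` level, since the two paths (`main.c` versus `tracerouteexp/main.c`) do not match and `patch` will prompt for the file. The intended fix is the `-` line: strstr is a substring match, so any output containing five consecutive `%x` also contains four, which makes the four-repeat pattern strictly the looser test and the only one of the two that can cause more builds to be reported as patched, as the cover note says it should.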
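The version check the attached patch adjusts only works because of how a format-string bug behaves, so here is an added example in C, written for this page and not code from the exploit or from Nanog traceroute: a stand-in for the bug class, with the vulnerable and the fixed way of printing an attacker-chosen host name side by side, plus a probe in the exploit's style that sends a run of `%x` as the target name and treats a literal echo as the sign that the binary is patched. The function names, `PROBE_HOST` and the "traceroute to" message are assumptions made for the example; the real traceroute's message format and the exploit's exact probe string are not shown on this page.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SZ 256
/* What the probe sends as the target name (an assumption for this example;
 * the exploit's real probe string is not shown on the page). */
#define PROBE_HOST "%x%x%x%x%x"

/* Vulnerable pattern: the attacker-chosen host name is used as the format
 * string itself, so each %x consumes a stack/register value and a %n would
 * write through one. The warnings are silenced on purpose to keep the bug. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void announce_vulnerable(const char *host, char *out, size_t outsz)
{
    char name[LINE_SZ];
    snprintf(name, sizeof name, host);        /* BUG: host is the format */
    snprintf(out, outsz, "traceroute to %s", name);
}
#pragma GCC diagnostic pop

/* Fixed pattern: host is data under a fixed "%s" format, so a name of
 * "%x%x%x%x%x" is printed back exactly as received. */
void announce_fixed(const char *host, char *out, size_t outsz)
{
    snprintf(out, outsz, "traceroute to %s", host);
}

/* Does output contain n consecutive literal "%x"? Because strstr is a
 * substring search, a shorter run is the looser test: anything that
 * contains five "%x" in a row also contains four, but not the reverse. */
int contains_x_run(const char *output, int n)
{
    char pat[64] = "";
    int i;

    if (n < 1 || n > 30)
        return 0;
    for (i = 0; i < n; i++)
        strcat(pat, "%x");
    return strstr(output, pat) != NULL;
}

/* The version check in the shape the hunk shows: send the probe, and if a
 * run of run_len literal "%x" comes back the target treated the name as
 * data, i.e. it is patched. Returns 1 = patched, 0 = vulnerable. */
int probe_says_patched(void (*announce)(const char *, char *, size_t),
                       int run_len)
{
    char out[LINE_SZ];

    announce(PROBE_HOST, out, sizeof out);
    return contains_x_run(out, run_len);
}

/* Did any '%' survive in the output at all? 1 means the probe was echoed
 * literally, i.e. no directive in it was interpreted. */
int probe_echoed_literally(void (*announce)(const char *, char *, size_t))
{
    char out[LINE_SZ];

    announce(PROBE_HOST, out, sizeof out);
    return strchr(out, '%') != NULL;
}

int main(void)
{
    char out[LINE_SZ];

    announce_vulnerable(PROBE_HOST, out, sizeof out);
    printf("vulnerable build: %s\n", out);
    announce_fixed(PROBE_HOST, out, sizeof out);
    printf("patched build:    %s\n", out);
    printf("probe (4x) calls vulnerable build patched: %d\n",
           probe_says_patched(announce_vulnerable, 4));
    printf("probe (4x) calls patched build patched:    %d\n",
           probe_says_patched(announce_fixed, 4));
    return 0;
}
```

Build with `cc -o probe probe.c` and run it: the vulnerable build prints a run of hex digits where the `%x`s were, the fixed build prints them back unchanged. `contains_x_run` makes the point behind the patch visible as well: a four-repeat pattern matches everything a five-repeat pattern does and more, so shortening the pattern is the direction that makes a check accept more outputs as patched. The vulnerable path is genuine undefined behaviour (it reads whatever the calling convention leaves in the variadic slots), so keep the probe to `%x` and never put `%n` or `%s` in it when trying this against a real binary.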