[28078] in bugtraq


RE: Exploit for traceroute-nanog overflow

daemon@ATHENA.MIT.EDU (Carl Livitt)
Mon Dec 2 16:43:23 2002

Content-Type: text/plain;
  charset="us-ascii"
From: Carl Livitt <carl@learningshophull.co.uk>
To: bugtraq@securityfocus.com
Date: Mon, 2 Dec 2002 18:36:26 +0000
MIME-Version: 1.0
Message-Id: <200212021836.27098.carl@learningshophull.co.uk>
Content-Transfer-Encoding: 8bit


Hi all,

Further to my email posting a working exploit for traceroute-nanog on SuSE 
boxes, it would appear that the patch provided by SuSE does not address the 
overflow my exploit... um... exploits.

On a patched SuSE 7.2 box:

carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
traceroute-6.1.1-0
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
Now run this exploit with the '-e' flag.
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte packets
 1 sh-2.05$ id
uid=500(carl) gid=100(users) groups=100(users)
sh-2.05$

Note that traceroute now drops root privileges (properly; there is no way to 
get them back), so even though it is still possible to execute arbitrary code 
via a stack overflow, it cannot be done as root.

Of course, if an attacker could control the server that traceroute uses to 
look up DNS admin contact names, then it would be possible to exploit this 
flaw remotely. However, the default server used by traceroute is 'localhost', 
which makes this almost impossible to exploit in any other way except locally 
on an unpatched system.

Cheers,
Carl.
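As an added illustration of the mitigation described in the post above (this is example code, not code from traceroute-nanog or from the SuSE patch): a C routine that drops root the irrevocable way and then checks that setuid(0) fails afterwards, which is exactly the property that turns a stack overflow in the program from a root shell into an unprivileged one. The uid/gid 65534 used for the root case is an assumed "nobody" id.

```c
/* Added example, not code from traceroute-nanog or SuSE's patch: drop root
 * permanently, as the post says the patched traceroute now does, and verify
 * that it really cannot be regained. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the process is unprivileged and setuid(0) fails with EPERM, which it
 * only does once the saved set-user-ID is no longer 0 ("no way back"). */
int privileges_are_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)          /* regained root: saved uid was still 0 */
        return 0;
    return errno == EPERM;
}

/* Drop to uid/gid irrevocably. Order matters: supplementary groups and gid
 * first (they need root), then uid. setuid() as root sets the real, effective
 * and saved uid together, so there is no path back. 0 on success, else -1. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && !privileges_are_dropped()) {   /* verify, don't trust */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* As root: drop to 65534 (assumed "nobody"). Unprivileged: the drop is a no-op but the check still applies. */
    int root = getuid() == 0;
    uid_t uid = root ? (uid_t)65534 : getuid();
    gid_t gid = root ? (gid_t)65534 : getgid();
    if (drop_privileges_permanently(uid, gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("uid=%u euid=%u, root regainable: %s\n", (unsigned)getuid(),
           (unsigned)geteuid(), privileges_are_dropped() ? "no" : "yes");
    return 0;
}
```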
