[2974] in bugtraq
ping
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Mon Jul 22 17:06:50 1996
Date: Sun, 21 Jul 1996 16:08:28 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Brian Mitchell <brian@saturn.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
There is a (somewhat difficult to exploit) security hole in the ping program
(NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based
unixes, but I have not checked.
pr_addr() has a buffer overflow which makes it possible to execute arbitrary
code. You do need a local account, unless you know someone on the system is
always doing a ping -v somehost, in which case it may be done remotely.
Here is the code in question:
/*
 * pr_addr --
 *	Return an ascii host address as a dotted quad and optionally with
 *	a hostname.
 *
 * (Snippet from ping.c; it relies on the file's <netdb.h>/<arpa/inet.h>
 * includes, the global `options' bitmask and the F_NUMERIC flag.)
 */
char *
pr_addr(l)
	u_long l;
{
	struct hostent *hp;
	static char buf[80];	/* fixed size, but h_name is not bounded to fit */

	if ((options & F_NUMERIC) ||
	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
	else
		/* Overflow: hp->h_name comes from the reverse-DNS (PTR) answer
		 * for the source address and can be far longer than 80 bytes;
		 * sprintf() does no bounds check. */
		(void)sprintf(buf, "%s (%s)", hp->h_name,
		    inet_ntoa(*(struct in_addr *)&l));
	return(buf);
}
This function is called when ping is running in -v mode (verbose) and it
receives a non-echo related icmp packet.
Something like this should take care of it, I would guess:
998c998
< (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
---
> (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr
*)&l));1000c1000
< (void)sprintf(buf, "%s (%s)", hp->h_name,
---
> (void)snprintf(buf, 75, "%s (%s)", hp->h_name,
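Review bot: the 998c998 hunk changes the branch that cannot overflow. inet_ntoa() yields at most 15 characters ("255.255.255.255") plus the NUL, so sprintf() into the 80-byte buf is safe there; the change is harmless, but if it is kept the bound should be sizeof(buf) rather than the magic 75.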
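Review bot: the 1000c1000 hunk is the one that matters, since hp->h_name is whatever the reverse-DNS answer contained and is not bounded by the 80 bytes of buf. snprintf() fixes the overflow, but the limit should be written as sizeof(buf) instead of 75: buf is declared as static char buf[80], so 75 throws away five bytes for no reason and silently goes wrong if the array is ever resized. Note also that snprintf() truncates silently, so an over-long name is cut off rather than flagged; for a display string that is acceptable, but worth a comment next to the call.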
Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
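The overflow described in the post, modelled offline as an added example (this is not code from the original post or from NetKit ping). Instead of calling gethostbyaddr(), the functions take the hostname that a reverse lookup would have returned in hp->h_name as a parameter; NULL models the F_NUMERIC / no-PTR branch. The 191-character PTR name is constructed here (three 63-byte labels, the longest DNS allows per label) and is not a real record. The block shows how many bytes the original sprintf() would write into the 80-byte buffer, and a bounded replacement that uses sizeof the buffer rather than a hard-coded constant:

```c
/* Added example, not part of the original Bugtraq post: models the
 * pr_addr() overflow in NetKit ping without touching the network. */
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PR_ADDR_BUFSZ 80   /* same size as ping's `static char buf[80]' */

/* Constructed attacker-controlled PTR name: three labels of 63 'a's joined
 * by dots (191 chars). Well within DNS limits, far beyond the 80-byte buf. */
static void attacker_ptr_name(char *out, size_t outsz)
{
    size_t pos = 0;
    for (int label = 0; label < 3 && pos + 64 < outsz; label++) {
        if (label)
            out[pos++] = '.';
        memset(out + pos, 'a', 63);
        pos += 63;
    }
    out[pos] = '\0';
}

/* Bytes (including the NUL) that the original sprintf() calls would write
 * for this (name, address) pair. `name' is what gethostbyaddr() would have
 * placed in hp->h_name; NULL stands for the numeric-only branch. */
static size_t pr_addr_needed(const char *name, in_addr_t addr)
{
    struct in_addr ia;
    ia.s_addr = addr;
    int n = name ? snprintf(NULL, 0, "%s (%s)", name, inet_ntoa(ia))
                 : snprintf(NULL, 0, "%s", inet_ntoa(ia));
    return (size_t)n + 1;
}

/* 1 if the original code would run past its 80-byte buffer, else 0. */
static int pr_addr_overflows(const char *name, in_addr_t addr)
{
    return pr_addr_needed(name, addr) > PR_ADDR_BUFSZ;
}

/* Hardened version: bounded by the real buffer size, always NUL-terminated,
 * truncating an over-long hostname instead of overflowing. The caller passes
 * the buffer so the function is reentrant (ping's original is static). */
static const char *pr_addr_fixed(const char *name, in_addr_t addr,
                                 char *buf, size_t bufsz)
{
    struct in_addr ia;
    ia.s_addr = addr;
    if (name)
        snprintf(buf, bufsz, "%s (%s)", name, inet_ntoa(ia));
    else
        snprintf(buf, bufsz, "%s", inet_ntoa(ia));
    return buf;
}

int main(void)
{
    char name[256], buf[PR_ADDR_BUFSZ];
    in_addr_t addr = inet_addr("10.0.0.1");   /* constructed source address */

    attacker_ptr_name(name, sizeof name);
    printf("PTR name length: %zu\n", strlen(name));
    printf("sprintf would write %zu bytes into %d (overflow: %d)\n",
           pr_addr_needed(name, addr), PR_ADDR_BUFSZ,
           pr_addr_overflows(name, addr));
    printf("numeric branch needs %zu bytes (overflow: %d)\n",
           pr_addr_needed(NULL, addr), pr_addr_overflows(NULL, addr));
    printf("fixed: \"%s\" (%zu chars)\n",
           pr_addr_fixed(name, addr, buf, sizeof buf), strlen(buf));
    return 0;
}
```

The numeric branch can never exceed 16 bytes, which is why only the hostname branch of the original is exploitable; the hardened call uses sizeof buf rather than the 75 in the posted patch so the bound cannot drift from the declaration.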