TrACESroute Utility Format String Hole May Let Local Users Gain Root Access
SecurityTracker Alert ID: 1004481
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 6 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Description: A format string vulnerability was reported in the 'trACESroute' version of traceroute. A local user can execute arbitrary shell commands, possibly with root level privileges.
It is reported that trACESroute makes an unsafe fprintf() call without supplying a format string of its own and without filtering the user-supplied input, so the user-supplied value is itself interpreted as the format string. As a result, a local user can supply certain command line arguments to cause the utility to execute arbitrary code.
Because trACESroute uses raw sockets, it can only be executed by root level users. According to the report, it is often configured with set user id (suid) root privileges so that unprivileged local users can execute it.
A demonstration exploit command is provided:
./traceroute -T %s%s%s localhost
The author of the report warns that there may be other similar flaws in the program.

Impact: A local user may be able to execute arbitrary shell code on the system with root level privileges.
Solution: No solution was available at the time of this entry.
The author of the report recommends that if traceroute functionality is not needed, you can remove the suid bit from it. Alternately, you can make the following code change, which passes the user-controlled value as a string argument rather than as the format:
From:
...
Fprintf(stdout,terminator);
...
To:
...
Fprintf(stdout,"%s",terminator);
...
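To make the recommended change concrete, here is an added example written for this page; it is not TrACESroute's code and not part of DownBload's advisory. It contains the safe form of the call from the Solution above (the same fix the source message below recommends) together with a small audit helper that counts conversion directives in a value, the property that makes a user-controlled string dangerous when it reaches the format parameter. The function names count_format_directives, print_terminator_safe and safe_output_is_literal and the sample -T values are assumptions made for the example.

```c
/* Added example for this page; not TrACESroute's code. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s. "%%" is a literal percent
 * sign and is not counted. A non-zero result for a value that is about to be
 * used as the *format* argument of fprintf() is exactly the defect the
 * advisory describes; a review or fuzz harness can flag it this way. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                    /* any other '%' begins a conversion directive */
    }
    return n;
}

/* The corrected pattern: terminator comes from the -T option, so it is data
 * and must be printed through a fixed format. fputs(terminator, out) would be
 * the equally correct idiomatic alternative. */
int print_terminator_safe(FILE *out, const char *terminator)
{
    return fprintf(out, "%s", terminator);
}

/* Print terminator with the safe function into a temporary file, read it
 * back, and report whether the output is the literal input (1) or not (0).
 * With the safe form the directives are never interpreted, so "%s%s%s"
 * comes back unchanged. */
int safe_output_is_literal(const char *terminator)
{
    char buf[256];
    FILE *tmp = tmpfile();
    if (tmp == NULL)
        return 0;
    print_terminator_safe(tmp, terminator);
    rewind(tmp);                              /* flushes and seeks to start */
    size_t n = fread(buf, 1, sizeof buf - 1, tmp);
    buf[n] = '\0';
    fclose(tmp);
    return strcmp(buf, terminator) == 0;
}

int main(void)
{
    /* Constructed sample -T values: the advisory's test string, a value with
     * an escaped percent, and a harmless plain terminator. */
    const char *samples[] = { "%s%s%s", "100%%", "done" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("-T %-8s directives=%d literal_when_printed_safely=%s\n",
               samples[i], count_format_directives(samples[i]),
               safe_output_is_literal(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The audit helper is deliberately simple: it only answers "does this value contain directives", which is enough to flag any call site where such a value is passed as a format. Compilers can catch the same defect at build time when the format argument is a non-literal (GCC and Clang's -Wformat-security), which is the cheaper check to add to the build of any setuid program.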
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: DownBload <downbload@hotmail.com>
Message History: None.
Source Message Contents
Date: 6 Jun 2002 20:13:39 -0000
From: DownBload <downbload@hotmail.com>
Subject: Format String bug in TrACESroute 6.0 GOLD
DownBload Security Research Lab Advisory
--------------------------------------------------------------------
Advisory name: format string bug in TrACESroute
Advisory number: 4
Application: TrACESroute (traceroute program)
Version affected: 6.0 GOLD, and probably previous versions
Date: 04.6.2002
Impact: local user can gain root access
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: downbload@hotmail.com
Overview
--------
TrACESroute is just another traceroute program. TrACESroute uses RAW SOCKET,
so it must be run under the root account, and because of that, traceroute
usually has the suid bit attached.
Problem
-------
TrACESroute is vulnerable to a format string bug. This piece of code causes
the bug:
...
Fprintf(stdout,terminator);
...
Example
-------
Test this format string bug with:
./traceroute -T %s%s%s localhost
Solution
--------
If your users don't need traceroute, remove the suid bit from it, or:
Replace this:
...
Fprintf(stdout,terminator);
...
With this:
...
Fprintf(stdout,"%s",terminator);
...
Terminator is a variable which can contain line-terminator chars. It can be
changed with the -T option. Fprintf is just -> #define Fprintf (void)fprintf.
More problems
-------------
There are probably more bugs in TrACESroute. I saw lots of strcpy,
sprintf etc., but I don't have time to check it.
Exploit
-------
Exploit will be released soon (I hope so :).
Greetz
------
Greetz goes to #hr.hackers, and to all my real and virtual friends.
Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.
PS. Sorry for my bad (broken) English.