BugTraq
TracerouteNG - never ending story Nov 28 2002 03:51PM
Paul Starzetz (paul starzetz de) (1 replies)
Re: TracerouteNG - never ending story Dec 04 2002 10:22AM
Thomas Biege (thomas suse de)
> Hi everyone,

Hi.

> I want to provide some additional information about the recently
> discovered traceroute-ng flaw. I decided to disclose the details right
> now because I do not believe that the flaw is easily exploitable.
>
>
> 1) The vulnerability.
>
> The patch provided by vendors like SuSE is not sufficient. It only
> closed one of at least 3 different holes.

Ok, let's see...

> Hole #1 : (closed in the recent patch)
> --------------------------------------

As you already said: It's fixed.

thomas@Wintermute:~> /usr/sbin/traceroute -P -q 1 -n $(perl -e 'print"0"x13000')127.0.0.1
traceroute to 000000000000000000000000000000000000000000000000000000000000000 (87.0.0.1), 30 hops max, 40 byte packets
1 172.16.0.1 1 ms
2 145.253.1.203 21 ms
3 145.253.16.65 29 ms
4 145.254.12.13 38 ms
5 145.254.12.53 46 ms
thomas@Wintermute:~>

> Hole #2 :
> ---------
>
> (gdb) r -P -q 1 -n -S -999999 -m 0 localhost

It's fixed now.

> Hole #3:
> --------
>
> Just run with the following arguments:
>
> (gdb) r -P -q 999 -n localhost

Does not seem to work.

thomas@Wintermute:~> /usr/sbin/traceroute -P -q 999 -n localhost
nprobes must be >0 and <= 256
thomas@Wintermute:~>

> So one can overwrite consecutive memory blocks of type
>
> struct {
> u_long dport; /* check for matching dport */
> u_char ttl; /* ttl we sent it to */
> u_char type; /* icmp response type */
> struct timeval out; /* time packet left */
> struct timeval rtn; /* time packet arrived */
> struct sockaddr_in from; /* whom from */
> } spray;
>
> starting at the address of 'spray' (which is again located in the heap)
> with the values stored in out, dport, ttl. So far as I looked at this,
> nothing really sensible can be overwritten this way. Two candidates are:
>
> [a] the socket descriptor s, which is later used by FD_SET (instant
> memory writer... :-)

The only FD_SET() I found:
FD_SET(sock, &fds);

Socket s occurs here:
s = socket(AF_INET, SOCK_RAW, pe->p_proto) // ICMP socket
and here:
s = socket(hp->h_addrtype, SOCK_STREAM, 0)

So, can you be more precise on this?

> - (un)fortunately the system time is stored in s by
> overflowing the spray array :-)

?

> Summary
> -------
>
> There are still vulnerabilities in the traceroute-ng package which may
> lead to a local root compromise, depending on the actual OS it is running on.

traceroute-nanog drops root privileges right after allocating the raw ip-
and the raw icmp-socket. So, the attacker does not get root privileges.

> Anyway, in my opinion the code of traceroute-ng breaks with many
> fundamental secure coding practices, it is hard to believe that such
> crap has been included on major distributions carrying the suid bit.

It uses setuid() and isn't shipped anymore since 8.1.

---

And now the things Carl Livitt <carl (at) learningshophull.co (dot) uk> found.

> while ((n = read(s, buf, sizeof(buf))) > 0) {
> strcpy((char *)&reply[count],(char *)buf);
> count += n;
> }

This one is already fixed.

> strncpy(tmp4,i,(j-i)); // OVERFLOW
> tmp4[j-i] = '\0';

This buffer overflow was already found by Sebastian Krahmer
<krahmer (at) suse (dot) de>. The fix is included in the upcoming traceroute-nanog
security update.

Bye,
Thomas
--
Thomas Biege <thomas (at) suse (dot) de>
SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--

Over thinking, Over analyzing, separates the body from the mind.
- Maynard James Keenan
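The range check that the patched binary's output above shows ("nprobes must be >0 and <= 256"), written out as an added C example that is not code from traceroute-nanog or from either poster: the -q argument is parsed as a whole number, clamped to the array size, and the per-probe `spray` array is only reached through a bounds-checked lookup. MAXPROBES, the function names and the lookup helper are assumptions; the struct layout is the one quoted in the thread.

```c
/* Added example (not traceroute-nanog code): validate -q before it can
 * index the spray array. The 1..256 bound comes from the thread's error
 * message; MAXPROBES and the helper names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <netinet/in.h>

#define MAXPROBES 256            /* assumed size of spray[], matches "<= 256" */

struct probe {                   /* layout as quoted in the thread */
    unsigned long dport;         /* u_long: check for matching dport */
    unsigned char ttl;           /* u_char: ttl we sent it to */
    unsigned char type;          /* u_char: icmp response type */
    struct timeval out;          /* time packet left */
    struct timeval rtn;          /* time packet arrived */
    struct sockaddr_in from;     /* whom from */
};

static struct probe spray[MAXPROBES];

/* Parse a decimal argument and require lo <= value <= hi. Returns 0 on
 * success, -1 for "", trailing junk ("12abc"), overflow or out-of-range. */
int parse_bounded_long(const char *arg, long lo, long hi, long *out)
{
    char *end;
    long v;
    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* -q handling: the validated probe count, or -1 (so 999, 0 and
 * -999999 are all rejected, like the patched binary does). */
int nprobes_from_arg(const char *arg)
{
    long n;
    if (parse_bounded_long(arg, 1, MAXPROBES, &n) != 0) {
        fprintf(stderr, "nprobes must be >0 and <= %d\n", MAXPROBES);
        return -1;
    }
    return (int)n;
}

/* Bounds-checked slot lookup: NULL instead of writing past spray[]. */
struct probe *probe_slot(int nprobes, int idx)
{
    if (nprobes < 1 || nprobes > MAXPROBES || idx < 0 || idx >= nprobes)
        return NULL;
    return &spray[idx];
}
```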
