SRT2003-TURKEY-DAY - *novelty* - detecttr.c Trace Route detection vulnerability
*gobble* *gobble*.
-KF
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research@xxxxxxxxxxxxx
Team Lead Contact kf@xxxxxxxxxxxxx
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number : SRT2003-TURKEY-DAY *Gobble* *Gobble*
Product : detecttr.c
Version : modified on 11.07.97
Vendor : baldor - http://phrack.org/show.php?p=51&a=3
Class : Remote
Criticality : Low
Operating System(s) : Linux, FreeBSD, and other POSIX-systems
Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com/research/advisories/SRT2003-TURKEY-DAY.txt
Basic Explanation
************************************************************************
High Level Description : detecttr has format strings issues.
What to do : properly format the syslog call and recompile.
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.
Low Level Description : Phrack Magazine Volume 7, Issue 51 which was
released on September 01, 1997 contained an article titled "Tools for
(paranoid ?) linux users" by an author known as baldor. This article was
featured as part of the "Line Noise" located in section 0x04 from article
03 of 17. In this article the author introduces a program for detecting
traceroute activity. You can find this program in a variety of places
including security archives, unix tool libraries, and search engines.
The program in question is detecttr.c and it contains a remotely
exploitable format strings issue. I have not yet decided if this was a
deliberately placed backdoor or if it was a simple coding mistake.
Either way...line 140 of detecttr.c is the problem child which leads to
potential exploitation. DNS libraries during the time the article was
written may have been ripe for easy exploitation of this issue. Passing
a hostname directly to syslog() without a format specifier is a bad idea
in most cases.
Work Around : Apply the below code change.
change syslog(LOG_NOTICE , buf);
to syslog(LOG_NOTICE , "%s" , buf);
Bugtraq URL : To be assigned.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales
department at sales@xxxxxxxxxxxxx for further information on how to
obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."