Re: Very interesting traceroute flaw
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Sat, 30 Sep 2000 14:10:53 -0700
Batch of responses in this thread.
Felix Kronlage <fkr () grummel net>:
OpenBSD 2.7-stable (patch_branch): safe
OpenBSD 2.8-beta: safe
jura <jura () technolust cx>:
Redhat 6.0 is affected as well (using ver. traceroute-1.4a5-16)
Carl Brock Sides <csides () autozone com>:
For Debian users:
Affected: 1.4a5-2 (distributed with Potato)
Safe: 1.4a5-3 (distributed with Woody)
According to the Debian changelog:
traceroute (1.4a5-3) stable unstable; urgency=low
* Fixed a bug where free(3) was called on non-malloced memory.
"Venkat RK Reddy" <vpothams () cisco com>:
It seems Caldera (at least 2.4 e server) has the faulty version. It readily
produces seg fault.
Jerry Walsh <jerry () aardvark ie>:
For the record, FreeBSD 3.5 isn't vulnerable
[jw () llama] (~): traceroute -g 1 -g 1
Usage: traceroute [-dnrv] [-w wait] [-m max_ttl] [-M min_ttl] [-P proto]
[-p port#] [-q nqueries] [-t tos] [-s src_addr] [-g gateway]
[jw () llama] (~):
Specifying a hostname with these switches also works without a seg. fault.
Cooper <Cooper () Linuxfan com>:
Slackware 4.0 and 7.0 both use a traceroute that I can't seem to get
version information out of via command line switches, but a quick
"strings `which traceroute` | more" revealed this little piece of info:
@(#) Copyright (c) 1990, 1993
The Regents of the University of California. All rights
@(#)traceroute.c 8.1 (Berkeley) 6/6/93
It doesn't know the -g switch, but doesn't segfault when you supply
multiple instances of an existing switch.
At least for as far as this bug is concerned, Slack is safe.
A Guy Called Tyketto <tyketto () wizard com>:
I can also confirm that Slackware 7.0 and 7.1 are not affected by
this, as they still do not have a -g option.
The following machines, I have also tested this on, and receive no
AIX 4.0: traceroute -g 1 -g 1 returns unknown host 1.
FreeBSD 3.3: traceroute -g 1 -g 1 returns the usage and command line
Digital Unix 3.2: as above, tries to traceroute to 0.0.0.1.
The only machine I have access to that IS vulnerable to this, is
Solaris 2.5.1. traceroute -g 1 -g 1 returns 'Bus error'. There may be others,
but these I have tried so far. YMMV.
Tony_Jeffries () Consultec-inc com:
I tested this on a Mandrake 7.0 machine, and it segfaults there, too. Not a
surprise, since Mandrake is based on Red Hat.
"Dehner, Ben" <Btd () valmont com>:
For HP-UX 10.20 and 11.00:
Traceroute -g 1 -g 1 attempts to traceroute to 0.0.0.1; not apparently
Joey Maier <maierj () home com>:
Perhaps the slackware version is different than the redhat version.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
Last login: Fri Sep 29 10:47:46 from cypress
[jmaier () tick jmaier]$ /usr/sbin/traceroute -g 1 -g 1
[jmaier () tick jmaier]$
Kris Kennaway <kris () FreeBSD org>:
Safe: All versions of FreeBSD
Martin Ferrari <mferrari () decidir net>:
I've executed /usr/sbin/traceroute -g 1 -g 1 on Mandrake 7.1, and it
Gossi The Dog <gossi () owned lab6 com>:
Cobalt Linux 5.0, with all security patches released on ftp.cobalt.com:
[gossi () owned gossi]$ /usr/sbin/traceroute -g 1 -g 1