Format String bug in TrACESroute 6.0 GOLD
From: DownBload <downbload () hotmail com>
Date: 6 Jun 2002 20:13:39 -0000

           DownBload Security Research Lab Advisory
Advisory name: format string bug in TrACESroute 
Advisory number: 4
Application: TrACESroute (traceroute program)
Version affected: 6.0 GOLD, and probably previous versions      
Date: 04.6.2002 
Impact: local user can gain root access 
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: downbload () hotmail com

TrACESroute is just another traceroute program. It uses raw sockets, which
require root privileges, so the binary is installed with the suid bit set.

TrACESroute is vulnerable to a format string bug. This piece of code causes it:

Test for this format string bug with (the -T value is used as the format string):
./traceroute -T %s%s%s localhost

If your users don't need traceroute, remove the suid bit from it (chmod u-s),
or patch the source:
Replace this: 
With this:
terminator is the variable that holds the line-terminator characters; the user
sets it with the -T option, and it is passed to Fprintf as the format string,
so the user controls the format. Fprintf is just a macro:
#define Fprintf (void)fprintf.
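The following is an added example, not code from TrACESroute or from the advisory author. It shows the bug pattern the advisory describes (a user-controlled terminator string handed to a printf-family function as the format) beside the hardened form that passes the same string as data under a fixed "%s" format, plus a parse-time check that rejects any '%' directive in a terminator. The function names render_unsafe, render_safe and has_format_directive, the wrapper's exact shape, and the sample -T values are assumptions. The unsafe path is exercised only with "%%", which consumes no argument, so the program is well-defined; feeding it "%s%s%s" is exactly the undefined behaviour the advisory's test command triggers.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The advisory says TrACESroute wraps fprintf with this macro. */
#define Fprintf (void)fprintf

/* Vulnerable pattern (hypothetical wrapper, not TrACESroute's code): the
 * caller hands the user-controlled terminator in as the FORMAT argument.
 * Every conversion in it is interpreted: %s/%x read from the stack, %n
 * writes to memory. In a setuid-root binary that is a local root hole.
 * Any argument-consuming conversion without a matching argument is
 * undefined behaviour, which is what "-T %s%s%s" triggers. Because this
 * wrapper carries no format attribute, gcc -Wformat-security stays silent
 * at the call site; adding __attribute__((format(printf, 3, 4))) makes
 * the compiler flag it. */
static int render_unsafe(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Hardened form: the terminator is data, the format is a fixed literal. */
static int render_safe(char *out, size_t n, const char *terminator)
{
    return snprintf(out, n, "%s", terminator);
}

/* Optional belt-and-braces check at option parsing: a line terminator has
 * no business carrying printf directives. "%%" is a literal percent and is
 * allowed; any other '%' (including a lone trailing one) is rejected. */
static bool has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        return true;            /* "%s", "%x", "%n", or a trailing '%' */
    }
    return false;
}

int main(void)
{
    char buf[64];
    /* Constructed stand-ins for values given to -T. */
    const char *hostile = "%s%s%s";
    const char *escaped = "%%";

    /* Safe path: the hostile string is printed verbatim, nothing interpreted. */
    render_safe(buf, sizeof buf, hostile);
    Fprintf(stdout, "safe   -> \"%s\"\n", buf);

    /* Unsafe path, shown only with "%%" because it consumes no argument:
     * the output is a single '%', proof the terminator is used as format. */
    render_unsafe(buf, sizeof buf, escaped);
    Fprintf(stdout, "unsafe -> \"%s\"\n", buf);

    /* The check rejects the advisory's test string before it reaches printf. */
    Fprintf(stdout, "reject \"%s\": %s\n", hostile,
            has_format_directive(hostile) ? "yes" : "no");
    return 0;
}
```

The fix the advisory asks for is the render_safe shape: keep the format a literal and pass user data as an argument. The has_format_directive check is extra defence, useful where the same string is later handed to other printf-family calls you have not audited.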

More problems
There are probably more bugs in TrACESroute. I saw lots of strcpy,
sprintf etc., but I don't have time to check them.

An exploit will be released soon (I hope so :).

Greetz goes to #hr.hackers, and to all my real and virtual friends.     
Special greetz goes to BoyScout, h4z4rd, fi and Fr1c.

PS. Sorry for my bad (broken) English.
