Bugtraq mailing list archives
Re: riptrace.c
From: chris () NETMONGER NET (Christopher Masto)
Date: Thu, 8 Jan 1998 17:40:16 -0500
On Thu, Jan 08, 1998 at 03:19:03PM -0600, Aleph One wrote:
> More goodies from rootshell.com.
>
> http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c
>
> /*
>  * BSD 4.4 based routed trace file exploit
>  *
>  * (C) 1997 Rootshell [ http://www.rootshell.com/ ]
>  *
>  * <info () rootshell com>
>  *
>  * routed has the ability for a packet to be sent to the daemon that will
>  * turn on debug mode.  The packet is able to specify the file which is
>  * later opened without any checks being placed on that file open.
>  *
>  * Result:  You can append to any file on the filesystem.
>  *
>  * The following syscall is made AS ROOT.
>  *
>  * ftrace = fopen(file, "a");
>  *
>  * This is obviously a LARGE problem.
A cursory examination of the FreeBSD routed sources indicates...
input.c handles the command this way:
        case RIPCMD_TRACEON:
        case RIPCMD_TRACEOFF:
                /* verify message came from a privileged port */
                if (ntohs(from->sin_port) > IPPORT_RESERVED) {
                        msglog("trace command from untrusted port on %s",
                               naddr_ntoa(FROM_NADDR));
                        return;
                }
                if (aifp == 0) {
                        msglog("trace command from unknown router %s",
                               naddr_ntoa(FROM_NADDR));
                        return;
                }
                if (rip->rip_cmd == RIPCMD_TRACEON) {
                        rip->rip_tracefile[cc-4] = '\0';
                        set_tracefile((char*)rip->rip_tracefile,
                                      "trace command: %s\n", 0);
                } else {
                        trace_off("tracing turned off by %s\n",
                                  naddr_ntoa(FROM_NADDR));
                }
                return;
trace.c then has these checks in the set_tracefile function:
                /* Allow the file specified with "-T file" to be reopened,
                 * but require all other names specified over the net to
                 * match the official path.  The path can specify a directory
                 * in which the file is to be created.
                 */
                if (strcmp(filename, inittracename)
#ifdef _PATH_TRACE
                    && (strncmp(filename, _PATH_TRACE, sizeof(_PATH_TRACE)-1)
                        || strstr(filename,"../")
                        || 0 > stat(_PATH_TRACE, &stbuf))
#endif
                    ) {
                        msglog("wrong trace file \"%s\"", filename);
                        return;
                }

                /* If the new tracefile exists, it must be a regular file.
                 */
                if (stat(filename, &stbuf) >= 0
                    && (stbuf.st_mode & S_IFMT) != S_IFREG) {
                        msglog("wrong type (%#x) of trace file \"%s\"",
                               stbuf.st_mode, filename);
                        return;
                }

                fn = filename;
        }

        if (fn != 0) {
                n_ftrace = fopen(fn, "a");
                ...
This version seems to have come from SGI at some point.
--
= Christopher Masto = chris () netmonger net = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:info () netmonger net =
"... who'd want a lossy TIFF?" -- Kibo