Vulnerability Development mailing list archives
Re: Local root through vulnerability in ping on linux.
From: Martin MaD Douda <martin () DOUDA NET>
Date: Mon, 21 Aug 2000 17:36:55 +0200
I've looked at RedHat 6.2 ping's behavior:
$ ping -c 1 -s 65690 localhost
Error: packet size 65690 is too large. Maximum is 65507
/* so no security issue here - does not segfault as regular user - it
was reported */
# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
/* There is some error somewhere - it was reported */
# strace ping -c 1 -s 65690 localhost
execve("/bin/ping", ["ping", "-c", "1", "-s", "65690", "localhost"], [/* 22 vars */]) = 0
[snip]
write(2, "WARNING: packet size 65690 is to"..., 58WARNING: packet size 65690 is too large. Maximum is 65507
) = 58
brk(0x8070000) = 0x8070000
getpid() = 19319
fstat64(0x1, 0xbffff1d4) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
/* Nothing really interesting & surprising from strace, let's go on... */
# ltrace ping -c 1 -s 65690 localhost
__libc_start_main(0x08048e34, 6, 0xbffffaf4, 0x08048a1c, 0x0804b0bc <unfinished ...>
[snip]
perror("ping: sendto") = <void>
ping: sendto: No buffer space available
printf("ping: wrote %s %d chars, ret=%d\n",
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 65698, -1) = 33
recvfrom(3, 0x0805e1a8, 65826, 0, 0xbffffa24 <unfinished ...>
--- SIGINT (Interrupt) ---
/* here it was waiting for Ctrl-C or timeout */
sigaction(14, 0xbffff5e4, 0, 12, 65826) = 0
_IO_putc('\n', 0x4011f980) = 10
fflush(0x4011f980PING (127.0.0.1) from 127.0.0.1 : 65690(65718) bytes of data.
ping: wrote 65698 chars, ret=-1
) = 0
printf("--- %s ping statistics ---\n",
"EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"...) = 25
printf("%ld packets transmitted, ", 1) = 23
printf("%ld packets received, ", 0) = 20
printf("%d%% packet loss", 100) = 16
_IO_putc('\n', 0x4011f980) = 10
exit(1) = <void>
__deregister_frame_info(0x0804d00c, 0xbffff660, 0x0804b0d1, 0x401211ec, 0xbffff674) = 0x0804d1b4
--- ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
+++ exited (status 1) +++
Ping does not fail when ltraced. It correctly sends the packet (and this
packet does not return, IMHO due to ICMP packet size limits).
I think the kernel is not suspicious anymore.
And it is either a ping or libc bug, not a security issue.
My system is RedHat 6.2 with 2.4.0-test7-pre3+reiserfs. The kernel is the only
(relevant) thing modified from original RH6.2.
glibc is 2.1.3-15
iputils (where ping lives) is 20000121-2 - looks like some development
version? sounds like a suspicious development version?
Martin
--------------------------------------------------------------------------------
Martin "MaD" Douda
WEB:http://martin.douda.net/ EMAIL:martin () douda net
SMS:mad () gate mobil cz (up to 160 characters) PHONE:+420603752779
PGP:ID=0x6FE43023 Fingerprint:E495 11DA EF6E 0DD6 965A 54F3 888E CC9E 6FE4 3023
--------------------------------------------------------------------------------
If the automobile had followed the same development cycle as the computer, a
Rolls-Royce today would cost $100, get a million miles to the gallon, and
explode once a year, killing everyone inside.
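The privilege-dependent size check that the two runs above exhibit, beside a hardened version, as an added C example that is not the iputils source: the constants, the check_size_* and build_probe names and the fill pattern are assumptions, while the 65507 limit and the 65698/65718 lengths are the values printed in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_MAXPACKET 65535u           /* largest IPv4 datagram (total length field) */
#define IP_HDRLEN    20u              /* IPv4 header without options */
#define ICMP_HDRLEN  8u               /* ICMP echo header */
#define MAX_PAYLOAD  (IP_MAXPACKET - IP_HDRLEN - ICMP_HDRLEN)   /* 65507, the maximum ping prints */

/* Length handed to sendto() (ICMP header + payload) and length on the wire
 * including the IP header: for -s 65690 these are the 65698 and 65718 that
 * appear in the ltrace output above. */
size_t icmp_len(size_t payload) { return ICMP_HDRLEN + payload; }
size_t wire_len(size_t payload) { return IP_HDRLEN + icmp_len(payload); }

/* Privilege-dependent check modelled on the observed behaviour (assumption):
 * an unprivileged user gets a hard error, root only a warning, and the
 * oversized length is kept. */
int check_size_lax(size_t payload, int is_root)
{
    if (payload <= MAX_PAYLOAD)
        return 0;
    if (!is_root) {
        fprintf(stderr, "Error: packet size %zu is too large. Maximum is %u\n", payload, MAX_PAYLOAD);
        return -1;
    }
    fprintf(stderr, "WARNING: packet size %zu is too large. Maximum is %u\n", payload, MAX_PAYLOAD);
    return 0;                         /* root proceeds with a length the format cannot carry */
}

/* Hardened check: the limit follows from the IPv4 datagram format, not from
 * who runs the binary, so it is enforced for every caller. */
int check_size_strict(size_t payload)
{
    return payload > MAX_PAYLOAD ? -1 : 0;
}

/* Build the echo request into a heap buffer sized from the validated length,
 * so the length later passed to sendto() can never exceed the allocation. */
unsigned char *build_probe(size_t payload, size_t *out_len)
{
    if (check_size_strict(payload) < 0)
        return NULL;
    size_t len = icmp_len(payload);
    unsigned char *buf = calloc(len, 1);
    if (!buf) return NULL;
    buf[0] = 8;                       /* ICMP_ECHO type; code, checksum, id, seq left zero */
    memset(buf + ICMP_HDRLEN, 'E', payload);   /* constructed fill pattern */
    *out_len = len;
    return buf;
}
```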