Bugtraq mailing list archives
Re: ping
From: marekm () i17linuxb ists pwr wroc pl (Marek Michalkiewicz)
Date: Tue, 23 Jul 1996 01:30:36 +0200
Brian Mitchell:
There is a (somewhat difficult to exploit) security hole in the ping program (NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based unixes, but I have not checked.
[snip]
Something like this should take care of it, I would guess: 998c998 < (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); ---(void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr*)&l));1000c1000 < (void)sprintf(buf, "%s (%s)", hp->h_name, ---(void)snprintf(buf, 75, "%s (%s)", hp->h_name,
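Review bot: both replacements (the inet_ntoa line at 998 and the "%s (%s)" line at 1000) hardcode 75 as the bound, and nothing in the hunk ties that number to the real size of buf; if buf is an array in scope, use sizeof(buf) so the bound follows the declaration and cannot drift when someone resizes the buffer. Truncating hp->h_name is the right behaviour for a display string, but the size constant should be stated once, not twice.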
Well, not all systems have snprintf :-(. (It is in reasonably current versions of *BSD and Linux libc, but not on many older systems.)

Anyway, just wondering why the standard version of ping doesn't do setuid(getuid()) right after socket(AF_INET, SOCK_RAW, ...). No other code should need root privileges. The version of ping supplied with Debian Linux does this, with the added bonus that ps shows who is running ping (instead of just showing "root").

While we are at ping bugs: at least some versions allow flooding the network using the -l option as ordinary luser (just specify a large number of packets to send quickly). Again, Debian Linux doesn't have this problem, but the original ping-5.9 does.

Regards,
Marek
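The privilege-drop pattern Marek describes (open the raw socket, then setuid(getuid()) before any parsing or output formatting runs), as an added example in C. This is not code from NetKit ping, Debian's ping or any message in the thread; the function names, the verification of the drop, and the preload cap for non-root users (the constant MAX_USER_PRELOAD and its value) are this example's own assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed cap on -l (preload) for non-root callers; the page only says
   Debian's ping restricts it, not the value. Hypothetical constant. */
#define MAX_USER_PRELOAD 3

/* The single operation that needs root: a raw ICMP socket.
   Returns the fd, or -1 (errno EPERM/EACCES without root or CAP_NET_RAW). */
int open_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Permanently drop root: effective uid becomes the real uid.
   When euid == 0, setuid() sets real, effective and saved uid, so the
   drop cannot be undone later. Returns 0 on success, -1 otherwise. */
int drop_root(void) {
    uid_t ruid = getuid();
    if (setuid(ruid) != 0)
        return -1;
    /* Never trust the return value alone: re-check what we now run as. */
    if (geteuid() != ruid)
        return -1;
    return 0;
}

/* Flood guard for the -l option: ordinary users get a small preload,
   root keeps the unrestricted behaviour. Checked against the *real* uid,
   so it still works after drop_root(). */
int preload_allowed(int preload, uid_t ruid) {
    if (ruid == 0)
        return 1;
    return preload >= 0 && preload <= MAX_USER_PRELOAD;
}

int main(int argc, char **argv) {
    (void)argc; (void)argv;

    int fd = open_icmp_socket();          /* step 1: the only root work */
    if (fd < 0)
        fprintf(stderr, "socket: %s (raw sockets need root/CAP_NET_RAW)\n",
                strerror(errno));

    if (drop_root() != 0) {               /* step 2: drop root immediately */
        fprintf(stderr, "setuid(getuid()) failed; refusing to run as root\n");
        return 1;
    }

    /* From here on, argument parsing, gethostbyname(), sprintf() into
       buffers, and everything else runs with the caller's privileges only,
       so a memory-safety bug later yields the user's rights, not root's.
       ps now shows the real user as well. */
    int preload = 1000;                   /* constructed sample -l value */
    if (!preload_allowed(preload, getuid()))
        fprintf(stderr, "-l %d: too large for a non-root user\n", preload);

    if (fd >= 0)
        close(fd);                        /* the fd stays usable after the drop */
    return 0;
}
```

Run it as an unprivileged user and as root (or via a setuid-root copy): in all cases geteuid() equals getuid() after drop_root(), and the raw socket obtained before the drop remains open and usable, which is why the order of the two calls matters.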