Bugtraq mailing list archives

Re: riptrace.c


From: chris () NETMONGER NET (Christopher Masto)
Date: Thu, 8 Jan 1998 17:40:16 -0500


On Thu, Jan 08, 1998 at 03:19:03PM -0600, Aleph One wrote:
> More goodies from rootshell.com.
>
> http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c
>
> /*
>  * BSD 4.4 based routed trace file exploit
>  *
>  * (C) 1997 Rootshell [ http://www.rootshell.com/ ]
>  *
>  * <info () rootshell com>
>  *
>  * routed has the ability for a packet to be sent to the daemon that will
>  * turn on debug mode.  The packet is able to specify the file which is
>  * later opened without any checks being placed on that file open.
>  *
>  * Result: You can append to any file on the filesystem.
>  *
>  * The following syscall is made AS ROOT.
>  *
>  * ftrace = fopen(file, "a");
>  *
>  * This is obviously a LARGE problem.

A cursory examination of the FreeBSD routed sources indicates...

input.c handles the command this way:

        case RIPCMD_TRACEON:
        case RIPCMD_TRACEOFF:
                /* verify message came from a privileged port */
                if (ntohs(from->sin_port) > IPPORT_RESERVED) {
                        msglog("trace command from untrusted port on %s",
                               naddr_ntoa(FROM_NADDR));
                        return;
                }
                if (aifp == 0) {
                        msglog("trace command from unknown router %s",
                               naddr_ntoa(FROM_NADDR));
                        return;
                }
                if (rip->rip_cmd == RIPCMD_TRACEON) {
                        rip->rip_tracefile[cc-4] = '\0';
                        set_tracefile((char*)rip->rip_tracefile,
                                      "trace command: %s\n", 0);
                } else {
                        trace_off("tracing turned off by %s\n",
                                  naddr_ntoa(FROM_NADDR));
                }
                return;

trace.c then has these checks in the set_tracefile function:

                /* Allow the file specified with "-T file" to be reopened,
                 * but require all other names specified over the net to
                 * match the official path.  The path can specify a directory
                 * in which the file is to be created.
                 */
                if (strcmp(filename, inittracename)
#ifdef _PATH_TRACE
                    && (strncmp(filename, _PATH_TRACE, sizeof(_PATH_TRACE)-1)
                        || strstr(filename,"../")
                        || 0 > stat(_PATH_TRACE, &stbuf))
#endif
                    ) {
                        msglog("wrong trace file \"%s\"", filename);
                        return;
                }

                /* If the new tracefile exists, it must be a regular file.
                 */
                if (stat(filename, &stbuf) >= 0
                    && (stbuf.st_mode & S_IFMT) != S_IFREG) {
                        msglog("wrong type (%#x) of trace file \"%s\"",
                               stbuf.st_mode, filename);
                        return;
                }
                fn = filename;
        }
        if (fn != 0) {
                n_ftrace = fopen(fn, "a");
                ...


This version seems to have come from SGI at some point.
--
= Christopher Masto        = chris () netmonger net = http://www.netmonger.net/  =
= NetMonger Communications = finger for  PGP key = $19.95/mo unlimited access =
= Director of Operations   =   (516)  221-6664   = mailto:info () netmonger net  =

    "... who'd want a lossy TIFF?"  -- Kibo