Bugtraq mailing list archives
Re: riptrace.c
From: chris () NETMONGER NET (Christopher Masto)
Date: Thu, 8 Jan 1998 17:40:16 -0500
On Thu, Jan 08, 1998 at 03:19:03PM -0600, Aleph One wrote:
More goodies from rootshell.com. http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c /* * BSD 4.4 based routed trace file exploit * * (C) 1997 Rootshell [ http://www.rootshell.com/ ] * * <info () rootshell com> * * routed has the ability for a packet to be sent to the daemon that will * turn on debug mode. The packet is able to specify the file which is * later opened without any checks being placed on that file open. * * Result: You can append to any file on the filesystem. * * The following syscall is made AS ROOT. * * ftrace = fopen(file, "a"); * * This is obviously a LARGE problem.
A cursory examination of the FreeBSD routed sources indicates... input.c handles the command this way: case RIPCMD_TRACEON: case RIPCMD_TRACEOFF: /* verify message came from a privileged port */ if (ntohs(from->sin_port) > IPPORT_RESERVED) { msglog("trace command from untrusted port on %s", naddr_ntoa(FROM_NADDR)); return; } if (aifp == 0) { msglog("trace command from unknown router %s", naddr_ntoa(FROM_NADDR)); return; } if (rip->rip_cmd == RIPCMD_TRACEON) { rip->rip_tracefile[cc-4] = '\0'; set_tracefile((char*)rip->rip_tracefile, "trace command: %s\n", 0); } else { trace_off("tracing turned off by %s\n", naddr_ntoa(FROM_NADDR)); } return; trace.c then has these checks in the set_tracefile function: /* Allow the file specified with "-T file" to be reopened, * but require all other names specified over the net to * match the official path. The path can specify a directory * in which the file is to be created. */ if (strcmp(filename, inittracename) #ifdef _PATH_TRACE && (strncmp(filename, _PATH_TRACE, sizeof(_PATH_TRACE)-1) || strstr(filename,"../") || 0 > stat(_PATH_TRACE, &stbuf)) #endif ) { msglog("wrong trace file \"%s\"", filename); return; } /* If the new tracefile exists, it must be a regular file. */ if (stat(filename, &stbuf) >= 0 && (stbuf.st_mode & S_IFMT) != S_IFREG) { msglog("wrong type (%#x) of trace file \"%s\"", stbuf.st_mode, filename); return; } fn = filename; } if (fn != 0) { n_ftrace = fopen(fn, "a"); ... This version seems to have come from SGI at some point. -- = Christopher Masto = chris () netmonger net = http://www.netmonger.net/ = = NetMonger Communications = finger for PGP key = $19.95/mo unlimited access = = Director of Operations = (516) 221-6664 = mailto:info () netmonger net = "... who'd want a lossy TIFF?" -- Kibo
Current thread:
- Security flaw in either DIT TransferPro or Solaris The Man (Jan 05)
- Re: Security flaw in either DIT TransferPro or Solaris The Man (Jan 07)
- NetWare NFS Andrew J. Anderson (Jan 08)
- New DOS exploit for NT and Win95 (CONFIRMED?) Aleph One (Jan 08)
- bonk.c Aleph One (Jan 08)
- Re: bonk.c Jord Sonneveld (Jan 10)
- riptrace.c Aleph One (Jan 08)
- Re: riptrace.c Christopher Masto (Jan 08)
- Re: riptrace.c Alfred Huger (Jan 08)
- Nifty Security hole on Several NT Based Web Servers Aleph One (Jan 09)
- Re: riptrace.c Theo de Raadt (Jan 09)
- Re: riptrace.c Hubert Feyrer (Jan 08)
- Source for NEWTEAR.C Aleph One (Jan 09)
- Re: riptrace.c Christopher Masto (Jan 08)