Bugtraq mailing list archives

Re: Very interesting traceroute flaw


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Sat, 30 Sep 2000 14:10:53 -0700

Batch of responses in this thread.

Felix Kronlage <fkr () grummel net>:

  OpenBSD 2.7-stable (patch_branch): safe
  OpenBSD 2.8-beta: safe

jura <jura () technolust cx>:

  Redhat 6.0 is affected as well (using ver. traceroute-1.4a5-16)

Carl Brock Sides <csides () autozone com>:

  For Debian users:

  Affected: 1.4a5-2 (distributed with Potato)
  Safe: 1.4a5-3 (distributed with Woody)


  According to the Debian changelog:

  traceroute (1.4a5-3) stable unstable; urgency=low

  * Fixed a bug where free(3) was called on non-malloced memory.

"Venkat RK Reddy" <vpothams () cisco com>:

  It seems Caldera (at least 2.4 e server) has the faulty version.  It readily
  produces seg fault.

Jerry Walsh <jerry () aardvark ie>:

  For the record, FreeBSD 3.5 isn't vulnerable

  [jw@llama] (~): traceroute -g 1 -g 1
  Version 1.3.2
  Usage: traceroute [-dnrv] [-w wait] [-m max_ttl] [-M min_ttl] [-P proto]
            [-p port#] [-q nqueries] [-t tos] [-s src_addr] [-g gateway]
            host [data_size]
  [jw@llama] (~):

  Specifying a hostname with these switches also works without a seg. fault.

Cooper <Cooper () Linuxfan com>:

  Slackware 4.0 and 7.0 both use a traceroute that I can't seem to get
  version information out of via command line switches, but a quick
  "strings `which traceroute` | more" revealed this little piece of info:
  @(#) Copyright (c) 1990, 1993
          The Regents of the University of California.  All rights
  reserved.
  @(#)traceroute.c        8.1 (Berkeley) 6/6/93

  It doesn't know the -g switch, but doesn't segfault when you supply
  multiple instances of an existing switch.
  At least for as far as this bug is concerned, Slack is safe.

A Guy Called Tyketto <tyketto () wizard com>:

  I can also confirm that Slackware 7.0 and 7.1 are not affected by
  this, as they still do not have a -g option.

  The following machines, I have also tested this on, and receive no
  error:

  AIX 4.0: traceroute -g 1 -g 1 returns unknown host 1.

  FreeBSD 3.3: traceroute -g 1 -g 1 returns the usage and command line
  flags.

  Digital Unix 3.2: as above, tries to traceroute to 0.0.0.1.

  The only machine I have access to that IS vulnerable to this, is
  Solaris 2.5.1. traceroute -g 1 -g 1 returns 'Bus error'. There may be others,
  but these I have tried so far. YMMV.

Tony_Jeffries () Consultec-inc com:

  I tested this on a Mandrake 7.0 machine, and it segfaults there, too. Not a
  surprise, since Mandrake is based on Red Hat.

"Dehner, Ben" <Btd () valmont com>:

  For HP-UX 10.20 and 11.00:

  Traceroute -g 1 -g 1 attempts to traceroute to 0.0.0.1; not apparently
  vulnerable.

Joey Maier <maierj () home com>:

  Perhaps the slackware version is different than the redhat version.
  ========================================================
  Red Hat Linux release 6.1 (Cartman)
  Kernel 2.2.12-20 on an i686
  login: jmaier
  Password:
  Last login: Fri Sep 29 10:47:46 from cypress
  [jmaier@tick jmaier]$ /usr/sbin/traceroute  -g 1 -g 1
  Segmentation fault
  [jmaier@tick jmaier]$

Kris Kennaway <kris () FreeBSD org>:

  Safe:       All versions of FreeBSD

Martin Ferrari <mferrari () decidir net>:

  I've executed /usr/sbin/traceroute -g 1 -g 1 on Mandrake 7.1, and it
  crashes.

Gossi The Dog <gossi () owned lab6 com>:

  Cobalt Linux 5.0, with all security patches released on ftp.cobalt.com:

  [gossi@owned gossi]$ /usr/sbin/traceroute -g 1 -g 1
  Segmentation fault
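
The manual check the respondents describe (run `traceroute -g 1 -g 1` and see whether it dies with a segmentation fault or bus error), as an added shell sketch that is not code from the thread or from any traceroute project. The function names, output labels and the 5-second limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify how a traceroute binary reacts
# to the repeated-gateway invocation quoted above. Function names, output
# labels and the 5-second limit are assumptions of this sketch.

# Map a wait exit status to "crash:<SIG>", "signal:<SIG>" or "no-crash".
classify_status() {
    status=$1
    if [ "$status" -gt 128 ]; then
        # kill -l <status> turns 128+N into the signal name (139 -> SEGV).
        sig=$(kill -l "$status" 2>/dev/null) || sig=unknown
        case "$sig" in
            SEGV|BUS) echo "crash:$sig" ;;   # the two failures reported
            *)        echo "signal:$sig" ;;  # e.g. TERM from the watchdog
        esac
    else
        echo "no-crash"                      # usage text, unknown host, ...
    fi
}

# Run "<cmd> -g 1 -g 1" with no target host and report the outcome.
probe_traceroute() {
    cmd=$1
    command -v "$cmd" >/dev/null 2>&1 || { echo "not-found"; return 2; }
    "$cmd" -g 1 -g 1 >/dev/null 2>&1 &
    pid=$!
    # Some implementations in the thread treat "1" as the target and start
    # tracing to 0.0.0.1, so stop the probe after 5 seconds.
    ( sleep 5; kill -TERM "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?
    kill "$watchdog" 2>/dev/null || true
    classify_status "$status"
}

# Stand-alone use: sh probe.sh /usr/sbin/traceroute
if [ "$#" -gt 0 ]; then
    probe_traceroute "$1"
fi
```

A `no-crash` result only says that this one invocation did not fault; the package version (for Debian, 1.4a5-3 or later per the changelog quoted above) is the more reliable indicator.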

