Bugtraq mailing list archives
Re: Very interesting traceroute flaw
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Sat, 30 Sep 2000 14:10:53 -0700
Batch of responses in this thread.

Felix Kronlage <fkr () grummel net>:

OpenBSD 2.7-stable (patch_branch): safe
OpenBSD 2.8-beta: safe

jura <jura () technolust cx>:

Redhat 6.0 is affected as well (using ver. traceroute-1.4a5-16)

Carl Brock Sides <csides () autozone com>:

For Debian users:
Affected: 1.4a5-2 (distributed with Potato)
Safe: 1.4a5-3 (distributed with Woody)

According to the Debian changelog:

traceroute (1.4a5-3) stable unstable; urgency=low

  * Fixed a bug where free(3) was called on non-malloced memory.

"Venkat RK Reddy" <vpothams () cisco com>:

It seems Caldera (at least 2.4 e server) has the faulty version. It readily produces seg fault.

Jerry Walsh <jerry () aardvark ie>:

For the record, FreeBSD 3.5 isn't vulnerable

[jw@llama] (~): traceroute -g 1 -g 1
Version 1.3.2
Usage: traceroute [-dnrv] [-w wait] [-m max_ttl] [-M min_ttl] [-P proto] [-p port#] [-q nqueries] [-t tos] [-s src_addr] [-g gateway] host [data_size]
[jw@llama] (~):

Specifying a hostname with these switches also works without a seg. fault.

Cooper <Cooper () Linuxfan com>:

Slackware 4.0 and 7.0 both use a traceroute that I can't seem to get version information out of via command line switches, but a quick "strings `which traceroute` | more" revealed this little piece of info:

@(#) Copyright (c) 1990, 1993 The Regents of the University of California. All rights reserved.
@(#)traceroute.c 8.1 (Berkeley) 6/6/93

It doesn't know the -g switch, but doesn't segfault when you supply multiple instances of an existing switch. At least for as far as this bug is concerned, Slack is safe.

A Guy Called Tyketto <tyketto () wizard com>:

I can also confirm that Slackware 7.0 and 7.1 are not affected by this, as they still do not have a -g option. The following machines, I have also tested this on, and receive no error:

AIX 4.0: traceroute -g 1 -g 1 returns unknown host 1.
FreeBSD 3.3: traceroute -g 1 -g 1 returns the usage and command line flags.
Digital Unix 3.2: as above, tries to traceroute to 0.0.0.1.

The only machine I have access to that IS vulnerable to this, is Solaris 2.5.1. traceroute -g 1 -g 1 returns 'Bus error'. There may be others, but these I have tried so far. YMMV.

Tony_Jeffries () Consultec-inc com:

I tested this on a Mandrake 7.0 machine, and it segfaults there, too. Not a surprise, since Mandrake is based on Red Hat.

"Dehner, Ben" <Btd () valmont com>:

For HP-UX 10.20 and 11.00: Traceroute -g 1 -g 1 attempts to traceroute to 0.0.0.1; not apparently vulnerable.

Joey Maier <maierj () home com>:

Perhaps the slackware version is different than the redhat version.

========================================================
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.12-20 on an i686
login: jmaier
Password:
Last login: Fri Sep 29 10:47:46 from cypress
[jmaier@tick jmaier]$ /usr/sbin/traceroute -g 1 -g 1
Segmentation fault
[jmaier@tick jmaier]$

Kris Kennaway <kris () FreeBSD org>:

Safe: All versions of FreeBSD

Martin Ferrari <mferrari () decidir net>:

I've executed /usr/sbin/traceroute -g 1 -g 1 on Mandrake 7.1, and it crashes.

Gossi The Dog <gossi () owned lab6 com>:

Cobalt Linux 5.0, with all security patches released on ftp.cobalt.com:

[gossi@owned gossi]$ /usr/sbin/traceroute -g 1 -g 1
Segmentation fault
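
A repeatable form of the test the posters above ran by hand, as an added example that is not part of the original thread: it runs traceroute -g 1 -g 1 with output discarded and reports "affected" only when the process died on SIGSEGV or SIGBUS. The function names, the LIMIT watchdog (there because several posters saw traceroute start probing 0.0.0.1 instead of exiting) and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. LIMIT and the function names are
# this example's own choices.
LIMIT=${LIMIT:-10}   # seconds before a non-crashing run is stopped

# Map a wait status to a verdict. Shells report death by signal N as 128+N.
classify_status() {
    if [ "$1" -gt 128 ]; then
        sig=$(kill -l "$1" 2>/dev/null || echo unknown)
        case $sig in
            SEGV|BUS) echo "affected ($sig)"; return 0 ;;
            TERM) echo "no crash (stopped after ${LIMIT}s)"; return 0 ;;
        esac
    fi
    echo "no crash (exit $1)"
}

# Run a command quietly with core dumps off and a watchdog, then classify.
run_check() {
    ( ulimit -c 0 2>/dev/null || true
      exec "$@" >/dev/null 2>&1 </dev/null ) &
    pid=$!
    # Watchdog: stop the command if it is still running after LIMIT seconds.
    ( sleep "$LIMIT"; kill -s TERM "$pid" ) >/dev/null 2>&1 &
    dog=$!
    status=0
    wait "$pid" || status=$?
    kill "$dog" 2>/dev/null || true
    classify_status "$status"
}

# The test from the thread: the same -g option given twice, no host.
check_traceroute() {
    bin=${1:-/usr/sbin/traceroute}
    [ -x "$bin" ] || { echo "not found: $bin"; return 0; }
    run_check "$bin" -g 1 -g 1
}

# Run the check only when asked, e.g.: sh check.sh --run /usr/sbin/traceroute
if [ "${1:-}" = "--run" ]; then check_traceroute "${2:-}"; fi
```

A usage message or "unknown host" exit shows up as "no crash (exit N)", which matches the results reported above for the unaffected systems.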
Current thread:
- Very interesting traceroute flaw Chris Evans (Sep 29)
- Re: Very interesting traceroute flaw Sylvain Robitaille (Sep 29)
- Re: Very interesting traceroute flaw Martin Peikert (Sep 29)
- Re: Very interesting traceroute flaw Daniel Jacobowitz (Sep 30)
- Re: Very interesting traceroute flaw Casper Dik (Sep 29)
- Re: Very interesting traceroute flaw pedward (Sep 30)
- Re: Very interesting traceroute flaw Daniel Jacobowitz (Sep 30)
- Re: Very interesting traceroute flaw Elias Levy (Sep 30)