Bugtraq mailing list archives

Re: mtr 0.45, 0.46


From: R.E.Wolff () BitWizard nl (Rogier Wolff)
Date: Wed, 6 Mar 2002 18:53:31 +0100 (MET)

Przemyslaw Frasunek wrote:
> A few days ago, a new version of mtr has been released. Authors wrote

Ah. That's me..... :-) 

As usual, I would have preferred to have heard from you before
posting to BugTraq. 

> in CHANGELOG, that they fixed a non-exploitable buffer overflow.
> In fact, this vulnerability is very easily exploitable and allows an
> attacker to gain access to a raw socket, which makes IP spoofing
> and other malicious network activity possible.

Have you read the SECURITY document that comes with mtr? It explains
exactly that if you break mtr security, you will get access to the raw
socket.

If you (or your distribution) install mtr setuid, then that's the risk
you take. The mtr distribution doesn't install mtr setuid. Now, I must
confess that I do it myself too. But I know the risks I'm taking
(none: All people who have access to the setuid binary also have the
root password). I'm afraid that of course distributions will have to make
the decision for their users and will choose 'setuid'. mtr is indeed
kind of useless without that. 

By the way, if you link mtr with gtk and/or curses, then I'm convinced
that you'll be able to find security bugs in those libraries which
allow you to do the same thing....

Anyway, from a security viewpoint, having access to a raw socket is
something that requires root access to get, so normally that will
actually GIVE you root access once you have it. As bugs in the
libraries that mtr links to are almost certain, mtr has root leaks as
soon as it's installed setuid.

I'm glad that the fixes predate the exploits again. :-)

                        Roger. 

-- 
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots. 
* There are also old, bald pilots. 
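The message above turns on one question a system owner can check mechanically: is mtr installed setuid root, and if so, can everyone on the box run it or only a trusted group (the author's own situation, where everyone with access also has the root password)? The following audit script is an added example, not code from the thread or from the mtr project; the install paths it probes are assumptions.

```shell
#!/bin/sh
# Classify how a binary is installed. Prints exactly one of:
#   missing, not-setuid, setuid-restricted, setuid-world
# A setuid mtr hands the raw socket (root-equivalent, per the message)
# to every user who can execute it, so "setuid-world" is the finding
# that matters; "setuid-restricted" means execute is limited to the
# owner and group, which is the narrower exposure the author accepts.
setuid_class() {
  f=$1
  [ -e "$f" ] || { echo missing; return; }
  [ -u "$f" ] || { echo not-setuid; return; }
  # Columns 8-10 of `ls -ld` are the "others" permission triplet
  # (POSIX ls, so this works where GNU `stat -c` is unavailable).
  others=$(ls -ld "$f" | cut -c8-10)
  case $others in
    *x*) echo setuid-world ;;
    *)   echo setuid-restricted ;;
  esac
}

# Report on each candidate path with the consequence spelled out.
audit_mtr() {
  for f in "$@"; do
    case $(setuid_class "$f") in
      setuid-world)
        echo "$f: setuid and executable by everyone: any local user gets the raw socket" ;;
      setuid-restricted)
        echo "$f: setuid, execute limited to owner/group: only that group gets the raw socket" ;;
      not-setuid)
        echo "$f: not setuid: unprivileged users cannot run it, root is needed for the raw socket" ;;
      missing)
        echo "$f: not installed" ;;
    esac
  done
}

# Typical install locations (assumed; adjust for your distribution).
audit_mtr /usr/bin/mtr /usr/sbin/mtr /usr/local/sbin/mtr
```

Run it as any user; the setuid bit and the "others" execute bit are readable without privilege, so the report is the same whoever runs it.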
