SRT2003-TURKEY-DAY - *novelty* - detecttr.c Trace Route detection vulnerability

[KF <dotslash () snosoft com>]

*gobble* *gobble*.

-KF

Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                           kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-TURKEY-DAY *Gobble* *Gobble*
Product                 : detecttr.c
Version                 : modified on 11.07.97
Vendor                  : baldor - http://phrack.org/show.php?p=51&a=3 
Class                   : Remote
Criticality             : Low
Operating System(s)     : Linux, FreeBSD, and other POSIX-systems


Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com/research/advisories/SRT2003-TURKEY-DAY.txt


Basic Explanation
************************************************************************
High Level Description  : detecttr has format strings issues. 
What to do              : properly format the syslog call and recompile.


Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept. 

Low Level Description   : Phrack Magazine Volume 7, Issue 51 which was 
released on September 01, 1997 contained an article titled "Tools for 
(paranoid ?) linux users" by an author known as baldor. This article was
featured as part of the "Line Noise" located in section 0x04 from article 
03 of 17. In this article the author introduces a program for detecting
traceroute activity. You can find this program in a variety of places 
including security archives, unix tool libraries, and search engines. 

The program in question is detecttr.c and it contains a remotely
exploitable format strings issue. I have not yet decided if this was a 
deliberately placed backdoor or if it was a simple coding mistake. 

Either way...line 140 of detecttr.c is the problem child which leads to
potential exploitation. DNS libraries during the time the article was 
written may have been ripe for easy exploitation of this issue. Passing
a hostname directly to syslog() without a format specifier is a bad idea
in most cases. 

Work Around             : Apply the below code change. 

change               syslog(LOG_NOTICE , buf);
to                   syslog(LOG_NOTICE , "%s" , buf);

Bugtraq URL             : To be assigned. 
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at sales () secnetops com for further information on how to 
obtain proof of concept code.

----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."