Vulnerability Development mailing list archives
Re: Local root through vulnerability in ping on linux.
From: Martin MaD Douda <martin () DOUDA NET>
Date: Mon, 21 Aug 2000 17:36:55 +0200
I've looked at RedHat 6.2 ping's behavior:

$ ping -c 1 -s 65690 localhost
Error: packet size 65690 is too large. Maximum is 65507

/* so no security issue here - does not segfault as regular user - it was reported */

# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)

/* There is some error somewhere - it was reported */

# strace ping -c 1 -s 65690 localhost
execve("/bin/ping", ["ping", "-c", "1", "-s", "65690", "localhost"], [/* 22 vars */]) = 0
[snip]
write(2, "WARNING: packet size 65690 is to"..., 58WARNING: packet size 65690 is too large. Maximum is 65507
) = 58
brk(0x8070000)                          = 0x8070000
getpid()                                = 19319
fstat64(0x1, 0xbffff1d4)                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

/* Nothing really interesting & surprising from strace, let's go on... */

# ltrace ping -c 1 -s 65690 localhost
__libc_start_main(0x08048e34, 6, 0xbffffaf4, 0x08048a1c, 0x0804b0bc <unfinished ...>
[snip]
perror("ping: sendto")                  = <void>
ping: sendto: No buffer space available
printf("ping: wrote %s %d chars, ret=%d\n", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"..., 65698, -1) = 33
recvfrom(3, 0x0805e1a8, 65826, 0, 0xbffffa24 <unfinished ...>
--- SIGINT (Interrupt) ---

/* here it was waiting for Ctrl-C or timeout */

sigaction(14, 0xbffff5e4, 0, 12, 65826) = 0
_IO_putc('\n', 0x4011f980)              = 10
fflush(0x4011f980PING (127.0.0.1) from 127.0.0.1 : 65690(65718) bytes of data.
ping: wrote 65698 chars, ret=-1
)                                       = 0
printf("--- %s ping statistics ---\n", "EOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOFEOF"...) = 25
printf("%ld packets transmitted, ", 1)  = 23
printf("%ld packets received, ", 0)     = 20
printf("%d%% packet loss", 100)         = 16
_IO_putc('\n', 0x4011f980)              = 10
exit(1)                                 = <void>
__deregister_frame_info(0x0804d00c, 0xbffff660, 0x0804b0d1, 0x401211ec, 0xbffff674) = 0x0804d1b4
--- ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
+++ exited (status 1) +++

Ping does not fail when ltraced. It correctly sends the packet (and this packet does not return, IMHO due to ICMP packet size limits). I think the kernel is not suspicious anymore. And it is either a ping or libc bug, not a security issue.

My system is RedHat 6.2 with 2.4.0-test7-pre3+reiserfs. The kernel is the only (relevant) thing modified from the original RH6.2.
glibc is 2.1.3-15
iputils (where ping lives) is 20000121-2 - looks like some development version? sounds like a suspicious development version?

Martin

--------------------------------------------------------------------------------
Martin "MaD" Douda
WEB:   http://martin.douda.net/
EMAIL: martin () douda net
SMS:   mad () gate mobil cz (up to 160 characters)
PHONE: +420603752779
PGP:   ID=0x6FE43023  Fingerprint: E495 11DA EF6E 0DD6 965A 54F3 888E CC9E 6FE4 3023
--------------------------------------------------------------------------------
If the automobile had followed the same development cycle as the computer, a Rolls-Royce today would cost $100, get a million miles to the gallon, and explode once a year, killing everyone inside.
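The transcript above shows the size check that matters here: ping rejects 65690 with an error for an unprivileged user but only warns and carries on as root, and the ltrace then shows its hostname string overwritten with filler before the crash. The 65507 limit it prints is the IPv4 datagram maximum (65535) less the minimal IP header (20) and the ICMP echo header (8). The following is an added example, not code from iputils or from this thread, of how an echo-request builder enforces that limit unconditionally, with an RFC 1071 checksum so the result can be verified; the function names (build_echo_request, try_build, built_checksum_ok) and the filler pattern are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits from the IP and ICMP headers: a datagram is at most 65535 bytes,
 * the minimal IPv4 header is 20 and the ICMP echo header is 8, which gives
 * the 65507-byte maximum that the ping in the post reports. */
#define IP_MAX_DATAGRAM 65535u
#define IPV4_HDR_MIN    20u
#define ICMP_ECHO_HDR   8u
#define MAX_PAYLOAD     (IP_MAX_DATAGRAM - IPV4_HDR_MIN - ICMP_ECHO_HDR)

#define ICMP_ECHO_REQUEST 8

/* RFC 1071 ones-complement checksum over the ICMP header and payload. */
static uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (i < len)                      /* odd trailing byte, zero-padded */
        sum += (uint32_t)data[i] << 8;
    while (sum >> 16)                 /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fills buf with an ICMP echo request carrying datalen payload bytes.
 * Returns the packet length, or -1 if the payload does not fit. The size
 * check is an error regardless of who runs it, not a warning for root. */
int build_echo_request(uint8_t *buf, size_t bufsize, size_t datalen,
                       uint16_t id, uint16_t seq)
{
    size_t total = ICMP_ECHO_HDR + datalen;
    uint16_t csum;

    if (datalen > MAX_PAYLOAD || total > bufsize)
        return -1;

    buf[0] = ICMP_ECHO_REQUEST;       /* type */
    buf[1] = 0;                       /* code */
    buf[2] = buf[3] = 0;              /* checksum, computed last */
    buf[4] = (uint8_t)(id >> 8);   buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(seq >> 8);  buf[7] = (uint8_t)seq;
    for (size_t i = 0; i < datalen; i++)  /* constructed filler pattern */
        buf[ICMP_ECHO_HDR + i] = (uint8_t)i;

    csum = icmp_checksum(buf, total);
    buf[2] = (uint8_t)(csum >> 8);
    buf[3] = (uint8_t)csum;
    return (int)total;
}

/* Static packet buffer sized for the largest legal echo request. */
static uint8_t g_pkt[ICMP_ECHO_HDR + MAX_PAYLOAD];

/* Builds into g_pkt; returns the packet length or -1. */
int try_build(size_t datalen)
{
    return build_echo_request(g_pkt, sizeof g_pkt, datalen, 0x1234, 1);
}

/* Returns 1 if the packet built for datalen verifies: recomputing the
 * checksum over the whole packet must give zero (the receiver-side check). */
int built_checksum_ok(size_t datalen)
{
    int len = try_build(datalen);
    if (len < 0)
        return 0;
    return icmp_checksum(g_pkt, (size_t)len) == 0;
}

int main(void)
{
    const size_t sizes[] = { 56, 65507, 65690 };   /* 65690 is the post's value */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int len = try_build(sizes[i]);
        if (len < 0)
            printf("-s %zu: rejected, maximum is %u\n", sizes[i], MAX_PAYLOAD);
        else
            printf("-s %zu: %d-byte echo request, checksum ok=%d\n",
                   sizes[i], len, built_checksum_ok(sizes[i]));
    }
    return 0;
}
```

The design point is that the limit is derived from the protocol headers rather than from a privilege level, and the buffer the packet is built into is sized to that limit, so a request larger than the buffer can never be written into it, whichever uid runs the tool.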
Current thread:
- Local root through vulnerability in ping on linux. Gerrie (Aug 19)
- Re: Local root through vulnerability in ping on linux. Ralf-Philipp Weinmann (Aug 19)
- Re: Local root through vulnerability in ping on linux. Gerrie (Aug 20)
- Re: Local root through vulnerability in ping on linux. Tymm Twillman (Aug 20)
- Re: Local root through vulnerability in ping on linux. Ralf-Philipp Weinmann (Aug 20)
- Re: Local root through vulnerability in ping on linux. Samu (Aug 20)
- Re: Local root through vulnerability in ping on linux. Pedro Hugo (Aug 20)
- Re: Local root through vulnerability in ping on linux. Peter Batenburg (Aug 21)
- Re: Local root through vulnerability in ping on linux. PatrickM (Aug 21)
- Re: Local root through vulnerability in ping on linux. Martin MaD Douda (Aug 21)
- Re: Local root through vulnerability in ping on linux. Gerrie (Aug 20)
- Re: Local root through vulnerability in ping on linux. Ralf-Philipp Weinmann (Aug 19)
- <Possible follow-ups>
- Re: Local root through vulnerability in ping on linux. Goense, Jacob (Aug 20)
- Re: Local root through vulnerability in ping on linux. Joe User (Aug 21)
- Re: Local root through vulnerability in ping on linux. Rodrigo Barbosa (aka morcego) (Aug 21)
- Re: Local root through vulnerability in ping on linux. Murvai-Buzogany Laszlo (Aug 21)
- Re: Local root through vulnerability in ping on linux. Michal Zalewski (Aug 21)
- Re: Local root through vulnerability in ping on linux. Daniel Jacobowitz (Aug 21)
- Re: Local root through vulnerability in ping on linux. Bluefish (P.Magnusson) (Aug 22)
- Re: Local root through vulnerability in ping on linux. Hue-Bond (Aug 21)
- Re: Local root through vulnerability in ping on linux. Ronald Huizer (Aug 22)
- Re: Local root through vulnerability in ping on linux. Joe User (Aug 21)