Date: Sat, 27 Jul 1996 08:35:03 -0700
From: Cy Schubert <cy@cwsys.cwent.com>
To: security-officer@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Ping
Message-ID: <199607271535.IAA04804@cwsys.cwent.com>
I've been catching up with some messages from Bugtraq. It appears that the problem described below matches the code in FreeBSD 2.1R and CURRENT. Following is a patch I've put together based on 2.1R.

------------ Cut here -----------
Ping exposure:

The following fragment of code fixes a buffer overflow in ping that can be used to execute arbitrary commands as root. See file ping.bug for more details.

--- ping.c.orig	Sat Jul 27 08:03:22 1996
+++ ping.c	Sat Jul 27 08:05:17 1996
@@ -959,9 +959,9 @@ if ((options & F_NUMERIC) || !(hp = gethostbyaddr((char *)&l, 4, AF_INET))) - (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); + (void)snprintf(buf, 80, "%s", inet_ntoa(*(struct in_addr *)&l)); else - (void)sprintf(buf, "%s (%s)", hp->h_name, + (void)snprintf(buf, 80, "%s (%s)", hp->h_name, inet_ntoa(*(struct in_addr *)&l)); return(buf); }
------------ Cut here -----------

Regards,                          Phone:    (604)389-3827
Cy Schubert                       OV/VM:    BCSC02(CSCHUBER)
Open Systems Support              BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                              Internet: cschuber@uumail.gov.bc.ca
                                            cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

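Review bot: both snprintf calls in the hunk bound the write with the literal 80 while the destination is declared `static char buf[80]` earlier in pr_addr(); write `sizeof(buf)` instead so the bound and the declaration cannot drift apart if the array is ever resized. With that change the fix is sound: inet_ntoa() produces at most 15 characters, so the only thing that can be cut short is an overlong hp->h_name, the reverse-DNS reply an attacker controls, and buf remains NUL-terminated, which is exactly the behaviour wanted here.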
------- Forwarded Message

Approved-By: Brian Mitchell <brian@SATURN.NET>
Message-Id: <Pine.LNX.3.91.960721160412.5645A-100000@tcpip>
Date: Sun, 21 Jul 1996 16:08:28 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Brian Mitchell <brian@saturn.net>
Subject: ping
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Resent-To: cy@uumail.gov.bc.ca
Resent-Date: Mon, 22 Jul 96 14:08:31 -0700

There is a (somewhat difficult to exploit) security hole in the ping program (NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based unixes, but I have not checked. pr_addr() has a buffer overflow which makes it possible to execute arbitrary code. You do need a local account, unless you know someone on the system is always doing a ping -v somehost, in which case it may be done remotely.

Here is the code in question:

/*
 * pr_addr --
 *	Return an ascii host address as a dotted quad and optionally with
 *	a hostname.
 */
char *
pr_addr(l)
	u_long l;
{
	struct hostent *hp;
	static char buf[80];

	if ((options & F_NUMERIC) ||
	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
	else
		(void)sprintf(buf, "%s (%s)", hp->h_name,
		    inet_ntoa(*(struct in_addr *)&l));
	return(buf);
}

This function is called when ping is running in -v mode (verbose) and it receives a non-echo related icmp packet. Something like this should take care of it, I would guess:

998c998 < (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l)); - --- > (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr *)&l));1000c1000 < (void)sprintf(buf, "%s (%s)", hp->h_name, - --- > (void)snprintf(buf, 75, "%s (%s)", hp->h_name,

Brian Mitchell
brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- - H. Truman

------- End of Forwarded Message
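Review bot: the separator lines of this diff read `- ---` rather than `---`, the dash-escaped form a clearsigning or mail-quoting step produces, so patch(1) will reject the diff as pasted; strip the leading `- ` from those lines (or regenerate the diff with diff -u) before applying. The bound 75 is a literal while the destination is `static char buf[80]`: it is safely below the array size, but `sizeof(buf)` keeps the bound and the declaration in step if the buffer is ever resized.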
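As an added example (not code from either message above), here is a bounded version of pr_addr() written to the same contract: sizeof(buf) is used as the snprintf bound and the return value is checked, so an overlong name is reported as truncated instead of silently overrunning the 80-byte static buffer. It takes the host name as a parameter in place of calling gethostbyaddr(), so a constructed 200-byte reverse-DNS name can be fed in offline. pr_addr_bounded, pr_addr_wanted, pr_addr_truncated and overlong_name_demo are names made up for this example.

```c
/*
 * Added example, not code from the FreeBSD or Bugtraq messages above.
 * A bounded re-implementation of ping's pr_addr() that takes the host
 * name as a parameter instead of calling gethostbyaddr(), so the effect
 * of an overlong reverse-DNS name on the 80-byte static buffer can be
 * checked offline. pr_addr_bounded, pr_addr_wanted, pr_addr_truncated
 * and overlong_name_demo are hypothetical names chosen for this example.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define PR_ADDR_BUFSZ 80   /* matches "static char buf[80]" in ping.c */

/* Length the full string needed, excluding the NUL (what the original
 * sprintf() would have written), and whether the last call truncated. */
int pr_addr_wanted;
int pr_addr_truncated;

/*
 * Format addr (network byte order) as "a.b.c.d" or "hname (a.b.c.d)" into
 * a static buffer, as ping -v does when reporting non-echo ICMP packets.
 * hname may be NULL (numeric output) or a string of any length.
 */
const char *pr_addr_bounded(in_addr_t addr, const char *hname)
{
    static char buf[PR_ADDR_BUFSZ];
    struct in_addr ia;
    int n;

    ia.s_addr = addr;
    if (hname == NULL)
        n = snprintf(buf, sizeof(buf), "%s", inet_ntoa(ia));
    else
        n = snprintf(buf, sizeof(buf), "%s (%s)", hname, inet_ntoa(ia));

    /* snprintf() returns the length it wanted to write; a value of
     * sizeof(buf) or more means the output was cut short, but buf is
     * still NUL-terminated. With sprintf() those extra bytes would have
     * been written past the end of the 80-byte buf. */
    pr_addr_wanted = n;
    pr_addr_truncated = (n < 0 || (size_t)n >= sizeof(buf));
    return buf;
}

/*
 * Constructed worst case: a 200-character reverse-DNS name for a private
 * address (192.168.0.1). Returns the formatted, truncated string.
 */
const char *overlong_name_demo(void)
{
    static char longname[201];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    return pr_addr_bounded(htonl(0xC0A80001), longname);
}

int main(void)
{
    const char *s;

    printf("%s\n", pr_addr_bounded(htonl(0xC0A80001), NULL));
    printf("%s\n", pr_addr_bounded(htonl(0xC0A80001), "gw.example"));

    s = overlong_name_demo();
    printf("%s\n", s);
    printf("kept %zu bytes, wanted %d, truncated=%d\n",
           strlen(s), pr_addr_wanted, pr_addr_truncated);
    return 0;
}
```

For the constructed 200-byte name the function keeps 79 bytes and reports that 214 were wanted: the difference is what the unpatched sprintf() would have written past the end of buf. In a hardened ping the truncated flag is also a useful thing to log, since a PTR record that does not fit in a display buffer is not something a normal resolver returns.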