Date:      Sat, 27 Jul 1996 08:35:03 -0700
From:      Cy Schubert <cy@cwsys.cwent.com>
To:        security-officer@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   Ping
Message-ID:  <199607271535.IAA04804@cwsys.cwent.com>

I've been catching up with some messages from Bugtraq.  It appears
that the problem described below matches the code in FreeBSD 2.1R
and CURRENT.

Following is a patch I've put together based on 2.1R.

------------ Cut here  -----------
Ping exposure:

The following fragment of code fixes a buffer overflow in ping that can be
used to execute arbitrary commands as root.  See file ping.bug for more
details.

--- ping.c.orig	Sat Jul 27 08:03:22 1996
+++ ping.c	Sat Jul 27 08:05:17 1996
@@ -959,9 +959,9 @@
 
 	if ((options & F_NUMERIC) ||
 	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
-		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
+		(void)snprintf(buf, 80, "%s", inet_ntoa(*(struct in_addr *)&l));
 	else
-		(void)sprintf(buf, "%s (%s)", hp->h_name,
+		(void)snprintf(buf, 80, "%s (%s)", hp->h_name,
 		    inet_ntoa(*(struct in_addr *)&l));
 	return(buf);
 }
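Review bot: the bound on both snprintf lines is the literal 80, which duplicates the size of the buffer it guards (`static char buf[80];` in the pr_addr() quoted in the forwarded post); write `snprintf(buf, sizeof(buf), ...)` so the limit cannot drift from the declaration if buf is ever resized. The `(void)` cast also discards the only signal snprintf gives about truncation, so an over-long reverse-DNS name now yields a silently clipped "name (addr" with the tail cut off instead of an overflow; that is the right trade, but checking the return value would let ping note the clipping.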
------------ Cut here  -----------


Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
ITSD                        Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."
------- Forwarded Message

Date: Sun, 21 Jul 1996 16:08:28 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Brian Mitchell <brian@saturn.net>
Subject: ping
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

There is a (somewhat difficult to exploit) security hole in the ping program
(NetKit-B/linux) - I imagine the hole is present in all BSD4.4-Lite based
unixes, but I have not checked.

pr_addr() has a buffer overflow which makes it possible to execute arbitrary
code. You do need a local account, unless you know someone on the system is
always doing a ping -v somehost, in which case it may be done remotely.

Here is the code in question:

/*
 * pr_addr --
 *      Return an ascii host address as a dotted quad and optionally with
 * a hostname.
 */
char *
pr_addr(l)
        u_long l;
{
        struct hostent *hp;
        static char buf[80];

        if ((options & F_NUMERIC) ||
            !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
                (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
        else
                (void)sprintf(buf, "%s (%s)", hp->h_name,
                    inet_ntoa(*(struct in_addr *)&l));
        return(buf);
}

This function is called when ping is running in -v mode (verbose) and it
receives a non-echo related icmp packet.

Something like this should take care of it, I would guess:

998c998
<               (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
- ---
>               (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr
*)&l));1000c1000
<               (void)sprintf(buf, "%s (%s)", hp->h_name,
- ---
>               (void)snprintf(buf, 75, "%s (%s)", hp->h_name,
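Review bot: the bound 75 in both replacement lines does not match the buffer it protects, `static char buf[80];` in the pr_addr() quoted above; `sizeof(buf)` would tie the limit to the declaration and remove both the unexplained 5-byte slack and any future mismatch. Two presentation problems also keep this fragment from applying as pasted: the first replacement line is wrapped mid-token with the next hunk header `1000c1000` fused onto its end, and the separator lines read `- ---` (dash-escaped, as a PGP clearsigned body renders a line beginning with `---`), so patch(1) will not accept it and a clean context or unified diff should be re-sent.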



Brian Mitchell                                          brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- - H. Truman


------- End of Forwarded Message
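As an added example (my code, not Cy's patch or the ping source), a bounded rewrite of the formatting step in pr_addr(): it takes the limit from the caller's buffer size instead of a literal, and it clips only the hostname so the dotted quad is never cut off, which goes one step beyond the posted patches. The names pr_addr_bounded, demo_format and demo_long_name are hypothetical, the 200-character reverse-DNS name is constructed, and inet_ntop stands in for inet_ntoa.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define PR_ADDR_BUFSZ 80   /* same size as ping's static buf[80] */

/* Bounded replacement for the format step of pr_addr() (hypothetical name).
 * Writes "addr" or "name (addr)" into out[outsz], always NUL-terminated,
 * clipping only the hostname so the dotted quad survives. name may be NULL
 * (numeric mode or no PTR record). Returns 1 if the name was clipped. */
int pr_addr_bounded(char *out, size_t outsz, struct in_addr a, const char *name)
{
    char dotted[INET_ADDRSTRLEN];
    const char *addr = inet_ntop(AF_INET, &a, dotted, sizeof dotted) ? dotted : "?";
    if (name == NULL) {
        snprintf(out, outsz, "%s", addr);
        return 0;
    }
    /* bytes needed besides the name: " (" + addr + ")" + NUL */
    size_t fixed = strlen(addr) + 4;
    size_t maxname = outsz > fixed ? outsz - fixed : 0;
    int clipped = strlen(name) > maxname;
    /* %.*s caps the hostname; the bound on out comes from the caller's sizeof */
    snprintf(out, outsz, "%.*s (%s)", (int)maxname, name, addr);
    return clipped;
}

static char demo_buf[PR_ADDR_BUFSZ];
static int demo_clipped;

/* Format a dotted quad plus name (NULL = numeric mode) into demo_buf. */
const char *demo_format(const char *ip, const char *name)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return NULL;
    demo_clipped = pr_addr_bounded(demo_buf, sizeof demo_buf, a, name);
    return demo_buf;
}
int demo_was_clipped(void) { return demo_clipped; }

/* Constructed 200-character reverse-DNS name, far longer than buf[80]. */
const char *demo_long_name(void)
{
    static char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    return demo_format("192.0.2.1", name);
}
```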




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199607271535.IAA04804>