Date: Sun, 8 Sep 1996 07:01:56 -0500 (CDT)
From: Karl <karl@Codebase.mcs.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Message-ID: <199609081201.HAA14432@Codebase.mcs.net>
Resent-Message-ID: <199609081210.FAA03737@freefall.freebsd.org>
>Number: 1581
>Category: bin
>Synopsis: Traceroute can be exploited to gain root privileges
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 8 05:10:01 PDT 1996
>Last-Modified:
>Originator: Karl
>Organization:
MCSNet
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
None
>Description:
Traceroute can be easily exploited due to lack of bounds checking
and SUID privileges to gain root access.
>How-To-Repeat:
Corrupt a PTR record to return more than approximately 350 bytes
of embedded i386 NOPs followed by asm code to call "execvp("/bin/sh")".
Root shell will follow :-)
>Fix:
Diff enclosed fixes problem. Two things are done:
1) strcpys replaced with strncpys specifying length
2) SUID privileges relinquished once socket is acquired; they
are no longer necessary.
PLEASE CONFIRM COMMIT OF THIS CHANGE.
Index: traceroute.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.10
diff -u -r1.10 traceroute.c
--- traceroute.c 1996/08/21 05:59:19 1.10
+++ traceroute.c 1996/09/08 11:54:43
@@ -427,7 +427,7 @@
to->sin_family = AF_INET;
to->sin_addr.s_addr = inet_addr(av[0]);
if (to->sin_addr.s_addr != -1) {
- (void) strcpy(hnamebuf, av[0]);
+ (void) strncpy(hnamebuf, av[0], sizeof(hnamebuf));
hostname = hnamebuf;
} else {
hp = gethostbyname(av[0]);
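Review bot: strncpy(hnamebuf, av[0], sizeof(hnamebuf)) stops the overflow but does not NUL-terminate hnamebuf when av[0] is sizeof(hnamebuf) bytes or longer, and the next line's hostname = hnamebuf then points at an unterminated string that the later Fprintf("traceroute to %s ...") reads past. Copy at most sizeof(hnamebuf) - 1 bytes and terminate explicitly, e.g. (void) strncpy(hnamebuf, av[0], sizeof(hnamebuf) - 1); hnamebuf[sizeof(hnamebuf) - 1] = '\0'; or reject an argument that long with an error, since no valid host name reaches that size.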
@@ -540,7 +540,7 @@
}
#endif IP_HDRINCL
}
-
+ setuid(getuid());
Fprintf(stderr, "traceroute to %s (%s)", hostname,
inet_ntoa(to->sin_addr));
if (source)
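Review bot: the return value of setuid(getuid()) is ignored; if the call fails the program silently keeps running as root through the name resolution this PR shows is exploitable. Check it and bail out, e.g. if (setuid(getuid()) != 0) { perror("setuid"); exit(1); }. The placement is right, since the raw socket and its options are set up above and nothing after this point needs the privilege. A style point: the hunk replaces the blank line between the closing brace and Fprintf rather than inserting after it; keep the blank line.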
@@ -869,7 +869,7 @@
first = 0;
if (gethostname(domain, MAXHOSTNAMELEN) == 0 &&
(cp = strchr(domain, '.')))
- (void) strcpy(domain, cp + 1);
+ (void) strncpy(domain, cp + 1, sizeof(domain));
else
domain[0] = 0;
}
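Review bot: strncpy(domain, cp + 1, sizeof(domain)) copies between overlapping regions: cp comes from strchr(domain, '.') two lines up, so the source lies inside the destination, and strcpy/strncpy are undefined for overlapping buffers (the original strcpy had the same defect). Because the source is a suffix of domain it is always shorter than the buffer, so the bound is not the problem in this hunk, the overlap is; use memmove(domain, cp + 1, strlen(cp + 1) + 1) instead. As written, strncpy also NUL-pads out to sizeof(domain) on every call, which is harmless here but pointless.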
@@ -884,7 +884,7 @@
}
}
if (cp)
- (void) strcpy(line, cp);
+ (void) strncpy(line, cp, sizeof(line));
else {
in.s_addr = ntohl(in.s_addr);
#define C(x) ((x) & 0xff)
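Review bot: this is the copy that the PTR-record attack in How-To-Repeat reaches (cp is the name handed back by the resolver), and strncpy(line, cp, sizeof(line)) leaves line without a terminating NUL whenever that name is sizeof(line) bytes or longer, so any later use of line as a C string reads past the buffer. Copy sizeof(line) - 1 bytes and set line[sizeof(line) - 1] = '\0'; the same pattern applies to the hnamebuf hunk above. Names from the resolver are untrusted input, so truncating (or refusing) an over-long reply is the correct behaviour.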
>Audit-Trail:
>Unformatted:
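Added illustration (example code written for this archive page, not code from the PR or from FreeBSD's traceroute): the two parts of the fix described above, a bounded copy of a resolver-supplied name into a fixed buffer and dropping the set-uid privilege, with the checks the patch itself leaves out. It shows why strncpy(dst, src, sizeof(dst)) on its own is not enough: it stops the overflow but leaves no terminator when the name fills the buffer. All names here (copy_name_strncpy, copy_name_bounded, long_name_is_terminated, drop_privileges, MAXLINE) are this example's own, and the 300-byte PTR name is constructed test data, not a real DNS reply.

```c
/* Example code for this page, not FreeBSD's traceroute.  Names and
 * buffer sizes are this example's own; the long PTR name is constructed. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define MAXLINE 64   /* stands in for traceroute's fixed line[] buffer */

/* The patch's form: strncpy(line, cp, sizeof(line)).  It prevents the
 * overflow, but when src is >= n bytes it leaves no terminating NUL, so a
 * later printf("%s") or strlen() reads past the buffer.
 * Returns 1 if dst came out NUL-terminated inside the buffer, else 0. */
int copy_name_strncpy(char *dst, size_t n, const char *src)
{
    (void) strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Hardened form: copy at most n-1 bytes and always terminate, so an
 * over-long name from a hostile PTR record is truncated, not trusted. */
int copy_name_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    (void) strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return memchr(dst, '\0', n) != NULL;   /* always 1 */
}

/* Constructed hostile PTR name: 'len' copies of one byte, the way the
 * report describes (a long run, NOPs in the real attack). */
void make_long_name(char *buf, size_t len, char fill)
{
    memset(buf, fill, len);
    buf[len] = '\0';
}

/* Scenario driver: copy a 300-byte name into a MAXLINE buffer with either
 * form; returns 1 if the buffer is NUL-terminated afterwards. */
int long_name_is_terminated(int use_bounded)
{
    char name[512];
    char line[MAXLINE];

    make_long_name(name, 300, 'A');            /* 300 bytes > MAXLINE */
    return use_bounded ? copy_name_bounded(line, sizeof line, name)
                       : copy_name_strncpy(line, sizeof line, name);
}

/* Short-name round trip: both forms keep a normal name intact.
 * Returns 1 if the copy equals the input. */
int short_name_roundtrip(int use_bounded)
{
    char line[MAXLINE];
    const char *name = "host.example";      /* constructed */

    if (use_bounded)
        copy_name_bounded(line, sizeof line, name);
    else
        copy_name_strncpy(line, sizeof line, name);
    return strcmp(line, name) == 0;
}

/* Give up the set-uid root privilege once the raw socket exists.  Unlike
 * the patch, check the result: a silent failure would leave name
 * resolution (the attack surface above) running as root.
 * Returns 0 on success, -1 if the drop failed or did not take effect. */
int drop_privileges(void)
{
    if (setuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

int main(void)
{
    /* The strncpy form leaves the long name unterminated (returns 0),
     * the bounded form terminates it (returns 1); then drop privilege. */
    (void) long_name_is_terminated(0);
    (void) long_name_is_terminated(1);
    return drop_privileges();
}
```

Build with cc and run it; the exit status is non-zero only if the privilege drop failed. Run as an ordinary user, setuid(getuid()) is a no-op that succeeds; run set-uid root, it discards root for real, which is the point of placing it right after socket creation.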
