From owner-freebsd-bugs Sun Sep 8 05:10:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA03743 for bugs-outgoing; Sun, 8 Sep 1996 05:10:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA03737; Sun, 8 Sep 1996 05:10:02 -0700 (PDT)
Resent-Date: Sun, 8 Sep 1996 05:10:02 -0700 (PDT)
Resent-Message-Id: <199609081210.FAA03737@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, karl@Codebase.mcs.net
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA03646 for ; Sun, 8 Sep 1996 05:03:13 -0700 (PDT)
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id FAA01067 for ; Sun, 8 Sep 1996 05:03:12 -0700 (PDT)
Received: (from root@localhost) by Codebase.mcs.net (8.7.5/8.6.12) id HAA14432; Sun, 8 Sep 1996 07:01:56 -0500 (CDT)
Message-Id: <199609081201.HAA14432@Codebase.mcs.net>
Date: Sun, 8 Sep 1996 07:01:56 -0500 (CDT)
From: Karl Reply-To: karl@Codebase.mcs.net To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1 Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Number: 1581 >Category: bin >Synopsis: Traceroute can be exploited to gain root privileges >Confidential: yes >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 8 05:10:01 PDT 1996 >Last-Modified: >Originator: Karl >Organization: MCSNet >Release: FreeBSD 2.2-CURRENT i386 >Environment: None >Description: Traceroute can be easily exploited due to lack of bounds checking and SUID privileges to gain root access. >How-To-Repeat: Corrupt a PTR record to return more than approximately 350 bytes of embedded i386 NOPs followed by asm code to call "execvp("/bin/sh")". Root shell will follow :-) >Fix: Diff enclosed fixes problem. Two things are done: 1) strcpys replaced with strncpys specifying length 2) SUID privileges relinquished once socket is acquired; they are no longer necessary. PLEASE CONFIRM COMMIT OF THIS CHANGE. Index: traceroute.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/traceroute/traceroute.c,v retrieving revision 1.10 diff -u -r1.10 traceroute.c --- traceroute.c 1996/08/21 05:59:19 1.10 +++ traceroute.c 1996/09/08 11:54:43 @@ -427,7 +427,7 @@ to->sin_family = AF_INET; to->sin_addr.s_addr = inet_addr(av[0]); if (to->sin_addr.s_addr != -1) { - (void) strcpy(hnamebuf, av[0]); + (void) strncpy(hnamebuf, av[0], sizeof(hnamebuf)); hostname = hnamebuf; } else { hp = gethostbyname(av[0]); @@ -540,7 +540,7 @@ } #endif IP_HDRINCL } - + setuid(getuid()); Fprintf(stderr, "traceroute to %s (%s)", hostname, inet_ntoa(to->sin_addr)); if (source) 
@@ -869,7 +869,7 @@ first = 0; if (gethostname(domain, MAXHOSTNAMELEN) == 0 && (cp = strchr(domain, '.'))) - (void) strcpy(domain, cp + 1); + (void) strncpy(domain, cp + 1, sizeof(domain)); else domain[0] = 0; } @@ -884,7 +884,7 @@ } } if (cp) - (void) strcpy(line, cp); + (void) strncpy(line, cp, sizeof(line)); else { in.s_addr = ntohl(in.s_addr); #define C(x) ((x) & 0xff) >Audit-Trail: >Unformatted:
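Review bot: In the hunk at -427 the replacement `strncpy(hnamebuf, av[0], sizeof(hnamebuf))` is not guaranteed to NUL-terminate: when av[0] is sizeof(hnamebuf) bytes or longer, strncpy writes no terminator, and the unterminated buffer is then used as `hostname` and printed with "%s", so an overflow is traded for an over-read. Copy at most `sizeof(hnamebuf) - 1` bytes and set `hnamebuf[sizeof(hnamebuf) - 1] = '\0'` explicitly, or reject an argument that does not fit.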
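Review bot: The `setuid(getuid())` added in the hunk at -540 does not check its return value; if the call fails the program silently carries on with full root privileges, the opposite of the fail-closed behaviour the fix intends. Test the result and exit on failure, for example `if (setuid(getuid()) != 0) { perror("setuid"); exit(1); }`. It would also help to say in the PR where the raw socket is created, so a reviewer can confirm that nothing after this point (a later setsockopt, for instance) still needs root.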
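Review bot: In the hunk at -869, `strncpy(domain, cp + 1, sizeof(domain))` copies between overlapping regions, since `cp` points inside `domain`; strncpy, like the strcpy it replaces, is undefined for overlapping source and destination. Use `memmove(domain, cp + 1, strlen(cp + 1) + 1)`, which is bounded here because the source is a suffix of the same buffer. Also worth confirming that `domain` is declared with at least MAXHOSTNAMELEN bytes, since the gethostname call two lines above writes up to that many, and that it is terminated afterwards, as gethostname does not guarantee a NUL when the name is truncated.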
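Review bot: The hunk at -884 has the same termination gap as the first one: `strncpy(line, cp, sizeof(line))` leaves `line` without a terminator whenever cp is sizeof(line) bytes or longer, and since this is the path the report describes (a name returned for the reverse lookup copied into a fixed buffer), an over-long PTR answer still reaches it. Bound the copy to `sizeof(line) - 1`, terminate explicitly, and treat a name that had to be truncated as untrusted output (fall through to printing the numeric address), so the over-long case is handled rather than merely contained.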
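Added example, not code from the PR or from FreeBSD's traceroute, illustrating the point in the Fix field about replacing strcpy with strncpy: a strncpy whose length equals the buffer size does not terminate an over-long source, so a bounded copy has to terminate explicitly. The 16-byte buffer size and the function names are assumptions chosen for illustration.

```c
/* Added example, not code from the PR or from FreeBSD's traceroute. It shows
 * why strncpy(dst, src, sizeof dst) alone does not terminate the string and
 * what a terminating bounded copy looks like. The 16-byte buffer is an
 * assumption chosen so that truncation is easy to see. */
#include <string.h>

#define HNAMEBUF_LEN 16

/* Copy src into dst[dstsize], always NUL-terminating dst.
 * Returns 1 if src had to be truncated, 0 otherwise. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);

    if (dstsize == 0)
        return 1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 includes the terminator */
    return 0;
}

/* The patch's idiom: strncpy with n == sizeof buf. When src is at least
 * sizeof buf long, no NUL is written at all and a later "%s" reads past
 * the buffer. Returns 1 if buf ends up unterminated, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[HNAMEBUF_LEN];

    memset(buf, 'X', sizeof buf);     /* poison so a missing NUL shows */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Copies src into a HNAMEBUF_LEN buffer with copy_bounded; returns the
 * truncation flag and the resulting string length through *len_out. */
int copy_into_hnamebuf(const char *src, size_t *len_out)
{
    char buf[HNAMEBUF_LEN];
    int truncated = copy_bounded(buf, sizeof buf, src);

    *len_out = strlen(buf);           /* safe: buf is always terminated */
    return truncated;
}
```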