Hi,
SuSE ships a different implementation of traceroute in the distributions.
It is not susceptible to the attacks as mentioned by other Linux vendors.
Regards,
Roman Drahtmüller.
--
- -
| Roman Drahtmüller
Hi,

according to bugtraq post from Chris Evans (chris@ferret.lmh.ox.ac.uk) from Sep. 29th traceroute version 1.4a5 seems to be vulnerable; Chris Evans wrote:

"VERSIONS AFFECTED
=================
(Where LBNL = Lawrence Berkeley National Laboratory)

Affected: LBNL 1.4a5
Safe: LBNL 1.4a7
Safe: RedHat7.0 traceroute (1.4a5 + a patch)

[...]

First, some background reading, namely Solar Designer's excellent discussion on the generic exploitation of heap overflows;
http://www.securityfocus.com/archive/1/71598

The discussion shows nicely how heap mismanagement is fatal. However, overflowing a malloc()'ed buffer is not the only bad thing you can do to the heap. In the case of traceroute, there was a reliable way of making traceroute call free() on a pointer that was not obtained with malloc().

This flaw in traceroute (if your version is vulnerable) is tickled like this:

traceroute -g 1 -g 1
(I think it didn't need a hostname)
Segmentation fault

Looking at the code, there is a file "savestr.c", which contains a function savestr(). This savestr() function is essentially a strdup() function, but with the difference that an attempt is made to cut down on the number of malloc() calls. This is accomplished by malloc()'ing a large block and handing out pointers _inside_ this block as savestr() is repeatedly called."

The traceroute version we use on several of our boxes running SuSE 6.0 -> 6.2 (1.4a5) segfaults by issuing the traceroute command line mentioned above. Is this (SuSE-)traceroute version really unsusceptible of being exploited with some piece of evil code? Why?

Boris

---
On 01-Oct-00 Roman Drahtmueller wrote:
Hi,
SuSE ships a different implementation of traceroute in the distributions. It is not susceptible to the attacks as mentioned by other Linux vendors.
Regards,
Roman Drahtmüller.
--
- -
| Roman Drahtmüller
"Caution: Cape does not | SuSE GmbH - Security
enable user to fly." | Nürnberg, Germany
(Batman Costume warning label) | [...]
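The pooled-allocation pattern described in the advisory quoted above, as an added example (it is not traceroute's savestr.c and not part of any message in this thread). It shows why a pointer handed out from inside one malloc()ed block is not a valid argument to free(), and an ownership check that refuses such a pointer; the names pool_savestr, pool_owns, release_str and POOL_SIZE are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 1024          /* assumed block size for this sketch */
static char *pool_base;         /* the only pointer malloc() returned */
static size_t pool_used;

/* strdup()-like: copies s into one shared block, returns a pointer inside it. */
char *pool_savestr(const char *s)
{
    size_t n = strlen(s) + 1;
    if (pool_base == NULL && (pool_base = malloc(POOL_SIZE)) == NULL)
        return NULL;
    if (n > POOL_SIZE - pool_used)
        return NULL;            /* sketch only: no second block */
    char *p = pool_base + pool_used;
    memcpy(p, s, n);
    pool_used += n;
    return p;
}

/* 1 if p points into the pool, so it must never be handed to free(). */
int pool_owns(const char *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool_base;
    return pool_base != NULL && a >= lo && a < lo + pool_used;
}

/* Frees p only if it is a stand-alone allocation; returns 1 if free() ran. */
int release_str(char *p)
{
    if (p == NULL || pool_owns(p))
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    char *g1 = pool_savestr("1");   /* constructed input: two "-g 1" values */
    char *g2 = pool_savestr("1");
    if (g1 == NULL || g2 == NULL)
        return 1;
    printf("g2 is %td bytes into the block; freed=%d\n",
           g2 - g1, release_str(g2));
    return 0;
}
```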
Hi,

On our Linux-Versions I cannot reproduce the segfaults you describe.

SuSE 6.1/6.2 should have traceroute 2.9.3 from nkita-99.11.11-0.rpm (or later)
SuSE 6.4: traceroute 6.0 GOLD from nkitb-2000.7.11-0.rpm (or later)
SuSE 7.0: traceroute 6.0 GOLD from nkitb-2000.7.16-4.rpm (or later)

Maybe you didn't apply all available patches?

Regards,
Martin

On Mon, 02 Oct 2000, bolo@lupa.de wrote:
This flaw in traceroute (if your version is vulnerable) is tickled like this:
traceroute -g 1 -g 1
(I think it didn't need a hostname)
Segmentation fault
...
The traceroute version we use on several of our boxes running SuSE 6.0 -> 6.2 (1.4a5) segfaults by issuing the traceroute command line mentioned above. Is this (SuSE-)traceroute version really unsusceptible of being exploited with some piece of evil code? Why?

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Tel.: +49-251-83-33557 Fax: +49-251-83-39083
E-Mail (work): lewelin@uni-muenster.de
Hi,

On our Linux-Versions I cannot reproduce the segfaults you describe.

SuSE 6.1/6.2 should have traceroute 2.9.3 from nkita-99.11.11-0.rpm (or later)
SuSE 6.4: traceroute 6.0 GOLD from nkitb-2000.7.11-0.rpm (or later)
SuSE 7.0: traceroute 6.0 GOLD from nkitb-2000.7.16-4.rpm (or later)
Maybe you didn't apply all available patches?
Regards, Martin
I'll have a closer look at it again.
Roman.
--
- -
| Roman Drahtmüller
bolo@lupa.de wrote:
The traceroute version we use on several of our boxes running SuSE 6.0 -> 6.2 (1.4a5) segfaults by issuing the traceroute command line mentioned above. Is this (SuSE-)traceroute version really unsusceptible of being exploited with some piece of evil code? Why?
At least SuSE 6.4 doesn't contain the LBNL traceroute anymore but another implementation of traceroute as Roman already said. This version seems to be safe.

Ingo

--
----------------------------
Ingo Klöcker
Lehrstuhl A für Mathematik
RWTH Aachen
52056 Aachen
----------------------------