Hi,

according to a bugtraq post from Chris Evans (chris@ferret.lmh.ox.ac.uk) from Sep. 29th, traceroute version 1.4a5 seems to be vulnerable; Chris Evans wrote:

"VERSIONS AFFECTED
=================
(Where LBNL = Lawrence Berkeley National Laboratory)
Affected: LBNL 1.4a5
Safe: LBNL 1.4a7
Safe: RedHat7.0 traceroute (1.4a5 + a patch)
[...]
First, some background reading, namely Solar Designer's excellent discussion on the generic exploitation of heap overflows; http://www.securityfocus.com/archive/1/71598
The discussion shows nicely how heap mismanagement is fatal. However, overflowing a malloc()'ed buffer is not the only bad thing you can do to the heap. In the case of traceroute, there was a reliable way of making traceroute call free() on a pointer that was not obtained with malloc().
This flaw in traceroute (if your version is vulnerable) is tickled like this:
traceroute -g 1 -g 1 (I think it didn't need a hostname)
Segmentation fault
Looking at the code, there is a file "savestr.c", which contains a function savestr(). This savestr() function is essentially a strdup() function, but with the difference that an attempt is made to cut down on the number of malloc() calls. This is accomplished by malloc()'ing a large block and handing out pointers _inside_ this block as savestr() is repeatedly called."

The traceroute version we use on several of our boxes running SuSE 6.0 -> 6.2 (1.4a5) segfaults by issuing the traceroute command line mentioned above. Is this (SuSE-)traceroute version really unsusceptible to being exploited with some piece of evil code? Why?

Boris

--- On 01-Oct-00 Roman Drahtmueller wrote:
Hi,
SuSE ships a different implementation of traceroute in the distributions. It is not susceptible to the attacks as mentioned by other Linux vendors.
Regards,
Roman Drahtmüller.
--
Roman Drahtmüller, SuSE GmbH - Security, Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
[...]
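To make the ownership mistake Chris Evans describes concrete, here is an added example (not code from the thread, from LBNL traceroute, or from SuSE): a constructed arena-style savestr() that hands out pointers inside one malloc()'d block, an is_malloc_owned() check that tells a malloc() base apart from an interior pointer, and a hypothetical set_saved_option() standing in for a repeated command-line option such as -g; ARENA_SIZE, MAX_ARENAS and the option handler are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Arena-style savestr() modelled on the scheme Chris Evans describes: one
 * large malloc()'d block, with pointers handed out from inside it as calls
 * repeat. Constructed illustration, not traceroute's own savestr.c. */
#define ARENA_SIZE 1024
#define MAX_ARENAS 16
static char  *arena_bases[MAX_ARENAS]; /* the only addresses malloc() returned */
static int    arena_count = 0;
static char  *arena_next  = NULL;
static size_t arena_left  = 0;

char *savestr(const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > arena_left) {                 /* block exhausted: allocate another */
        size_t sz = n > ARENA_SIZE ? n : ARENA_SIZE;
        char *blk = arena_count < MAX_ARENAS ? malloc(sz) : NULL;
        if (blk == NULL) return NULL;
        arena_bases[arena_count++] = blk;
        arena_next = blk;
        arena_left = sz;
    }
    char *p = memcpy(arena_next, s, n);   /* hand out a pointer INSIDE the block */
    arena_next += n;
    arena_left -= n;
    return p;
}

/* free() may only receive an address that malloc() returned. Every other
 * savestr() result is an interior pointer, and free() on it is undefined
 * behaviour: the crash behind "traceroute -g 1 -g 1". Arena blocks are
 * released as a whole via arena_bases[], never string by string. */
int is_malloc_owned(const char *p)
{
    for (int i = 0; i < arena_count; i++)
        if (p == arena_bases[i]) return 1;
    return 0;
}

/* Hypothetical option handler: a repeated option replaces the saved value. A
 * naive version would free(*slot) first; this one only overwrites the slot and
 * returns 1 if that free() would have hit a pointer malloc() never returned. */
int set_saved_option(char **slot, const char *value)
{
    int would_misfree = (*slot != NULL && !is_malloc_owned(*slot));
    *slot = savestr(value);
    return would_misfree;
}
```

Only the first string saved into a fresh block sits at a malloc() address; the second "-g 1" value is interior, so a free() of the previously saved value is exactly the non-malloc pointer the post describes.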