Buffer overflow in traceroute
- To: bugs_(_at_)_openbsd_(_dot_)_org
- Subject: Buffer overflow in traceroute
- From: Kevin Vajk <kvajk_(_at_)_ricochet_(_dot_)_net>
- Date: Sat, 13 Jun 1998 17:28:41 -0700 (PDT)
- Delivery-date: Sat Jun 13 17:30:27 1998
(Yes, I know it drops privileges immediately. But since it holds a raw
socket, it's a security liability. Besides, this is really in some
ways a remote attack, so it matters even to non-setuid programs.)
On the newly-formed Linux security audit project I've been participating
in, Chris Evans pointed out the danger of mistrusting information returned
from remote nameservers. In particular, the h_length structure.
Consider the following two lines from OpenBSD's traceroute.c:
memcpy(&gateway[lsrr], hp->h_addr, hp->h_length);
and
memcpy(&to.sin_addr, hp->h_addr, hp->h_length);
This is like using strncpy(), only the *remote* nameserver is dictating
how many bytes to copy. It should be changed to use the sizeof operator,
instead. Something like:
memcpy(dest, hp->h_addr, sizeof(dest));
(I recommend grep'ing for h_length on your source tree. We've been doing
it for Linux, and it's depressing what's been turning up.)
Anyhow, thanks for all your work on making OpenBSD so secure. It's a real
inspiration. (And it's finally a proof-of-concept of the common-sense
idea that proactive security really is the best.)
Thanks!
- Kevin Vajk
<kvajk_(_at_)_ricochet_(_dot_)_net>
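As an added illustration (not code from this mail or from OpenBSD's traceroute.c), here is the hardened form of the two memcpy() calls quoted above, with a constructed struct hostent standing in for a resolver result; the function names copy_host_addr, make_fake_hostent and demo are assumptions chosen for the example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hardened replacement for memcpy(&to.sin_addr, hp->h_addr, hp->h_length):
 * the copy length comes from sizeof on the destination, and the
 * resolver-supplied h_addrtype/h_length are checked instead of trusted.
 * Returns 0 on success, -1 if hp does not describe exactly one IPv4 address. */
int copy_host_addr(struct in_addr *dst, const struct hostent *hp)
{
    if (dst == NULL || hp == NULL || hp->h_addr_list == NULL ||
        hp->h_addr_list[0] == NULL)
        return -1;
    /* Whatever the remote nameserver claimed, only an AF_INET record whose
     * length matches struct in_addr is acceptable here. */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(*dst))
        return -1;
    memcpy(dst, hp->h_addr_list[0], sizeof(*dst));
    return 0;
}

/* Constructed stand-in for a resolver result: the caller picks h_length
 * independently of the data, as a hostile answer effectively can. */
struct hostent make_fake_hostent(char **addr_list, int addrtype, int length)
{
    struct hostent hp;
    memset(&hp, 0, sizeof(hp));
    hp.h_addrtype = addrtype;
    hp.h_length = length;
    hp.h_addr_list = addr_list;
    return hp;
}

/* Exercises a well-formed and an oversized h_length; returns 1 if the
 * check behaves as intended, 0 otherwise. */
int demo(void)
{
    /* Constructed 16-byte blob: 192.0.2.1 followed by filler bytes. */
    static unsigned char blob[16] = { 192, 0, 2, 1, 'A', 'A', 'A', 'A',
                                      'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    char *list[] = { (char *)blob, NULL };
    struct in_addr dst;
    struct hostent good = make_fake_hostent(list, AF_INET, 4);
    struct hostent bad  = make_fake_hostent(list, AF_INET, 16); /* h_length > 4 */

    if (copy_host_addr(&dst, &good) != 0) return 0;
    if (ntohl(dst.s_addr) != 0xC0000201u) return 0;        /* 192.0.2.1 */
    /* The original call would write all 16 bytes into a 4-byte field here. */
    if (copy_host_addr(&dst, &bad) != -1) return 0;
    return 1;
}
```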