
Buffer overflow in traceroute
(Yes, I know it drops privileges immediately.  But since it holds a raw
socket, it's a security liability.  Besides, this is really in some
ways a remote attack, so it matters even to non-setuid programs.)

On the newly-formed Linux security audit project I've been participating
in, Chris Evans pointed out the danger of mistrusting information returned
from remote nameservers.  In particular, the h_length structure.

Consider the following two lines from OpenBSD's traceroute.c:
    memcpy(&gateway[lsrr], hp->h_addr, hp->h_length);
and
    memcpy(&to.sin_addr, hp->h_addr, hp->h_length);

This is like using strncpy(), only the *remote* nameserver is dictating
how many bytes to copy.  It should be changed to use the sizeof operator,
instead.  Something like:
    memcpy(dest, hp->h_addr, sizeof(dest));

(I recommend grep'ing for h_length on your source tree.  We've been doing
it for Linux, and it's depressing what's been turning up.)

Anyhow, thanks for all your work on making OpenBSD so secure.  It's a real
inspiration.  (And it's finally a proof-of-concept of the common-sense
idea that proactive security really is the best.)

Thanks!

- Kevin Vajk
  <kvajk_(_at_)_ricochet_(_dot_)_net>
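The hazard the post describes, as an added example that is neither the author's code nor OpenBSD's traceroute.c: a `struct hostent` is built by hand (constructed data, not a real resolver answer) so that `h_length` can be set to a value larger than the 4-byte `struct in_addr` it is copied into. The unchecked copy mirrors the two quoted `memcpy()` lines; the hardened copy (`copy_hostent_addr`, a hypothetical name) checks the address family and requires `h_length` to equal the size of the caller's destination before copying, rejecting anything else. `h_addr_list[0]` is used directly because `h_addr` is a convenience macro for it in `<netdb.h>`.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Pattern from the post: the copy length comes from the resolver answer, so a
 * hostile nameserver decides how many bytes land in the 4-byte destination.
 * Shown for contrast only; the demos below never call it with bad input. */
void copy_hostent_addr_unchecked(struct in_addr *dst, const struct hostent *hp)
{
    memcpy(dst, hp->h_addr_list[0], hp->h_length);
}

/* Hardened form (hypothetical helper): the destination's own size bounds the
 * copy, and an answer that is not exactly one IPv4 address is refused.
 * Returns 0 on success, -1 when the answer is rejected. */
int copy_hostent_addr(struct in_addr *dst, const struct hostent *hp)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)          /* wrong family: sizes won't match */
        return -1;
    if (hp->h_length != (int)sizeof(*dst))  /* trust sizeof(dst), not the wire */
        return -1;
    memcpy(dst, hp->h_addr_list[0], sizeof(*dst));
    return 0;
}

/* Constructed hostent, not a real lookup: lets the caller choose h_addrtype
 * and h_length to exercise the checks. */
static struct hostent make_hostent(int family, int h_length, char *addr_bytes)
{
    static char name[] = "example.invalid";   /* constructed hostname */
    static char *aliases[1] = { NULL };
    static char *addr_list[2];
    struct hostent he;

    addr_list[0] = addr_bytes;
    addr_list[1] = NULL;
    memset(&he, 0, sizeof(he));
    he.h_name = name;
    he.h_aliases = aliases;
    he.h_addrtype = family;
    he.h_length = h_length;
    he.h_addr_list = addr_list;
    return he;
}

/* A well-formed answer (4 bytes, AF_INET) is copied intact. Returns 1 on success. */
int demo_valid_answer(void)
{
    static unsigned char addr[4] = { 192, 0, 2, 1 };  /* constructed: 192.0.2.1 */
    struct in_addr dst;
    struct hostent he = make_hostent(AF_INET, 4, (char *)addr);

    if (copy_hostent_addr(&dst, &he) != 0)
        return 0;
    return memcmp(&dst, addr, sizeof(dst)) == 0;
}

/* An answer claiming h_length == 64 is rejected and dst is left untouched,
 * where the unchecked copy would have written 60 bytes past the struct. */
int demo_oversized_length_rejected(void)
{
    static char big[64];
    struct in_addr dst = { 0 };
    struct hostent he;

    memset(big, 0x41, sizeof(big));         /* constructed filler bytes */
    he = make_hostent(AF_INET, 64, big);
    return copy_hostent_addr(&dst, &he) == -1 && dst.s_addr == 0;
}

/* A 16-byte AF_INET6 answer is also refused: the destination is IPv4-sized. */
int demo_wrong_family_rejected(void)
{
    static char v6[16];
    struct in_addr dst = { 0 };
    struct hostent he = make_hostent(AF_INET6, 16, v6);

    return copy_hostent_addr(&dst, &he) == -1 && dst.s_addr == 0;
}

int main(void)
{
    printf("valid answer copied:        %d\n", demo_valid_answer());
    printf("oversized length rejected:  %d\n", demo_oversized_length_rejected());
    printf("wrong family rejected:      %d\n", demo_wrong_family_rejected());
    return 0;
}
```

Requiring `h_length` to equal `sizeof(*dst)` is stricter than clamping the copy to `sizeof(dst)`, which is what the post's one-liner does; clamping stops the overrun, but an exact-size check also refuses truncated or wrong-family addresses instead of silently using half of one.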