SuSE Security Announcement: tracerouteOct 16, 2000, 19:24 (0 Talkback[s])
(Other stories by Roman Drahtmueller)
Date: Mon, 16 Oct 2000 16:16:07 +0200 (MEST)
SuSE Security Announcement Package: traceroute Announcement-ID: SuSE-SA:2000:041 Date: Monday, October 16th, 2000 16:10 MEST Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0 Vulnerability Type: local root compromise Severity (1-10): 6 SuSE default package: yes Other affected systems: Linux systems using the NANOG traceroute Content of this advisory: 1) security vulnerability resolved: traceroute problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
The security problem in the traceroute program as shipped with SuSE Linux distributions is completely different from the one reported on security mailing lists a few days ago (`traceroute -g 1 -g 1') by Pekka Savola . SuSE distributions do not contain this particular traceroute implementation. The problem in our traceroute was discovered independently and reported to us by H D Moore email@example.com. The problem in the implementation of traceroute that we ship is a format string parsing bug in a routine that can be used to terminate a line in traceroute's output to easily embed the program in cgi scripts as used for web frontends for traceroute. Using a specially crafted sequence of characters on the commandline, it is possile to trick the traceroute program into running arbitrary code as root.
If you want to temporarily work around this security vulnerability, you can disable traceroute for normal users by clearing the suid bit on the file /usr/sbin/traceroute: chmod -s /usr/sbin/traceroute . Do not forget to change the respective line in /etc/permissions to read:
/usr/sbin/traceroute root.root 755We have prepared update packages on our ftp server that eliminate the vulnerability in the traceroute program. Note that the traceroute program is contained in the nkita or the nkitb package, depending on the distribution version.
Download the update package from locations described below and
install the package with the command `rpm -Fhv file.rpm'. The
md5sum for each file is in the line below. You can verify the
integrity of the rpm files using the command
i386 Intel Platform:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
A set of security announcements is following this advisory.
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may subscribe:
SuSE's security contact is firstname.lastname@example.org.
- - | Roman Drahtmüller email@example.com // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -
0 Talkback[s] (click to add your comment)