Vulnerability in LBNL traceroute

Published: 2000-10-10
Updated: 2000-10-10
Severity: High
Threat level: Local administrator privileges
Error type: Input validation error
Exploitation method: Server mode

Affected systems

LBL traceroute 1.4a5

Detailed description

traceroute is installed with root privileges because it needs to use raw sockets. It contains a vulnerability in which free() is called on a pointer to memory that was not allocated.

When traceroute is run with the arguments "-g x -g x", the function savestr() is called twice. savestr() works like strdup() but without the extra malloc() calls, and is used when parsing the hostname or dotted IP address given with the -g parameter. It uses a preallocated block of memory instead of allocating its own. After the first "-g" is parsed and savestr() is called, the region used by savestr() is released with free(), so the pointer to it now refers to unallocated memory. Then, when the next "-g" argument is processed, free() is called, as it was the first time, on a pointer to the start of the data in the old, unallocated buffer. free() cannot find a valid malloc header for the pointer it is passed, and traceroute crashes.

Test code

The following test code can be downloaded:

http://www.securityfocus.com/data/vulnerabilities/exploits/traceroute-exp.txt
http://www.securityfocus.com/data/vulnerabilities/exploits/tracert-exp2.c

Solution

Download the updated packages:

Mandrake:

You can download the updates directly from:

  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Linux-Mandrake 6.0:
  1a4fa31d17673a14a19cc314109fea6f  6.0/RPMS/traceroute-1.4a5-12mdk.i586.rpm
  fb516b9873feb5603e50a50575d4044f  6.0/SRPMS/traceroute-1.4a5-12mdk.src.rpm

Linux-Mandrake 6.1:
  ff46d392fa729585f04ac4e00e9c55aa  6.1/RPMS/traceroute-1.4a5-12mdk.i586.rpm
  fb516b9873feb5603e50a50575d4044f  6.1/SRPMS/traceroute-1.4a5-12mdk.src.rpm

Linux-Mandrake 7.0:
  016b778a737cc26eab3b6c59757e135c  7.0/RPMS/traceroute-1.4a5-12mdk.i586.rpm
  fb516b9873feb5603e50a50575d4044f  7.0/SRPMS/traceroute-1.4a5-12mdk.src.rpm

Linux-Mandrake 7.1:
  956f739b513e353683f7a923ea716d06  7.1/RPMS/traceroute-1.4a5-12mdk.i586.rpm
  fb516b9873feb5603e50a50575d4044f  7.1/SRPMS/traceroute-1.4a5-12mdk.src.rpm

Conectiva:

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

  ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/traceroute-1.4a7-2cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/traceroute-1.4a7-2cl.i386.rpm

Caldera:

OpenLinux Desktop 2.3

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

Verification

  10a0865014f9a7adde15b1273a613672  RPMS/traceroute-1.4a5-9.i386.rpm
  9bccc641518d1e2726b61911913006ba  SRPMS/traceroute-1.4a5-9.src.rpm

OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

Verification

  8f65446f8da688c94d7a1090579b987c  RPMS/traceroute-1.4a5-9.i386.rpm
  9bccc641518d1e2726b61911913006ba  SRPMS/traceroute-1.4a5-9.src.rpm

OpenLinux eDesktop 2.4

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

Verification

  45cd9ac95771a444ace0e2275789ba11  RPMS/traceroute-1.4a5-9.i386.rpm
  9bccc641518d1e2726b61911913006ba  SRPMS/traceroute-1.4a5-9.src.rpm

Debian:

  Apt: deb http://http.us.debian.org/debian dists/proposed-updates/
  Http: http://http.us.debian.org/debian/dists/proposed-updates

  fa0c426fa84bf54ec33093bae90c1fdf  traceroute_1.4a5-3.diff.gz
  4bd7bc9ec1894c75e7ccba51e6a91cc6  traceroute_1.4a5-3.dsc
  6b3f20ecb08276c15715ae54ef8be0c7  traceroute_1.4a5-3_alpha.deb
  feba02e20848bdfafa6bf7dd9c594eba  traceroute_1.4a5-3_i386.deb
  fdc5a6ed3cd97067c4b7e1ddf7945287  traceroute_1.4a5-3_m68k.deb

Trustix Secure Linux 1.1 (1.0 users should upgrade to 1.1):

The new packages can be found at:

  http://www.trustix.net/download/Trustix/updates/1.1/RPMS/

or:

  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Packages:

  * traceroute-1.4a5-18tr.i586.rpm - Fixes local exploit recently discussed on bugtraq.
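
The savestr()/free() mismatch from the detailed description, modelled in C as an added example (not code from traceroute or from this advisory). arena_savestr(), is_malloc_pointer() and arena_reset() are hypothetical names, the block size is an assumption, and the two addresses are constructed sample values. It shows that only the first saved string shares its address with the malloc() block, so freeing it releases the buffer the helper keeps handing out, while the second pointer is not a valid argument to free() at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a savestr()-style helper as the advisory describes it: strings are
 * carved out of one preallocated block, not given one malloc() each.
 * All names and the block size are assumptions made for this example. */
#define ARENA_SIZE 1024
static char *arena_base;  /* the only address malloc() returned */
static char *arena_next;  /* next unused byte inside the block */
static size_t arena_left; /* bytes still unused in the block */

char *arena_savestr(const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > arena_left) { /* start a new block; the old one stays in use */
        arena_left = n > ARENA_SIZE ? n : ARENA_SIZE;
        arena_base = arena_next = malloc(arena_left);
        if (arena_base == NULL) { arena_left = 0; return NULL; }
    }
    char *p = memcpy(arena_next, s, n);
    arena_next += n;
    arena_left -= n;
    return p;
}

/* 1 only if p is the address malloc() returned, the one value free() accepts.
 * Even then, a caller that frees it leaves arena_next pointing at freed memory. */
int is_malloc_pointer(const char *p) { return p != NULL && p == arena_base; }

/* Safe release: free the block and clear the helper's state together, so no
 * later arena_savestr() call can hand out part of a freed block. */
void arena_reset(void)
{
    free(arena_base);
    arena_base = arena_next = NULL;
    arena_left = 0;
}

int main(void)
{
    char *g1 = arena_savestr("10.0.0.1"); /* constructed first -g value */
    char *g2 = arena_savestr("10.0.0.2"); /* constructed second -g value */
    printf("g1 ok for free(): %d, g2 ok for free(): %d, g2 offset: %td\n",
           is_malloc_pointer(g1), is_malloc_pointer(g2), g2 - g1);
    arena_reset(); /* the only correct way to give the block back */
    return 0;
}
```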