Mac OSX Ping and Traceroute Local Buffer Overflow

Saturday, 27 August 2005
Summary
The ping and traceroute programs shipped with Mac OS X are vulnerable to buffer overflows that allow a local attacker to execute arbitrary code with root privileges.
Credit:
The information has been provided by Suresec.
The original article can be found at: http://www.suresec.org/advisories/adv5.pdf
Details
Vulnerable Systems:
* Mac OS X version 10.4.2 and prior
CVE Information:
CAN-2005-2514
CAN-2005-2521
The ping and traceroute programs used in Mac OS X are vulnerable to a buffer overflow when they resolve an address back to a hostname. The name comes from gethostbyaddr(), i.e. from DNS or the local hosts database, so whoever controls the reverse lookup of the address being pinged or traced controls its length; a DNS name may be up to 255 characters. In ping, the hostname and the dotted-quad address are formatted with an unbounded sprintf() into a static buffer of 80 bytes, so the overflow begins with a name somewhat shorter than 80 characters. In traceroute, the hostname is copied with strcpy() into a static buffer of 50 bytes. Neither copy checks the length. Because both buffers are static, the overflow overwrites whatever follows them in the data segment rather than a stack return address, and because both programs run with root privileges the resulting code execution is as root.
Vulnerable Code:
ping

    /* ping.c, pr_addr(): format an address as "hostname (a.b.c.d)".
     * 'options' and F_NUMERIC are ping's globals for the -n flag and are
     * not shown in the advisory. */
    char *
    pr_addr(u_long l)
    {
        struct hostent *hp;
        static char buf[80];    /* fixed 80 bytes in the data segment */

        if ((options & F_NUMERIC) ||
            !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
            (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
        else
            /* hp->h_name comes from the reverse lookup; sprintf writes
             * name + " (" + dotted quad + ")" with no bound on buf */
            (void)sprintf(buf, "%s (%s)", hp->h_name,
                inet_ntoa(*(struct in_addr *)&l));
        return(buf);
    }
traceroute

    /* traceroute.c, inetname(): return the name for an address. The
     * elided parts ("...") are as in the advisory; 'nflag' is the -n flag. */
    char *
    inetname(struct in_addr in)
    {
        register char *cp;
        static char line[50];   /* fixed 50 bytes in the data segment */
        struct hostent *hp;
        static int first = 1;
        ...
        if (first && !nflag) {
            first = 0;
            ...
        }
        cp = 0;
        if (!nflag && in.s_addr != INADDR_ANY) {
            hp = gethostbyaddr((char *)&in, sizeof (in), AF_INET);
            if (hp) {
                ...
                cp = hp->h_name;    /* length controlled by the resolver */
            }
        }
        if (cp)
            (void) strcpy(line, cp);    /* unbounded copy into line[50] */
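The following is an added example, not code from the advisory or from Apple's ping/traceroute sources. It shows how far the two unbounded copies above run past their buffers for an oversized reverse-lookup name, and the bounded replacements (snprintf() for pr_addr(), a length-checked copy for inetname()) that keep the same output format. The struct hostent values are constructed inline to stand in for what gethostbyaddr() would return; the function names pr_addr_needed, pr_addr_safe, inetname_safe and the constructed_*_hostent helpers are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define PING_BUF  80   /* size of pr_addr()'s static buf[] */
#define TRACE_BUF 50   /* size of inetname()'s static line[] */

/* Bytes the original sprintf(buf, "%s (%s)", hp->h_name, ...) writes, NUL
 * included. Anything above PING_BUF ran past buf[] in the vulnerable
 * pr_addr(). Measured with snprintf(NULL, 0, ...), so nothing overflows. */
size_t pr_addr_needed(const struct hostent *hp, struct in_addr in)
{
    char addr[INET_ADDRSTRLEN];

    if (inet_ntop(AF_INET, &in, addr, sizeof addr) == NULL)
        addr[0] = '\0';
    return (size_t)snprintf(NULL, 0, "%s (%s)", hp->h_name, addr) + 1;
}

/* Hardened pr_addr(): same format, but snprintf() bounds the write and
 * always NUL-terminates, so an oversized name is truncated instead of
 * overwriting whatever follows buf[] in the data segment. */
char *pr_addr_safe(const struct hostent *hp, struct in_addr in, int numeric)
{
    static char buf[PING_BUF];
    char addr[INET_ADDRSTRLEN];

    /* inet_ntop() fills a caller-supplied buffer; inet_ntoa()'s shared
     * static buffer is not needed. */
    if (inet_ntop(AF_INET, &in, addr, sizeof addr) == NULL)
        addr[0] = '\0';
    if (numeric || hp == NULL || hp->h_name == NULL)
        snprintf(buf, sizeof buf, "%s", addr);
    else
        snprintf(buf, sizeof buf, "%s (%s)", hp->h_name, addr);
    return buf;
}

/* Stands in for traceroute's static line[50]. */
char trace_line[TRACE_BUF];

/* Hardened replacement for strcpy(line, cp): bounded copy that always
 * NUL-terminates. Returns 1 if the name was truncated, 0 if it fit, so the
 * caller can fall back to the numeric form if it prefers. */
int inetname_safe(const struct hostent *hp, char *line, size_t linesz)
{
    size_t n = strlen(hp->h_name);

    if (n >= linesz) {
        memcpy(line, hp->h_name, linesz - 1);
        line[linesz - 1] = '\0';
        return 1;
    }
    memcpy(line, hp->h_name, n + 1);
    return 0;
}

/* Constructed test data (not from the advisory): a 120-character name, as
 * gethostbyaddr() could return for a long PTR record or hosts entry. */
static char long_name[121];
static struct hostent long_hp;

const struct hostent *constructed_long_hostent(void)
{
    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    long_hp.h_name = long_name;
    long_hp.h_addrtype = AF_INET;
    long_hp.h_length = sizeof(struct in_addr);
    return &long_hp;
}

/* Constructed short name for the ordinary, non-overflowing case. */
static char short_name[] = "localhost";
static struct hostent short_hp;

const struct hostent *constructed_short_hostent(void)
{
    short_hp.h_name = short_name;
    short_hp.h_addrtype = AF_INET;
    short_hp.h_length = sizeof(struct in_addr);
    return &short_hp;
}

/* 127.0.0.1 as a struct in_addr. */
struct in_addr loopback_addr(void)
{
    struct in_addr in;
    in.s_addr = htonl(INADDR_LOOPBACK);
    return in;
}

int main(void)
{
    const struct hostent *hp = constructed_long_hostent();
    struct in_addr in = loopback_addr();

    printf("vulnerable pr_addr() would write %zu bytes into buf[%d]\n",
           pr_addr_needed(hp, in), PING_BUF);
    printf("hardened pr_addr(): %s\n", pr_addr_safe(hp, in, 0));
    printf("truncated=%d line=%s\n",
           inetname_safe(hp, trace_line, sizeof trace_line), trace_line);
    return 0;
}
```

With the 120-character name, the original ping format needs 133 bytes (name, " (", "127.0.0.1", ")" and the NUL) against an 80-byte buffer, and the original traceroute copy needs 121 bytes against 50. The bounded versions return 79- and 49-character strings instead. Truncating a hostname is acceptable for display output; what matters is that the length of a resolver-supplied string never decides how much memory is written.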
Vendor Status:
Apple has released a fix: Security Update 2005-007.