Multiple Vendor traceroute Large waittime DoS

1999-02-13T01:38:11
ID OSVDB:7574
Type osvdb
Reporter Alfonso De Gregorio (dira@speedcom.it)
Modified 1999-02-13T01:38:11

Description

Vulnerability Description

The traceroute program in NetBSD, Linux, and Digital Unix contains a flaw that may allow a remote denial of service. The issue is triggered when the waittime option, -w, is passed to traceroute with a large value. This will cause the waittime to effectively be set to 0, causing a flood of packets which will result in loss of availability for the targeted machine.

Technical Description

The waittime argument in traceroute is not correctly sanity checked. On the tested systems, where the size of an int is 4, the limit value is never greater than (1<<31)-1, that is ((1<<(sizeof(int)*8)-1)-1). When a very large value is passed to waittime, it can cause select(2) to return immediately after sending out a packet instead of waiting for the reply. Since traceroute also allows non-root users to set the source address for these packets, this allows a flood of spoofed traffic to be generated.

Solution Description

Upgrade to NetBSD version 1.3.4 or higher, or the appropriate version from your vendor, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch.
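
The kind of sanity check the Technical Description says is missing, shown as an added C example; it is not the vendor patch or traceroute's own code. The function names, the bounds of 1 second to 24 hours, and the 32-bit seconds model in reply_deadline are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy for this example (not from the advisory): 1 s to 24 h. */
#define WAIT_MIN 1L
#define WAIT_MAX (24L * 60L * 60L)

/* Parse a -w argument: digits only, within [WAIT_MIN, WAIT_MAX].
 * Returns 0 and stores the value in *out, or -1 if the argument is rejected. */
int parse_waittime(const char *arg, int *out)
{
    char *end;
    long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;                    /* empty, signed, or leading space */
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                    /* out of long range or trailing junk */
    if (v < WAIT_MIN || v > WAIT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Reply deadline in seconds on a 32-bit clock (modelling assumption).
 * Returns -1 instead of letting now_sec + waittime wrap negative. */
int reply_deadline(int32_t now_sec, int32_t waittime, int32_t *deadline)
{
    if (now_sec < 0 || waittime < 0 || now_sec > INT32_MAX - waittime)
        return -1;
    *deadline = now_sec + waittime;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = { "5", "86400", "0", "-1", "5x", "2147483647" };
    int w;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("-w %-10s -> %s\n", samples[i],
               parse_waittime(samples[i], &w) == 0 ? "accepted" : "rejected");
    return 0;
}
```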

References:

Vendor Specific Advisory URL
Related OSVDB ID: 7575
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999_1/0686.html
ISS X-Force ID: 6141
CVE-2000-0314