[VulnWatch] SRT2003-TURKEY-DAY - *novelty* - detecttr.c Trace Route detection vulnerability

From: KF (dotslash_at_snosoft.com)
Date: 11/27/03

  • Next message: Bugtraq Security Systems: "[VulnWatch] Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)"
    Date: Wed, 26 Nov 2003 21:45:25 -0500
    To: vulnwatch@vulnwatch.org

    *gobble* *gobble*.



    Secure Network Operations, Inc. http://www.secnetops.com/research
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    To learn more about our company, products and services or to request a
    demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
    call us at: 978-263-3829

    Quick Summary:
    Advisory Number : SRT2003-TURKEY-DAY *Gobble* *Gobble*
    Product : detecttr.c
    Version : modified on 11.07.97
    Vendor : baldor - http://phrack.org/show.php?p=51&a=3
    Class : Remote
    Criticality : Low
    Operating System(s) : Linux, FreeBSD, and other POSIX-systems

    The full technical details of this vulnerability can be found at:

    Basic Explanation
    High Level Description : detecttr has format strings issues.
    What to do : properly format the syslog call and recompile.

    Basic Technical Details
    Proof Of Concept Status : SNO has proof of concept.

    Low Level Description : Phrack Magazine Volume 7, Issue 51 which was
    released on September 01, 1997 contained an article titled "Tools for
    (paranoid ?) linux users" by an author known as baldor. This article was
    featured as part of the "Line Noise" located in section 0x04 from article
    03 of 17. In this article the author introduces a program for detecting
    traceroute activity. You can find this program in a variety of places
    including security archives, unix tool libraries, and search engines.

    The program in question is detecttr.c and it contains a remotely
    exploitable format strings issue. I have not yet decided if this was a
    deliberately placed backdoor or if it was a simple coding mistake.

    Either way...line 140 of detecttr.c is the problem child which leads to
    potential exploitation. DNS libraries during the time the article was
    written may have been ripe for easy exploitation of this issue. Passing
    a hostname directly to syslog() without a format specifier is a bad idea
    in most cases.

    Work Around : Apply the below code change.

    change syslog(LOG_NOTICE , buf);
    to syslog(LOG_NOTICE , "%s" , buf);

    Bugtraq URL : To be assigned.
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories but can be obtained under contract.. Contact our sales
    department at sales@secnetops.com for further information on how to
    obtain proof of concept code.

    Secure Network Operations, Inc. || http://www.secnetops.com
    "Embracing the future of technology, protecting you."


  • Next message: Bugtraq Security Systems: "[VulnWatch] Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)"

    Relevant Pages