From karl@Codebase.mcs.net  Sun Sep  8 05:03:13 1996
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA03646
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 8 Sep 1996 05:03:13 -0700 (PDT)
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89])
          by who.cdrom.com (8.7.5/8.6.11) with ESMTP id FAA01067
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 8 Sep 1996 05:03:12 -0700 (PDT)
Received: (from root@localhost) by Codebase.mcs.net (8.7.5/8.6.12) id HAA14432; Sun, 8 Sep 1996 07:01:56 -0500 (CDT)
Message-Id: <199609081201.HAA14432@Codebase.mcs.net>
Date: Sun, 8 Sep 1996 07:01:56 -0500 (CDT)
From: Karl <karl@Codebase.mcs.net>
Reply-To: karl@Codebase.mcs.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: Traceroute SECURITY PROBLEM -- PRIORITY 1
X-Send-Pr-Version: 3.2

>Number:         1581
>Category:       bin
>Synopsis:       Traceroute can be exploited to gain root privileges
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep  8 05:10:01 PDT 1996
>Closed-Date:    Mon Sep 9 17:53:13 PDT 1996
>Last-Modified:  Tue Nov 27 19:22:53 PST 2001
>Originator:     Karl
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
MCSNet
>Environment:

	None

>Description:

	Traceroute can be easily exploited due to lack of bounds checking
	and SUID privileges to gain root access.

>How-To-Repeat:

	Corrupt a PTR record to return more than approximately 350 bytes
	of embedded i386 NOPs followed by asm code to call "execvp("/bin/sh")".
	Root shell will follow :-)

>Fix:
	
	Diff enclosed fixes problem.  Two things are done:
	1)	strcpys replaced with strncpys specifying length
	2)	SUID privileges relinquished once socket is acquired; they
		are no longer necessary.

	PLEASE CONFIRM COMMIT OF THIS CHANGE.

Index: traceroute.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.10
diff -u -r1.10 traceroute.c
--- traceroute.c	1996/08/21 05:59:19	1.10
+++ traceroute.c	1996/09/08 11:54:43
@@ -427,7 +427,7 @@
 	to->sin_family = AF_INET;
 	to->sin_addr.s_addr = inet_addr(av[0]);
 	if (to->sin_addr.s_addr != -1) {
-		(void) strcpy(hnamebuf, av[0]);
+		(void) strncpy(hnamebuf, av[0], sizeof(hnamebuf));
 		hostname = hnamebuf;
 	} else {
 		hp = gethostbyname(av[0]);
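Review bot: the strncpy on the `+` line does not guarantee NUL termination: when strlen(av[0]) is sizeof(hnamebuf) or longer, hnamebuf is filled to the end with no terminator and the following `hostname = hnamebuf;` then hands an unterminated string to every later use. Copy at most sizeof(hnamebuf) - 1 bytes and set hnamebuf[sizeof(hnamebuf) - 1] = '\0' explicitly, or reject an argument longer than the buffer before copying. Note also that this hunk is at line 427, before the setuid(getuid()) the next hunk adds at line 540, so the argument and hostname handling here still runs with set-uid root privileges.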
@@ -540,7 +540,7 @@
 		}
 #endif IP_HDRINCL
 	}
-
+	setuid(getuid());
 	Fprintf(stderr, "traceroute to %s (%s)", hostname,
 		inet_ntoa(to->sin_addr));
 	if (source)
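Review bot: the return value of setuid(getuid()) on the `+` line is not checked; if the call fails the program silently keeps its root privileges, so test the result and exit on failure. The drop is also late: it sits at line 540, after the hostname parsing and gethostbyname() call at line 427 in the previous hunk, so that code still runs privileged. Since the raw sockets are the only thing that needs root, move the setuid to the point immediately after they are created, before any argument or name handling. Minor: the `-` line removes the blank separator rather than keeping it around the new call.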
@@ -869,7 +869,7 @@
 		first = 0;
 		if (gethostname(domain, MAXHOSTNAMELEN) == 0 &&
 		    (cp = strchr(domain, '.')))
-			(void) strcpy(domain, cp + 1);
+			(void) strncpy(domain, cp + 1, sizeof(domain));
 		else
 			domain[0] = 0;
 	}
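Review bot: the source and destination overlap on the `+` line: cp points inside domain, so strncpy(domain, cp + 1, sizeof(domain)) copies within the same buffer, which is undefined behaviour for strncpy just as it was for the strcpy it replaces. Use memmove(domain, cp + 1, strlen(cp + 1) + 1) instead; no length limit is needed here because the suffix being moved already fits in the buffer it lives in, so the real defect in this hunk is the overlap, not an overflow.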
@@ -884,7 +884,7 @@
 		}
 	}
 	if (cp)
-		(void) strcpy(line, cp);
+		(void) strncpy(line, cp, sizeof(line));
 	else {
 		in.s_addr = ntohl(in.s_addr);
 #define C(x)	((x) & 0xff)
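Review bot: same termination problem as in the first hunk: strncpy(line, cp, sizeof(line)) on the `+` line leaves line unterminated when the name in cp is sizeof(line) bytes or longer, which is exactly the over-long reverse-lookup name the report describes. Copy at most sizeof(line) - 1 bytes and write line[sizeof(line) - 1] = '\0' explicitly, or check strlen(cp) against the buffer before copying and fall through to the numeric form in the else branch when it does not fit.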
>Release-Note:
>Audit-Trail:

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: karl@Codebase.mcs.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Date: Sun, 8 Sep 1996 15:33:16 +0200

 According to Karl:
 > 	Diff enclosed fixes problem.  Two things are done:
 > 	1)	strcpys replaced with strncpys specifying length
 > 	2)	SUID privileges relinquished once socket is acquired; they
 > 		are no longer necessary.
 
 While I agree with the strcpy -> strncpy changes, you should note that
 privileges are relinquished for a long time...
 
 #ifndef lint
 static char *rcsid =
     "@(#)$Header: /spare/FreeBSD-current/src/usr.sbin/traceroute/traceroute.c,v 1.10 1996/08/21 05:59:19 peter Exp $ (LBL)";
 #endif
 
 [...line 299...]
         /*
          * Do the setuid-required stuff first, then lose priveleges ASAP.
          * Do error checking for these two calls where they appeared in
          * the original code.
          */
         pe = getprotobyname("icmp");
         if (pe) {
                 if ((s = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
                         sockerrno = errno;
                 else if ((sndsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
                         sockerrno = errno;
         }
 
         setuid(getuid());
 [...]
 
 So the attack can't be used for getting root priv.
 -- 
 Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
 FreeBSD keltia.freenix.fr 2.2-CURRENT #21: Sun Sep  8 14:35:00 MET DST 1996
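The two fixes the report proposes (bounded copies, dropping set-uid privileges once the raw sockets exist) and the point raised in the reply above (drop them as early as possible and do it reliably) are shown below in a small C example. This is an added illustration, not code from the PR's patch or from FreeBSD's traceroute; the function names copy_bounded, strip_first_label, drop_privileges, strncpy_left_terminator and the demo_* helpers, the buffer size HNAMEBUF_SIZE and the sample host names are all constructed for the example. It demonstrates why strncpy() alone is not enough (it does not terminate when the source fills the buffer), why the in-place domain strip needs memmove() rather than strcpy(), and how to check that a privilege drop actually took effect.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define HNAMEBUF_SIZE 64   /* constructed buffer size for the demo */

/* Show the strncpy() pitfall: returns 1 if dst still contains a NUL
 * after strncpy(dst, src, dstsize), 0 if the copy left it unterminated.
 * dst is pre-filled with 'X' so a missing terminator is observable. */
int strncpy_left_terminator(const char *src, size_t dstsize)
{
    char dst[64];
    if (dstsize > sizeof(dst)) dstsize = sizeof(dst);
    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Bounded copy that always NUL-terminates, truncating if needed.
 * Returns 1 if the copy was truncated, 0 otherwise. This is the
 * replacement for the bare strncpy() calls in the patch. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len;
    if (dstsize == 0) return 1;
    len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Strip the leading label of a hostname in place (the "domain" idiom).
 * Source and destination overlap, so memmove() is required; strcpy()
 * and strncpy() are undefined on overlapping buffers. Returns 1 if a
 * label was stripped, 0 if there was no dot (name becomes empty). */
int strip_first_label(char *name)
{
    char *dot = strchr(name, '.');
    if (dot == NULL) { name[0] = '\0'; return 0; }
    memmove(name, dot + 1, strlen(dot + 1) + 1);
    return 1;
}

/* Drop set-uid privileges and verify the drop took effect.
 * Returns 0 on success, -1 if setuid() failed or the effective uid
 * still differs from the real uid. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    if (geteuid() != real || getuid() != real)
        return -1;
    return 0;
}

/* Constructed over-long name (399 bytes, as an over-long reverse lookup
 * result might be) copied into a small buffer: it is truncated rather
 * than overflowing. Returns the resulting string length. */
size_t demo_long_ptr(void)
{
    char hnamebuf[HNAMEBUF_SIZE];
    char longname[400];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    copy_bounded(hnamebuf, sizeof(hnamebuf), longname);
    return strlen(hnamebuf);
}

/* Constructed name for the in-place strip; returns 1 if the result is
 * "example.org" as expected. */
int demo_strip_label(void)
{
    char name[] = "host.example.org";
    return strip_first_label(name) == 1 && strcmp(name, "example.org") == 0;
}

int main(void)
{
    printf("strncpy terminated 16-byte name into 8 bytes: %d\n",
           strncpy_left_terminator("host.example.org", 8));
    printf("bounded copy of 399-byte name -> length %zu\n", demo_long_ptr());
    printf("label strip ok: %d\n", demo_strip_label());
    printf("privileges dropped: %s\n", drop_privileges() == 0 ? "yes" : "NO");
    return 0;
}
```

The design point is that each copy is checked for fit and terminated regardless of the input length, and that drop_privileges() both checks the setuid() return value and re-reads the ids afterwards; a drop that is assumed rather than verified is the failure mode the report's second fix is meant to close.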

From: Bill Fenner <fenner@parc.xerox.com>
To: karl@codebase.mcs.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1 
Date: Mon, 9 Sep 1996 16:45:52 PDT

 On August 13, I added setuid(getuid()) at the earliest place possible
 in traceroute (even before parsing args), so even though your additional
 changes should be made, -current's traceroute is already safe.
 
   Bill
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Mon Sep 9 17:53:13 PDT 1996 
State-Changed-Why:  
The setuid(getuid()) was added in rev 1.7 on August 13; the 
strncpy fixes went in to rev 1.11. 
>Unformatted:
