Bug 447884 (CVE-2008-2357)

Summary: CVE-2008-2357 mtr: stack buffer overflow triggerable by long DNS name
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2357
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 18:50:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-05-22 10:02:03 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2357 to the following vulnerability:

Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record.  NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr.

Refences:
http://www.securityfocus.com/archive/1/archive/1/492260/100/0/threaded
http://seclists.org/fulldisclosure/2008/May/0488.html
http://marc.info/?l=bugtraq&m=121129521624280&w=4
http://www.openwall.com/lists/oss-security/2008/05/20/5
ftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff
http://secunia.com/advisories/30312
Comment 1 Tomas Hoger 2008-05-22 10:13:12 UTC 
This issue does not affect mtr packages as shipped in Red Hat Enterprise Linux 4
and 5 and all current Fedora versions.  The problem was resolved in the patch
for other security issue -- CVE-2002-0497 -- mtr-0.XX-CVE-2002-0497.patch, which
replaces problematic sprintf with snprintf.  Version of mtr as shipped in Red
Hat Enterprise Linux 2.1 and 3 are affected.

http://cvs.fedoraproject.org/viewcvs/rpms/mtr/F-7/mtr-0.69-CVE-2002-0497.patch

This issue can only be exploited when an attacker can convince victim to use mtr
to trace path to or via the IP, for which an attacker controls PTR DNS records.
 Additionally, victim must run mtr in "split mode" by providing -p or --split
command line options.

The purpose of the split mode is to support GUI mtr front-ends, that would only
display information gathered by mtr.  However, there is probably no front-end
program using this mtr feature, so it's unlikely mtr is started in split mode
without explicit user request.
Comment 2 Tomas Hoger 2008-05-22 10:21:10 UTC 
mtr in Red Hat Enterprise Linux and Fedora is not installed with setuid bit set,
so this issue can not be used for local privilege escalation on affected versions.
Comment 3 Zdenek Prikryl 2008-05-22 11:31:18 UTC 
I went through versions of mtr and I confirm that only RHEL {2.1, 3} are affected.