Bug 18611 - Unfortunate regression in "ping" security
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: iputils
Version: 7.0
Hardware/OS: i386 Linux
Priority: medium
Severity: medium
Assigned To: Crutcher Dunnavant
QA Contact: Aaron Brown
Keywords: Security
Reported: 2000-10-07 13:16 EDT by Chris Evans
Modified: 2007-04-18 12:29 EDT
Doc Type: Bug Fix
Last Closed: 2000-10-10 15:12:38 EDT
Attachments: None

Description Chris Evans 2000-10-07 13:16:14 EDT
[Note: I've marked this bug as "BETA team" only. That's the best I can do
to stop any old dude finding this report]

Here's a copy of a mail I sent describing the sorry state of iputils
"ping". It needs a good audit. Or you could just adopt OpenBSD's ping,
porting across any new features in iputils ping.
...
Hi,

Show of hands please, who is shipping "ping" from iputils? The following
is relative to "iputils-20000418-6", e.g. RH7.0's version.

We had just about got the netkit ping secure, so hey we'd better regress
by all starting to ship iputils ping which seems to have been forked from
a somewhat less secure base.

Details

- Fails to drop privilege at startup after getting the raw socket

- Buffer overflow (not on stack) in pr_addr():
...
        static char buf[256];
...
                sprintf(buf, "%s (%s)", hp->h_name,
                        inet_ntoa(*(struct in_addr *)&addr));
...

AFAIK, with glibc, hp->h_name has MAXHOSTLEN of 1024


- Small buffer overflow of size "struct timeval" above output packet buffer

- And another possible larger buffer overflow in the same area,
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ping/ping.c?r1=1.36&r2=1.37

- Ooh, just found a URL describing the first overflow flaw
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ping/ping.c?r1=1.3&r2=1.4

- Unreliable nul termination of buffers, e.g.
strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1);
(missing explicit NULL termination)

- VERY WORRYING looking stack-based overflow
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ping/ping.c?r1=1.27&r2=1.28

- Another buffer mismanagement flaw in the same area (read off end)
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ping/ping.c?r1=1.28&r2=1.29


Bit of an embarrassment, this, really.

Cheers
Chris
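The two buffer bugs quoted in the mail above (the sprintf() into a static 256-byte buf, and the strncpy() that never writes a terminator) together with the missing privilege drop, worked through in C. This is an added example and is not iputils code or part of Chris Evans's mail; the 1024-byte hostname and the address 192.0.2.1 are constructed test data standing in for a resolver answer, and the function names (pr_addr_safe, copy_hostname, drop_privileges) are this example's own.

```c
/* Added example, not iputils code: the pr_addr() and hnamebuf patterns
 * from the report above, in hardened form, plus the privilege drop the
 * report says ping omits.  The 1024-byte hostname and the address
 * 192.0.2.1 are constructed test data, not resolver output. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAXHOSTLEN 1024            /* an h_name glibc may hand back */

static char long_name[MAXHOSTLEN + 1];
static char hnamebuf[64];          /* same role as ping's hnamebuf */

/* Constructed worst-case resolver answer: MAXHOSTLEN bytes of 'a'. */
const char *long_hostname(void)
{
    memset(long_name, 'a', MAXHOSTLEN);
    long_name[MAXHOSTLEN] = '\0';
    return long_name;
}

/* Constructed peer address (TEST-NET-1, RFC 5737). */
struct in_addr example_addr(void)
{
    struct in_addr a;
    a.s_addr = inet_addr("192.0.2.1");
    return a;
}

/* How many bytes sprintf(buf, "%s (%s)", ...) would write, NUL included.
 * With a MAXHOSTLEN name this is far more than pr_addr's 256-byte buf:
 * everything past byte 256 lands in whatever the linker placed after it
 * in .bss, which is the "luck" comment 3 below refers to. */
size_t pr_addr_needed(const char *hname, struct in_addr addr)
{
    return (size_t)snprintf(NULL, 0, "%s (%s)", hname, inet_ntoa(addr)) + 1;
}

/* Hardened pr_addr(): bounded write into the same static buffer.  snprintf
 * always NUL-terminates, so the worst case is a truncated name, not a
 * corrupted .bss. */
const char *pr_addr_safe(const char *hname, struct in_addr addr)
{
    static char buf[256];
    if (snprintf(buf, sizeof buf, "%s (%s)", hname, inet_ntoa(addr)) < 0)
        buf[0] = '\0';
    return buf;
}

/* strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1) from the report
 * leaves the last byte untouched when the name fills the buffer; the
 * explicit terminator is the missing step. */
char *copy_hostname(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return dst;
}

/* Give up root for good.  Called right after the raw socket exists:
 * nothing later in ping needs privilege, so an overflow afterwards
 * yields only the already-open socket, not uid 0. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    /* setuid() as root also resets the saved uid: regaining 0 must fail. */
    if (geteuid() != ruid || (ruid != 0 && setuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Order matters: raw socket first (needs root), then drop. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        perror("socket(SOCK_RAW) failed (expected without root)");
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("sprintf would write %zu bytes into a 256-byte buffer\n",
           pr_addr_needed(long_hostname(), example_addr()));
    printf("snprintf result: %zu bytes\n",
           strlen(pr_addr_safe(long_hostname(), example_addr())));
    printf("hnamebuf: %zu bytes\n",
           strlen(copy_hostname(hnamebuf, sizeof hnamebuf, long_hostname())));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run as an ordinary user the raw socket() call fails and the program carries on, which is the point: the privilege drop and the string handling are testable without root, and under root the same code leaves the process with only the socket it already opened.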
Comment 1 Chris Evans 2000-10-07 17:58:30 EDT
Update! Update! Read all about it..
Turns out many of these issues are already fixed in the recently released:
iputils-ss000928.tar.gz
(RH7.0 is based off iputils-ss000418.tar.gz which, to be fair, was the most
recent at freeze time!)

The most recent iputils still has a couple of minor overflows, though
(although they will of course yield a raw socket to an attacker rather than
full blown access!)

Patches to most recent iputils to appear..
Comment 2 Chris Evans 2000-10-09 18:24:46 EDT
An update.. a new upstream iputils package with all known ping security bugs
will probably be out soon.
I'll update this bug with its location when it's out.
Comment 3 Chris Evans 2000-10-10 15:12:32 EDT
New version of iputils with all known ping security bugs fixed:
ftp://ftp.inr.ac.ru/ip-routing/iputils-ss001010.tar.gz

Your call as to whether to do an update or not guys. I don't think any of the
bugs can lead to root compromise. However this is only due to luck. It all
depends on how the compiler lays out the static variables in the BSS. There are
a few statics that, if overwritten, could easily lead to a compromise. In the
current x86 binary, I believe things are safe.. but.. :-)

I'd be tempted to do an update. Better safe than sorry?
Comment 4 Jeff Johnson 2000-10-10 16:20:59 EDT
Fixed in iputils-20001010-1.
Comment 5 Matt Wilson 2000-10-18 11:56:49 EDT
Making this readable by everyone, as it is referenced in our errata advisory.
