Bug 447884 - (CVE-2008-2357) CVE-2008-2357 mtr: stack buffer overflow triggerable by long DNS name
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=vendor-sec,reported=20080319,p...
Keywords: Security
Reported: 2008-05-22 06:02 EDT by Tomas Hoger
Modified: 2016-03-04 07:54 EST (History)
Last Closed: 2010-12-23 13:50:59 EST
Description Tomas Hoger 2008-05-22 06:02:03 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2357 to the following vulnerability:

Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record.  NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr.

References:
http://www.securityfocus.com/archive/1/archive/1/492260/100/0/threaded
http://seclists.org/fulldisclosure/2008/May/0488.html
http://marc.info/?l=bugtraq&m=121129521624280&w=4
http://www.openwall.com/lists/oss-security/2008/05/20/5
ftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff
http://secunia.com/advisories/30312
Comment 1 Tomas Hoger 2008-05-22 06:13:12 EDT
This issue does not affect mtr packages as shipped in Red Hat Enterprise Linux 4
and 5 and all current Fedora versions.  The problem was resolved in the patch
for another security issue -- CVE-2002-0497 -- mtr-0.XX-CVE-2002-0497.patch, which
replaces the problematic sprintf with snprintf.  Versions of mtr as shipped in Red
Hat Enterprise Linux 2.1 and 3 are affected.

http://cvs.fedoraproject.org/viewcvs/rpms/mtr/F-7/mtr-0.69-CVE-2002-0497.patch

This issue can only be exploited when an attacker can convince the victim to use mtr
to trace the path to or via an IP for which the attacker controls PTR DNS records.
Additionally, the victim must run mtr in "split mode" by providing the -p or --split
command line option.

The purpose of the split mode is to support GUI mtr front-ends that would only
display information gathered by mtr.  However, there is probably no front-end
program using this mtr feature, so it's unlikely mtr is started in split mode
without an explicit user request.
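The pattern behind this bug and its fix, as an added C example that is not mtr's code and not part of the original report: a fixed-size stack line buffer, a formatter that fills it from a resolver-supplied host name, and the snprintf replacement that comment 1 describes. The buffer size (LINE_SIZE), the format string, and the escaping routine are assumptions for illustration; the escaping is a simplified model of how ns_name_ntop expands non-printable name bytes to `\DDD`, which is why a 255-octet wire name (the RFC 1035 maximum) can reach about 1020 bytes in presentation form, far more than a buffer sized for ordinary host names. The example computes the required length with snprintf(NULL, 0, ...) instead of actually triggering the overflow.

```c
/*
 * Added example, not mtr's code.  Models the sprintf -> snprintf fix for a
 * split-mode output line.  LINE_SIZE, the format string and the escaping
 * routine are assumptions chosen for illustration.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINE_SIZE    256  /* assumed fixed stack buffer; not mtr's real size */
#define DNS_NAME_MAX 255  /* RFC 1035: a wire-format name is at most 255 octets */

/* Simplified model of resolver presentation-form escaping: printable ASCII is
 * copied as-is, every other byte becomes "\DDD" (one input byte -> four output
 * bytes).  Returns bytes written excluding the NUL, or (size_t)-1 if the
 * output buffer is too small. */
size_t escape_dns_name(const unsigned char *in, size_t inlen, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (isprint(c) && c != '\\') {
            if (o + 1 >= outsz) return (size_t)-1;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) return (size_t)-1;
            o += (size_t)snprintf(out + o, outsz - o, "\\%03u", c); /* 4 chars */
        }
    }
    out[o] = '\0';
    return o;
}

/* Bytes the formatted line needs (excluding the NUL), computed without
 * writing anywhere.  A pre-fix sprintf into a LINE_SIZE stack buffer would
 * have written this many bytes regardless of the buffer's size. */
size_t split_line_needed(const char *host, int hop, int loss_pct, int avg_ms)
{
    return (size_t)snprintf(NULL, 0, "%d %s %d%% %d", hop, host, loss_pct, avg_ms);
}

/* Hardened formatter: the snprintf pattern comment 1 attributes to the
 * CVE-2002-0497 patch.  Returns true if the whole line fit, false if it was
 * truncated; callers should treat truncation as an error, not print it. */
bool format_split_line(char *line, size_t linesz, const char *host,
                       int hop, int loss_pct, int avg_ms)
{
    int n = snprintf(line, linesz, "%d %s %d%% %d", hop, host, loss_pct, avg_ms);
    return n >= 0 && (size_t)n < linesz;
}

/* The attacker's lever: a maximum-length PTR name made entirely of
 * non-printable bytes (constructed input), expanded to presentation form.
 * Fills pres and returns its length. */
size_t worst_case_ptr_name(char *pres, size_t pressz)
{
    unsigned char wire[DNS_NAME_MAX];
    memset(wire, 0x01, sizeof wire); /* 255 bytes of 0x01 -> 255 x "\001" */
    return escape_dns_name(wire, sizeof wire, pres, pressz);
}

int main(void)
{
    char pres[4 * DNS_NAME_MAX + 1];
    char line[LINE_SIZE];
    size_t plen = worst_case_ptr_name(pres, sizeof pres);
    size_t need = split_line_needed(pres, 3, 0, 12);
    bool ok = format_split_line(line, sizeof line, pres, 3, 0, 12);

    printf("presentation-form name: %zu bytes\n", plen);
    printf("split line needs %zu bytes, buffer is %d bytes: %s\n", need, LINE_SIZE,
           ok ? "fits" : "truncated by snprintf (sprintf would have overflowed)");
    return 0;
}
```

The check worth keeping from this is the one in format_split_line: snprintf alone only stops the overwrite, and a caller that ignores its return value will print a silently truncated line, which matters for a split-mode consumer that parses the output field by field.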
Comment 2 Tomas Hoger 2008-05-22 06:21:10 EDT
mtr in Red Hat Enterprise Linux and Fedora is not installed with the setuid bit set,
so this issue cannot be used for local privilege escalation on affected versions.
Comment 3 Zdenek Prikryl 2008-05-22 07:31:18 EDT
I went through versions of mtr and I confirm that only RHEL {2.1, 3} are affected.
