Description of Problem:
Possible traceroute6 security flaw, demo follows
n.b. you need the ipv6 module loaded (luckily?)
[chris@localhost chris]$ /usr/sbin/traceroute6 ::1 8
traceroute to ::1 (::1) from ::1, 30 hops max, 8 byte packets
Steps to Reproduce:
Looking at the code, this looks to be a heap mismanagement
flaw - data is written over the end of a malloc chunk. May
or may not be exploitable.
Note that traceroute6 drops root privs and just retains a
raw socket, so severity is limited.
I will notify vendor-sec shortly and cc: Alexey (iputils
Note: there might be other issues; I caught this via a
quick sanity scan, since traceroute6 is a new suid-root
binary in RH7.2beta3.
This defect is considered SHOULD-FIX for Fairfax
Fixed in iputils-20001110-6. Soon to appear on rawhide.
Read ya, Phil
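The following is an added illustration of the bug class this report describes (a probe buffer sized from the user-supplied packet length, into which a fixed-size header is then written), written here for this page; it is not the iputils traceroute6 source and was not posted by any participant in the thread. The header layout (struct probe_hdr), the 65535-byte ceiling and the function names are assumptions chosen for the demonstration; the only property that matters is that the header is larger than the 8 bytes requested on the command line.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical probe header (assumption: the real iputils struct is not
 * shown on the page). 24 bytes, i.e. larger than the "8" in the report. */
struct probe_hdr {
    uint32_t seq;        /* probe sequence number */
    uint32_t hops;       /* hop limit used for this probe */
    uint64_t sent_sec;   /* send timestamp, seconds */
    uint64_t sent_usec;  /* send timestamp, microseconds */
};

#define MAX_PACKET 65535u   /* assumed upper bound for one probe */

/* Vulnerable shape, kept for reading (or for running under ASan), not
 * called below: the chunk is sized from datalen, but the whole header is
 * written regardless. With datalen 8, sizeof(struct probe_hdr) - 8 bytes
 * land past the end of the malloc chunk, the heap overwrite the report
 * describes. */
unsigned char *vulnerable_build(unsigned datalen, uint32_t seq, uint32_t hops) {
    unsigned char *pkt = malloc(datalen);
    if (!pkt) return NULL;
    struct probe_hdr *h = (struct probe_hdr *)pkt;   /* UB when datalen < sizeof *h */
    h->seq = seq;
    h->hops = hops;
    h->sent_sec = 0;
    h->sent_usec = 0;
    return pkt;
}

/* Hardened argument handling: parse strictly and refuse any length the
 * header does not fit in, or larger than the biggest packet we send.
 * Returns 0 and stores the accepted length, -1 on rejection. */
int parse_datalen(const char *arg, unsigned *out) {
    char *end;
    unsigned long v;
    if (arg == NULL || arg[0] == '\0' || arg[0] == '-') return -1; /* strtoul accepts "-8" silently */
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (*end != '\0' || errno == ERANGE) return -1;
    if (v < sizeof(struct probe_hdr) || v > MAX_PACKET) return -1;
    *out = (unsigned)v;
    return 0;
}

/* Hardened builder: re-checks the bound at the point of allocation, so the
 * header write can never exceed the chunk, then fills the payload with a
 * recognisable pattern. Returns the buffer and stores its length. */
unsigned char *safe_build(unsigned datalen, uint32_t seq, uint32_t hops, size_t *len) {
    unsigned char *pkt;
    struct probe_hdr h;
    if (datalen < sizeof h || datalen > MAX_PACKET) return NULL;
    pkt = malloc(datalen);
    if (!pkt) return NULL;
    h.seq = seq;
    h.hops = hops;
    h.sent_sec = 0;
    h.sent_usec = 0;
    memcpy(pkt, &h, sizeof h);
    memset(pkt + sizeof h, 0x41, datalen - sizeof h);
    *len = datalen;
    return pkt;
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "8";   /* "8" is the argument from the report */
    unsigned n;
    size_t len;
    unsigned char *pkt;

    if (parse_datalen(arg, &n) != 0) {
        fprintf(stderr, "refusing packet length '%s': need %zu..%u bytes\n",
                arg, sizeof(struct probe_hdr), MAX_PACKET);
        return 1;
    }
    pkt = safe_build(n, 1, 1, &len);
    if (!pkt) return 1;
    printf("built %zu-byte probe\n", len);
    free(pkt);
    return 0;
}
```

Run without arguments and it refuses the report's "8" before any allocation happens; run with a value of 24 or more and it builds the probe. The design point is that the bound is enforced twice, once when the argument is parsed and once where the buffer is sized, so a later caller that bypasses the parser still cannot reach the overflow.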