Bug 447884 (CVE-2008-2357) - CVE-2008-2357 mtr: stack buffer overflow triggerable by long DNS name
Summary: CVE-2008-2357 mtr: stack buffer overflow triggerable by long DNS name
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2008-2357
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-05-22 10:02 UTC by Tomas Hoger
Modified: 2021-11-12 19:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-23 18:50:59 UTC
Embargoed:



Description Tomas Hoger 2008-05-22 10:02:03 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2357 to the following vulnerability:

Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record.  NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr.

References:
http://www.securityfocus.com/archive/1/archive/1/492260/100/0/threaded
http://seclists.org/fulldisclosure/2008/May/0488.html
http://marc.info/?l=bugtraq&m=121129521624280&w=4
http://www.openwall.com/lists/oss-security/2008/05/20/5
ftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff
http://secunia.com/advisories/30312

Comment 1 Tomas Hoger 2008-05-22 10:13:12 UTC
This issue does not affect mtr packages as shipped in Red Hat Enterprise Linux 4
and 5, or any current Fedora version.  The problem was resolved in the patch
for another security issue, CVE-2002-0497 (mtr-0.XX-CVE-2002-0497.patch), which
replaces the problematic sprintf with snprintf.  Versions of mtr as shipped in Red
Hat Enterprise Linux 2.1 and 3 are affected.

http://cvs.fedoraproject.org/viewcvs/rpms/mtr/F-7/mtr-0.69-CVE-2002-0497.patch

This issue can only be exploited when an attacker can convince the victim to use mtr
to trace the path to or via an IP for which the attacker controls the PTR DNS
records.  Additionally, the victim must run mtr in "split mode" by providing the
-p or --split command line option.

The purpose of the split mode is to support GUI mtr front-ends that would only
display information gathered by mtr.  However, there is probably no front-end
program using this mtr feature, so it is unlikely that mtr is started in split mode
without an explicit user request.
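
The bug class from the description (sprintf of a resolver-supplied PTR name into a fixed stack buffer) next to the snprintf replacement described in comment 1, as an added C example. This is not mtr's split.c and not the Red Hat patch: the buffer size LINE_BUF, the line format, and the function names are assumptions for illustration, and the 300-character hostname is constructed input standing in for an attacker-controlled PTR record.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical size of the per-hop line buffer; the real split.c size is
 * not given on this page. What matters is that it is fixed. */
#define LINE_BUF 128

/* Vulnerable form (assumed, modelled on the report): sprintf("%s") of a
 * PTR name into a fixed buffer. The name length is chosen by whoever
 * controls the reverse zone, so any fixed buffer can be exceeded.
 * Calling this with a long name is undefined behaviour; the demo below
 * measures the overflow instead of performing it. */
void format_hop_unsafe(char line[LINE_BUF], int hop, const char *host, int loss)
{
    sprintf(line, "%d %s %d%%", hop, host, loss);
}

/* Hardened form (the snprintf replacement from comment 1): the write is
 * bounded by len and the caller learns whether truncation happened.
 * Returns 1 if truncated, 0 if the line fit, -1 on encoding error. */
int format_hop_safe(char *line, size_t len, int hop, const char *host, int loss)
{
    int n = snprintf(line, len, "%d %s %d%%", hop, host, loss);
    if (n < 0)
        return -1;
    return (size_t)n >= len ? 1 : 0;
}

/* Bytes (including the NUL) that format_hop_unsafe would write for this
 * input, computed with snprintf(NULL, 0, ...) so nothing is written. */
size_t unsafe_write_size(int hop, const char *host, int loss)
{
    int n = snprintf(NULL, 0, "%d %s %d%%", hop, host, loss);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Constructed input: a syntactically ordinary hostname of `total` characters
 * built from 63-character labels (the DNS maximum) separated by dots.
 * Returns the length written, or 0 if cap is too small to hold it. */
size_t build_long_ptr_name(char *out, size_t cap, size_t total)
{
    size_t i;
    if (total + 1 > cap)
        return 0;
    for (i = 0; i < total; i++)
        out[i] = (i % 64 == 63) ? '.' : 'a';
    out[total] = '\0';
    return total;
}

int main(void)
{
    char name[512];
    char line[LINE_BUF];
    size_t need;

    build_long_ptr_name(name, sizeof name, 300);
    need = unsafe_write_size(5, name, 0);
    printf("sprintf path would write %zu bytes into a %d-byte buffer: %s\n",
           need, LINE_BUF, need > LINE_BUF ? "OVERFLOW" : "fits");

    if (format_hop_safe(line, sizeof line, 5, name, 0) == 1)
        printf("snprintf path truncated to %zu chars: %.20s...\n",
               strlen(line), line);

    format_hop_safe(line, sizeof line, 5, "router.example", 0);
    printf("snprintf path, short name: %s\n", line);
    return 0;
}
```

The unsafe function is kept only to show the pattern; main never calls it with the long name. The truncation flag from the safe variant is worth keeping: a silently shortened hostname is harmless on a display line, but anything that later parses the line (a front-end consuming split-mode output, for instance) should be told it is incomplete.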

Comment 2 Tomas Hoger 2008-05-22 10:21:10 UTC
mtr in Red Hat Enterprise Linux and Fedora is not installed with the setuid bit set,
so this issue cannot be used for local privilege escalation on affected versions.

Comment 3 Zdenek Prikryl 2008-05-22 11:31:18 UTC
I went through versions of mtr and I confirm that only RHEL {2.1, 3} are affected.

