Multiple Vendor mtr Vulnerability
BID:1038
Info
Multiple Vendor mtr Vulnerability
| Bugtraq ID: | 1038 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 03 2000 12:00AM |
| Updated: | Mar 03 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on March 3, 2000 by Viktor Fougstedt <[email protected]> |
| Vulnerable: |
Turbolinux Turbolinux 6.0.2 Turbolinux Turbolinux 4.4 Turbolinux Turbolinux 4.2 Turbolinux Turbolinux 3.5 b2 Matt Kimball and Roger Wolff mtr 0.41 Matt Kimball and Roger Wolff mtr 0.28 |
| Not Vulnerable: |
Matt Kimball and Roger Wolff mtr 0.42 |
Discussion
Multiple Vendor mtr Vulnerability
A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.
It has been suggested that most Linux distributions which include mtr utilize version 0.28. This version is vulnerable. Please consult your distribution website for more information.
A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.
It has been suggested that most Linux distributions which include mtr utilize version 0.28. This version is vulnerable. Please consult your distribution website for more information.
Exploit / POC
Solution / Fix
Multiple Vendor mtr Vulnerability
Solution:
Users of mtr should upgrade to version mtr-0.42 or later. An interim solution may be to remove the setuid bit. This will prevent non-root users from being able to gain any root privileges, although it will affect their use of mtr.
TurboLinux has issued a new package to fix this problem in versions 6.0.2 and prior.
Solution:
Users of mtr should upgrade to version mtr-0.42 or later. An interim solution may be to remove the setuid bit. This will prevent non-root users from being able to gain any root privileges, although it will affect their use of mtr.
TurboLinux has issued a new package to fix this problem in versions 6.0.2 and prior.
References
Multiple Vendor mtr Vulnerability
References:
References: