Przemyslaw Frasunek wrote:
> Few days ago, a new version of mtr has been released. Authors wrote

Ah. That's me..... :-)

As usual, I would have preferred to have heard from you before posting to BugTraq.

> in CHANGELOG, that they fixed a non-exploitable buffer overflow.
> In fact, this vulnerability is very easily exploitable and allows
> attacker to gain access to raw socket, which makes possible ip spoofing
> and other malicious network activity.

Have you read the SECURITY document that comes with mtr? It explains exactly that if you break mtr security, you will get access to the raw socket. If you (or your distribution) install mtr setuid, then that's the risk you take. The mtr distribution doesn't install mtr setuid.

Now, I must confess that I do it myself too. But I know the risks I'm taking (none: all people who have access to the setuid binary also have the root password).

I'm afraid that of course distributions will have to make the decision for their users and will choose 'setuid'. mtr is indeed kind of useless without that.

By the way, if you link mtr with gtk and/or curses, then I'm convinced that you'll be able to find security bugs in those libraries which allow you to do the same thing....

Anyway, from a security viewpoint, having access to a raw socket is something that requires root access to get, so normally that will actually GIVE you root access once you have it. As bugs in the libraries that mtr links to are almost certain, mtr has root leaks as soon as it's installed setuid.

I'm glad that the fixes predate the exploits again. :-)

Roger.

--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.