Date: 1/8/98 6:16:06 PM
From: Christopher Masto
Subject: Re: riptrace.c
To: (""@LOCAL)

On Thu, Jan 08, 1998 at 03:19:03PM -0600, Aleph One wrote:
> More goodies from rootshell.com.
>
> http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/riptrace.c
>
> /*
>  * BSD 4.4 based routed trace file exploit
>  *
>  * (C) 1997 Rootshell [ http://www.rootshell.com/ ]
>  *
>  *
>  *
>  * routed has the ability for a packet to be sent to the daemon that will
>  * turn on debug mode. The packet is able to specify the file which is
>  * later opened without any checks being placed on that file open.
>  *
>  * Result: You can append to any file on the filesystem.
>  *
>  * The following syscall is made AS ROOT.
>  *
>  * ftrace = fopen(file, "a");
>  *
>  * This is obviously a LARGE problem.

A cursory examination of the FreeBSD routed sources indicates...

input.c handles the command this way:

    case RIPCMD_TRACEON:
    case RIPCMD_TRACEOFF:
        /* verify message came from a privileged port */
        if (ntohs(from->sin_port) > IPPORT_RESERVED) {
            msglog("trace command from untrusted port on %s",
                   naddr_ntoa(FROM_NADDR));
            return;
        }
        if (aifp == 0) {
            msglog("trace command from unknown router %s",
                   naddr_ntoa(FROM_NADDR));
            return;
        }
        if (rip->rip_cmd == RIPCMD_TRACEON) {
            rip->rip_tracefile[cc-4] = '\0';
            set_tracefile((char*)rip->rip_tracefile,
                          "trace command: %s\n", 0);
        } else {
            trace_off("tracing turned off by %s\n",
                      naddr_ntoa(FROM_NADDR));
        }
        return;

trace.c then has these checks in the set_tracefile function:

    /* Allow the file specified with "-T file" to be reopened,
     * but require all other names specified over the net to
     * match the official path.  The path can specify a directory
     * in which the file is to be created.
     */
    if (strcmp(filename, inittracename)
#ifdef _PATH_TRACE
        && (strncmp(filename, _PATH_TRACE, sizeof(_PATH_TRACE)-1)
            || strstr(filename,"../")
            || 0 > stat(_PATH_TRACE, &stbuf))
#endif
        ) {
        msglog("wrong trace file \"%s\"", filename);
        return;
    }

    /* If the new tracefile exists, it must be a regular file.
     */
    if (stat(filename, &stbuf) >= 0
        && (stbuf.st_mode & S_IFMT) != S_IFREG) {
        msglog("wrong type (%#x) of trace file \"%s\"",
               stbuf.st_mode, filename);
        return;
    }

    fn = filename;
    }

    if (fn != 0) {
        n_ftrace = fopen(fn, "a");
        ...

This version seems to have come from SGI at some point.
--
= Christopher Masto = chris@netmonger.net = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:info@netmonger.net =
"... who'd want a lossy TIFF?" -- Kibo
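[Editor's added example. The C below is neither the routed source nor the rootshell exploit; it was written for this page to let a reader exercise, offline, the two excerpts quoted in the message: the trace-on message as input.c terminates it (a 4-byte RIP header followed by the file name, with the terminator written at offset cc-4), the privileged-port test, the name policy from set_tracefile(), and the two stat() checks that decide whether the root fopen(file, "a") happens. Assumptions, none of which come from the message: the numeric value of RIPCMD_TRACEON, the 4-byte header layout, a scratch directory under /tmp standing in for the build-time _PATH_TRACE, and all function names (rip_trace_filename, trace_name_allowed, trace_request_verdict, build_traceon, demo), which are hypothetical. The five requests in demo() are constructed test input.]

```c
/* Added example, not code from routed or from the rootshell post.  Models the
 * trace-on handling quoted above so the difference between an unchecked
 * fopen(file, "a") and the checked one can be exercised against a scratch dir. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RIPCMD_TRACEON  3        /* assumed value; see <protocols/routed.h> */
#define RIP_HDR_LEN     4        /* rip_cmd, rip_vers, two zero bytes (assumed) */
#define IPPORT_RESERVED 1024

enum verdict { TR_OK = 0, TR_BAD_PORT, TR_BAD_MSG, TR_BAD_NAME, TR_BAD_TYPE };

/* Copy the file name out of a cc-byte message.  input.c writes the terminator at
 * rip_tracefile[cc-4], so the name is everything after the header. */
int rip_trace_filename(const unsigned char *pkt, size_t cc, char *out, size_t outlen)
{
    if (cc < RIP_HDR_LEN || cc - RIP_HDR_LEN >= outlen || pkt[0] != RIPCMD_TRACEON)
        return -1;
    memcpy(out, pkt + RIP_HDR_LEN, cc - RIP_HDR_LEN);
    out[cc - RIP_HDR_LEN] = '\0';
    return 0;
}

/* String half of set_tracefile()'s test: the operator's "-T file" may always be
 * reopened; any other name must start with tracedir and must not contain "../". */
int trace_name_allowed(const char *name, const char *inittracename, const char *tracedir)
{
    if (inittracename != NULL && strcmp(name, inittracename) == 0)
        return 1;
    if (strncmp(name, tracedir, strlen(tracedir)) != 0)
        return 0;
    return strstr(name, "../") == NULL;
}

/* Whole decision for one trace-on request, in the order the excerpts apply it. */
enum verdict trace_request_verdict(unsigned src_port, const unsigned char *pkt, size_t cc,
                                   const char *inittracename, const char *tracedir,
                                   char *name, size_t namelen)
{
    struct stat st;
    if (src_port > IPPORT_RESERVED)
        return TR_BAD_PORT;                       /* "untrusted port" */
    if (rip_trace_filename(pkt, cc, name, namelen) != 0)
        return TR_BAD_MSG;
    if (!trace_name_allowed(name, inittracename, tracedir) || stat(tracedir, &st) < 0)
        return TR_BAD_NAME;                       /* "wrong trace file" */
    if (stat(name, &st) == 0 && !S_ISREG(st.st_mode))
        return TR_BAD_TYPE;                       /* exists but is not a regular file */
    return TR_OK;                                 /* only here would fopen(name, "a") run */
}

/* Constructed trace-on message: header plus an unterminated name, as on the wire. */
size_t build_traceon(unsigned char *buf, size_t buflen, const char *name)
{
    size_t n = strlen(name);
    if (n + RIP_HDR_LEN > buflen)
        return 0;
    buf[0] = RIPCMD_TRACEON; buf[1] = 1; buf[2] = 0; buf[3] = 0;
    memcpy(buf + RIP_HDR_LEN, name, n);
    return n + RIP_HDR_LEN;
}

/* Runs five constructed requests against a scratch directory standing in for
 * _PATH_TRACE; returns how many verdicts differed from the expected one. */
int demo(void)
{
    char dir[64], inside[128], dotdot[128], name[256];
    unsigned char pkt[512];
    int wrong = 0;

    snprintf(dir, sizeof dir, "/tmp/riptrace.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(inside, sizeof inside, "%s/trace", dir);
    snprintf(dotdot, sizeof dotdot, "%s/../../etc/passwd", dir);

    struct { const char *file; unsigned port; enum verdict want; } cases[] = {
        { inside,        520,   TR_OK       },   /* under the trace dir, privileged port */
        { inside,        40000, TR_BAD_PORT },   /* same name, unprivileged source port */
        { "/etc/passwd", 520,   TR_BAD_NAME },   /* outside the trace dir entirely */
        { dotdot,        520,   TR_BAD_NAME },   /* prefix matches, but "../" escapes it */
        { dir,           520,   TR_BAD_TYPE },   /* exists and is a directory, not S_IFREG */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t cc = build_traceon(pkt, sizeof pkt, cases[i].file);
        enum verdict got = trace_request_verdict(cases[i].port, pkt, cc, NULL, dir,
                                                 name, sizeof name);
        if (got != cases[i].want)
            wrong++;
        else if (got != TR_BAD_PORT && strcmp(name, cases[i].file) != 0)
            wrong++;                              /* parsed name must round-trip */
    }
    rmdir(dir);
    return wrong;
}

int main(void)
{
    int wrong = demo();
    printf("unexpected verdicts: %d\n", wrong);
    return wrong != 0;
}
```

One point worth keeping in mind when reading the trace.c excerpt: its prefix test compares only the first sizeof(_PATH_TRACE)-1 bytes of the name, so what it admits depends on whether _PATH_TRACE is a file name or, as the comment allows, a directory. The example reproduces that comparison rather than tightening it, and makes the directory an explicit parameter so the same policy can be run against a scratch directory without touching /var/log.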