Unrated severity · NVD Advisory · Published Jun 29, 2005 · Updated Jun 16, 2026

CVE-2005-2071

Description

traceroute in Sun Solaris 10 on x86 systems allows local users to execute arbitrary code with PRIV_NET_RAWACCESS privileges via (1) a large number of -g arguments or (2) a malformed -s argument with a trailing . (dot).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing bounds checking on the number of `-g` gateway arguments allows stack buffer overflow, and improper validation of the `-s` source address argument causes heap corruption."

Attack vector

A local attacker triggers the `-g` overflow by passing 10 or more `-g` arguments followed by a crafted IP address that encodes a return address and shellcode. The IP address bytes overwrite the saved return address on the stack, and the shellcode is placed in one of the `-g` arguments. For the `-s` vulnerability, a malformed source address with a trailing dot (e.g. `127.0.0.1.`) causes heap corruption during `freeaddrinfo()`, which can be leveraged for arbitrary code execution. Both vectors require only local shell access and no special privileges beyond those already held by the `traceroute` binary [ref_id=1].

Affected code

The vulnerability resides in `/usr/sbin/traceroute` on Solaris 10 x86 systems. The `-g` (gateway) argument handler suffers from a buffer overflow when 10 or more `-g` parameters are supplied, overwriting the return address with the IP address argument. The `-s` (source) argument handler causes heap corruption when given a malformed value with a trailing dot, leading to a crash in `freeaddrinfo()` called from `main()` [ref_id=1].

What the fix does

The advisory does not include a patch or vendor fix. The researcher notes the vulnerability is specific to Solaris 10 and does not affect Solaris 8, 9, or OpenSolaris, suggesting the bug was introduced in the Solaris 10 codebase. No remediation guidance is provided in the reference write-up beyond the implicit observation that the flaw is absent in earlier releases [ref_id=1].
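The two input checks whose absence the root cause describes can be sketched in C as follows. This is an added example, not Solaris source or a vendor patch; `MAX_GWS`, `gw_list`, `add_gateway` and `parse_ipv4_strict` are hypothetical names, and the limit of 9 is an assumption drawn from the page's statement that 10 or more `-g` values overflow.

```c
/* Added illustration only: not Solaris traceroute source or a vendor patch. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define MAX_GWS 9 /* assumed limit: the page reports overflow at 10 or more -g values */

struct gw_list {            /* hypothetical fixed-size gateway table */
    struct in_addr gw[MAX_GWS];
    int count;
};

/* Accept only a complete dotted quad. inet_pton() returns 0 for inputs such
 * as "127.0.0.1.", so they are rejected here. */
int parse_ipv4_strict(const char *s, struct in_addr *out)
{
    if (s == NULL || *s == '\0' || strlen(s) >= INET_ADDRSTRLEN)
        return -1;
    return inet_pton(AF_INET, s, out) == 1 ? 0 : -1;
}

/* Store one -g value. The count is checked before the write, so an extra
 * argument is refused rather than written past the end of gw[]. */
int add_gateway(struct gw_list *l, const char *arg)
{
    struct in_addr a;

    if (l->count >= MAX_GWS)
        return -1;              /* too many gateways */
    if (parse_ipv4_strict(arg, &a) != 0)
        return -2;              /* malformed address */
    l->gw[l->count++] = a;
    return 0;
}

int main(void)
{
    struct gw_list l = { .count = 0 };
    struct in_addr src;

    for (int i = 1; i <= 10; i++)   /* constructed input: ten -g values */
        printf("-g #%d -> %d\n", i, add_gateway(&l, "192.0.2.1"));
    printf("-s 127.0.0.1.  -> %d\n", parse_ipv4_strict("127.0.0.1.", &src));
    return 0;
}
```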

Preconditions

  • auth: Attacker must have local shell access to a Solaris 10 x86 system
  • config: The traceroute binary must be present and executable at /usr/sbin/traceroute
  • auth: No additional privileges required beyond those of the invoking user

Reproduction

1. Supply 10 or more `-g` arguments with a crafted IP address as the target: `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 127.0.0.1`. This causes a segmentation fault with the return address overwritten by `0x0100007f` (the IP bytes).
2. For code execution, use a Perl script that encodes a return address and shellcode into the IP address and a `-g` argument, as demonstrated in the PoC [ref_id=1].
3. For the `-s` heap corruption, pass a malformed source address with a trailing dot: e.g. `/usr/sbin/traceroute -s 127.0.0.1. 127.0.0.1` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
