[20066] in bugtraq
Re: ntpd =< 4.0.99k remote buffer overflow
daemon@ATHENA.MIT.EDU (Erik Fichtner)
Fri Apr 6 15:43:36 2001
Message-ID: <20010406002453.T1715@obfuscation.org>
Date: Fri, 6 Apr 2001 00:24:53 -0400
Reply-To: techs@obfuscation.org
From: Erik Fichtner <techs@obfuscation.org>
X-To: Durval Menezes <durval@TMP.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010405085243.C31459@tmp.com.br>; from durval@TMP.COM.BR on Thu, Apr 05, 2001 at 08:52:43AM -0300
On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
> Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> root shell was spawned, and the daemon stayed up. An "strace" of the running
> xntpd process confirmed this: no exec syscalls were attempted.
[...]
> Another vindication for those (like me) that don't like to run the
> "latest and greatest" versions of any code ....
False hope, man.
xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has,
with the same char buf[128] that is poked at in the exact same way.
(line 1733 of xntpd/ntp_control.c)
It's just a matter of fiddling with it until it's breakable on your
particular system.
The previously posted patch is a pretty rough way to escape, but it seems
to work just fine.
[1] Yeah, I just happened to have an old copy of this in a sources archive.
-- 
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
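Added example, not from this post and not ntpd's code: a C sketch of the bug class Erik is pointing at, a control-item value copied into a fixed char buf[128] on the stack with no bound on the index, shown next to a version that checks the length before copying. The "name=value[,name=value]" item format, the function names and the sample inputs are assumptions made for the illustration; the real ctl_getitem() parses differently, only the buffer size and the missing check are what the post describes.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the buf[128] in ctl_getitem() that the post refers to. */
#define CTL_BUF 128

/* Locate the value part of a "name=value" control item. The value runs
 * to the next ',' or to end of string (item format is an assumption for
 * this illustration). Returns NULL when there is no '='. */
static const char *split_item(const char *item, size_t *vlen)
{
    const char *eq = strchr(item, '=');
    const char *v, *end;

    if (eq == NULL)
        return NULL;
    v = eq + 1;
    end = strchr(v, ',');
    *vlen = end ? (size_t)(end - v) : strlen(v);
    return v;
}

/* The vulnerable shape: the value is copied byte by byte into a fixed
 * stack buffer with no bound on the index, so a value of 128 bytes or
 * more writes past buf[]. Left unfixed on purpose so the two versions
 * can be compared; never feed it untrusted input. */
int getitem_unchecked(const char *item, char *out, size_t outsz)
{
    char buf[CTL_BUF];
    size_t vlen, i;
    const char *v = split_item(item, &vlen);

    if (v == NULL)
        return -1;
    for (i = 0; i < vlen; i++)
        buf[i] = v[i];            /* no check against sizeof buf */
    buf[i] = '\0';
    snprintf(out, outsz, "%s", buf);
    return (int)vlen;
}

/* The bounded version: refuse any value that would not fit together with
 * its terminator, before touching buf[] at all. */
int getitem_checked(const char *item, char *out, size_t outsz)
{
    char buf[CTL_BUF];
    size_t vlen;
    const char *v = split_item(item, &vlen);

    if (v == NULL)
        return -1;
    if (vlen >= sizeof buf)
        return -2;                /* oversize value: reject, do not copy */
    memcpy(buf, v, vlen);
    buf[vlen] = '\0';
    snprintf(out, outsz, "%s", buf);
    return (int)vlen;
}

/* Wrappers that return only the parser's result code. */
int checked_value_len(const char *item)
{
    char out[CTL_BUF];
    return getitem_checked(item, out, sizeof out);
}

int unchecked_value_len(const char *item)
{
    char out[CTL_BUF];
    return getitem_unchecked(item, out, sizeof out);
}

/* Build a constructed item whose value is n bytes of 'A' (capped at 400)
 * and run it through the checked parser. */
int checked_result_for_value_len(size_t n)
{
    char item[512];

    if (n > 400)
        n = 400;
    memcpy(item, "clock=", 6);
    memset(item + 6, 'A', n);
    item[6 + n] = '\0';
    return checked_value_len(item);
}

int main(void)
{
    printf("leap=00,stratum=3 -> %d\n", checked_value_len("leap=00,stratum=3"));
    printf("127-byte value    -> %d\n", checked_result_for_value_len(127));
    printf("128-byte value    -> %d\n", checked_result_for_value_len(128));
    printf("300-byte value    -> %d\n", checked_result_for_value_len(300));
    return 0;
}
```

The point of the checked version is that the length test happens on vlen before any byte lands in buf[]; clamping the copy loop afterwards, or relying on the caller's out buffer size, would still leave the 128-byte stack buffer as the thing that gets overrun. A 127-byte value is the largest the checked parser accepts, since the terminator needs the last slot.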