[20096] in bugtraq
Re: ntpd =< 4.0.99k remote buffer overflow
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon Apr 9 04:13:48 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010407092643.Q856@riget.scene.pl>
Date: Sat, 7 Apr 2001 09:26:43 +0200
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To: Stephen Clouse <stephenc@theiqgroup.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010405225645.A280@owns.warpcore.org>; from
stephenc@theiqgroup.com on Thu, Apr 05, 2001 at 10:56:45PM -0500
On Thu, Apr 05, 2001 at 10:56:45PM -0500, Stephen Clouse wrote:
> Having no effect on ntp-4.0.99k compiled from official source on Slackware
> 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash
> mode didn't change).
As I said, exploiting this overflow isn't so easy -- offset and align
values vary from platform to platform. The exploit was tested only
on bare RedHat 7.0 and FreeBSD 4.2-STABLE compiled with -O6 -fomit-frame-pointer
-march=pentiumpro.
Did your ntpd segfault after running the exploit?
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *