From: Erik Fichtner (techsOBFUSCATION.ORG)
Date: Thu Apr 05 2001 - 23:24:53 CDT


    On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
    > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
    > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
    > root shell was spawned, and the daemon stayed up. An "strace" of the running
    > xntpd process confirmed this: no exec syscalls were attempted.

    [...]

    > Another vindication for those (like me) that don't like to run the
    > "latest and greatest" versions of any code ....

    False hope, man.

    xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has,
    with the same char buf[128] that is poked at in the exact same way.
    (line 1733 of xntpd/ntp_control.c)

    It's just a matter of fiddling with it until it's breakable on your
    particular system.

    The previously posted patch is a pretty rough way to escape, but it seems
    to work just fine.

    [1] Yeah, I just happened to have an old copy of this in a sources archive.

    -- 
                            Erik Fichtner; Unix Ronin
                        http://www.obfuscation.org/techs/
    "The reasonable man adapts himself to the world; the unreasonable one
    persists in trying to adapt the world to himself.  Therefore, all progress
    depends on the unreasonable." -- George Bernard Shaw
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjrNRRMACgkQDf8awdbGHo330gCguSJAHx6wyUQHAPOWUzw6/77/
    9bEAn1GQW9P+w16jqlxcXNjAofokJt+M
    =hYkr
    -----END PGP SIGNATURE-----
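As an added illustration from the defender's side (this is not code from the post, from xntpd, or from ntp_control.c): a simplified model of the pattern the message describes, a delimiter scan into a fixed 128-byte stack buffer with no length check, next to a bounded version that refuses an item name that would not fit. The function names (`ctl_getitem_unbounded`, `ctl_getitem_bounded`, `item_accepted`, `parse_sample_short`), the delimiter set, and the sample requests are assumptions constructed for this example; the real function's control flow is not reproduced. The point it makes is the one in the post: whether the overflow is reachable on a given build is a separate question from whether the unbounded copy is present, so the fix is the bound, not the platform.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CTL_BUF_SIZE 128   /* the char buf[128] mentioned in the post */

/* Model (an assumption, not the project's code) of the unbounded pattern:
 * copy the item name up to a delimiter into a caller-supplied fixed buffer.
 * Nothing compares the bytes written against the buffer size, so an item
 * name longer than the buffer writes past it. Kept only for side-by-side
 * reading; it is not exercised below. */
void ctl_getitem_unbounded(const char *reqpt, char *buf)
{
    char *cp = buf;
    while (*reqpt != '\0' && *reqpt != ',' && *reqpt != '\r' && *reqpt != '\n')
        *cp++ = *reqpt++;          /* no check: cp may run past buf + 128 */
    *cp = '\0';
}

/* Bounded counterpart: same scan, but the copy happens only after the item
 * length is known to fit (with room for the terminator). Returns 1 on
 * success, 0 if the item would not fit; `out` is untouched on failure. */
int ctl_getitem_bounded(const char *reqpt, size_t reqlen,
                        char *out, size_t out_size)
{
    size_t i = 0;
    while (i < reqlen && reqpt[i] == ' ')
        i++;                       /* skip leading blanks */
    size_t start = i;
    while (i < reqlen && reqpt[i] != ',' && reqpt[i] != '\r' && reqpt[i] != '\n')
        i++;
    size_t len = i - start;
    if (len >= out_size)
        return 0;                  /* the check the unbounded version lacks */
    memcpy(out, reqpt + start, len);
    out[len] = '\0';
    return 1;
}

/* Builds a constructed request whose item name is `name_len` 'A's followed
 * by ",x" and runs the bounded parser against a 128-byte stack buffer.
 * Returns 1 if accepted, 0 if rejected, -1 if name_len is too large to build. */
int item_accepted(size_t name_len)
{
    char req[512];
    char buf[CTL_BUF_SIZE];
    if (name_len > sizeof req - 3)
        return -1;
    memset(req, 'A', name_len);
    req[name_len] = ',';
    req[name_len + 1] = 'x';
    req[name_len + 2] = '\0';
    return ctl_getitem_bounded(req, name_len + 2, buf, sizeof buf);
}

/* Parses a short constructed request and checks the extracted item name. */
int parse_sample_short(void)
{
    char buf[CTL_BUF_SIZE];
    const char *req = "peers, other";   /* constructed sample, not real traffic */
    return ctl_getitem_bounded(req, strlen(req), buf, sizeof buf)
        && strcmp(buf, "peers") == 0;
}

int main(void)
{
    printf("short item accepted:    %d\n", parse_sample_short());
    printf("127-byte item accepted: %d\n", item_accepted(127));
    printf("128-byte item accepted: %d\n", item_accepted(128));
    printf("250-byte item accepted: %d\n", item_accepted(250));
    return 0;
}
```

The boundary matters: a 127-byte name fits with its terminator, a 128-byte name does not, and the bounded version rejects it before touching the buffer rather than writing one byte too many. A review of similar parsers should look for any loop that advances a destination pointer on a delimiter condition alone, with no comparison against the destination's size.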