From: Crist J. Clark (cristjcearthlink.net)
Date: Thu Nov 29 2001 - 00:08:02 CST

    On Wed, Nov 28, 2001 at 03:48:08PM +0000, WebSec WebSec wrote:
    [snip]

    > This is an ignorant response. To "smash a stack" you need at a minimum a
    > connection to the machine.

    Nope.

    > The most you can do without a connection is to
    > run a DOS. I do not see how it is possible to smash the stack by playing
    > with queuing. Do a little reading sir or at least show how it can be done
    > in theory... we will take to the next step :)

    No need for a theoretical treatment. It can be done. Here's a URL for
    an exploit for the NTP overflow from earlier this year.

      http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c

    Here is a piece of the inline documentation,

      /* ntpd remote root exploit / babcia padlina ltd. <venglinfreebsd.lublin.pl> */

      /*
       * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
       * to remote buffer overflow attack. It occurs when building response for
       * a query with large readvar argument. In almost all cases, ntpd is running
       * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
       *
       * Althought it's a normal buffer overflow, exploiting it is much harder.
       * Destination buffer is accidentally damaged, when attack is performed, so
       * shellcode can't be larger than approx. 70 bytes. This proof of concept code
       * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
       * is possible.
       *
       * NTP is stateless UDP based protocol, so all malicious queries can be
       * spoofed.

    This was a rather big deal when it broke so I wouldn't be calling
    other people who _know_ you can exploit a buffer overflow with one
    packet "ignorant."

    -- 
    Crist J. Clark                     |     cjclarkalum.mit.edu
                                       |     cjclarkjhu.edu
    http://people.freebsd.org/~cjc/    |     cjcfreebsd.org
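The point of the exchange above is that a stateless UDP service can have a stack buffer overflowed by a single datagram: no connection is set up, and the source address on the packet can be anything. The following C program is an added example, not code from the post or from the exploit it links, and it does not reproduce the real ntpd control-message layout. It uses a constructed request format ("readvar <name>"), constructed buffer sizes, and hypothetical function names to show the defect class next to a bounds-checked version that rejects an over-long name before any copy is made.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sizes and request format for illustration only; the real
 * ntpd structures are not on the page and are not reproduced here. */
#define MAX_VARNAME 32
#define LINE_BUF    64

/* Vulnerable pattern (never called below): the name taken from the
 * datagram is copied into a fixed stack buffer with no length check.
 * One oversize packet is enough to overwrite the stack; the sender
 * needs no connection state, and on UDP the source can be spoofed. */
void format_line_unsafe(const char *name, char *out)
{
    char line[LINE_BUF];
    strcpy(line, name);        /* unbounded copy: the defect */
    strcat(line, "=?\r\n");
    strcpy(out, line);
}

/* Hardened version: both the name length and the output size are
 * checked before any byte is written, and an over-long name is refused
 * rather than truncated. Returns 0 on success, -1 if refused. */
int format_line_safe(const char *name, size_t namelen, char *out, size_t outlen)
{
    static const char suffix[] = "=?\r\n";      /* 4 chars + NUL */
    if (namelen > MAX_VARNAME)
        return -1;
    if (outlen < namelen + sizeof suffix)
        return -1;
    memcpy(out, name, namelen);
    memcpy(out + namelen, suffix, sizeof suffix); /* copies the NUL too */
    return 0;
}

/* Parse one constructed request datagram of the form "readvar <name>"
 * and build the reply line. The name length is derived from the packet
 * length, i.e. it is entirely under the sender's control.
 * Returns 0 on success, -1 if the datagram is malformed or refused. */
int handle_datagram(const unsigned char *pkt, size_t pktlen, char *out, size_t outlen)
{
    static const char prefix[] = "readvar ";
    size_t plen = sizeof prefix - 1;
    if (pktlen < plen || memcmp(pkt, prefix, plen) != 0)
        return -1;
    return format_line_safe((const char *)pkt + plen, pktlen - plen, out, outlen);
}

int main(void)
{
    char out[LINE_BUF];
    unsigned char benign[] = "readvar version";   /* constructed request */
    unsigned char oversize[600];                   /* constructed oversize request */

    memset(oversize, 'A', sizeof oversize);
    memcpy(oversize, "readvar ", 8);

    printf("benign:   %d\n", handle_datagram(benign, sizeof benign - 1, out, sizeof out));
    printf("reply:    %s", out);
    printf("oversize: %d\n", handle_datagram(oversize, sizeof oversize, out, sizeof out));
    return 0;
}
```

The design choice worth noting is that the safe path checks the attacker-supplied length against a fixed maximum before it touches any buffer, instead of relying on a NUL terminator that the packet may not contain. Independently of the code, a daemon that answers control queries from anyone on UDP is reachable by spoofed packets; for ntpd the usual configuration-level mitigation is a `restrict` line with `noquery` so that such queries are not answered at all (general ntpd configuration knowledge, not something the post itself states).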
    

    To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message