On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
> Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> root shell was spawned, and the daemon stayed up. An "strace" of the running
> xntpd process confirmed this: no exec syscalls were attempted.

[...]

> Another vindication for those (like me) that don't like to run the
> "latest and greatest" versions of any code ....

False hope, man. 

xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has, 
with the same char buf[128] that is poked at in the exact same way.
(line 1733 of xntpd/ntp_control.c) 

It's just a matter of fiddling with it until it's breakable on your 
particular system.

The previously posted patch is a pretty rough way to escape, but it seems
to work just fine.


[1] Yeah, I just happened to have an old copy of this in a sources archive.



-- 
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
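The thread's point is that the fixed `char buf[128]` in `ctl_getitem()` is filled from attacker-controlled request data without a length check, so the version number is irrelevant as long as the copy is unbounded. The example below is added here to illustrate the defensive fix; it is not the ntp source and the names (`copy_item_bounded`, `check_item`, `ITEM_BUF`) are hypothetical. It copies one comma-separated item into a caller-owned buffer, refuses anything that would not fit together with the terminating NUL, and exercises the boundary cases (127, 128 and 300 bytes).

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed item buffer size, matching the 128 bytes mentioned in the thread.
 * Constructed for this example; not the project's own constant. */
#define ITEM_BUF 128

/* Copy one item (terminated by ',' or end of input) from req into buf.
 * Returns the number of bytes copied, or -1 if the item plus its NUL
 * terminator would not fit in buflen bytes. Hypothetical helper. */
int copy_item_bounded(const char *req, size_t reqlen, char *buf, size_t buflen)
{
    size_t n = 0;

    if (buf == NULL || buflen == 0)
        return -1;

    while (n < reqlen && req[n] != ',' && req[n] != '\0') {
        /* Reject before writing: position n must leave room for the NUL. */
        if (n + 1 >= buflen)
            return -1;
        buf[n] = req[n];
        n++;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: copy the first item of a NUL-terminated request into
 * a stack buffer of ITEM_BUF bytes and report the result. */
int check_item(const char *req)
{
    char buf[ITEM_BUF];
    return copy_item_bounded(req, strlen(req), buf, sizeof buf);
}

/* Build a constructed request of `len` 'A' bytes (no comma) and check it,
 * so the 127/128/oversized boundary can be probed directly. */
int check_item_of_len(size_t len)
{
    char tmp[512];

    if (len >= sizeof tmp)
        return -1;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return check_item(tmp);
}

int main(void)
{
    printf("\"leap,stratum\" -> %d\n", check_item("leap,stratum"));   /* 4  */
    printf("127 bytes       -> %d\n", check_item_of_len(127));       /* 127 */
    printf("128 bytes       -> %d\n", check_item_of_len(128));       /* -1 */
    printf("300 bytes       -> %d\n", check_item_of_len(300));       /* -1 */
    return 0;
}
```

The check runs before the byte is written, not after, so a 128-byte item is rejected rather than placing its NUL terminator one past the end of the buffer; that off-by-one is the same class of mistake as the unbounded copy, just smaller.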
