On Thu, Apr 05, 2001 at 03:30:42PM +0100, Matt Collins wrote:
> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> > Przemyslaw Frasunek wrote:
> > >
> > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */
> >
> > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
> >
> > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> > caused it to seg. fault and core. No time to double-check if that is actually
> > exploitable at this moment. How many NTP distributions are based off of the
> > vulnerable code? With the small payload, gaining access might be hard, but
> > the potential for DoS looks pretty easy.
>
> We've taken a peek at getting sparc shellcode working with this. Getting
> it in below the 70-byte buffer size is tricky.
>
> Does anybody out there have working shellcode for this that can do *anything*
> to the state of the system even if it doesn't lead to full sploit? (beyond
> making ntp core of course ;) )
>
Yep. I am still testing the piece with modified (former) 11-byte x86 shellcode
from S. Krahmer. By executing /bin/sh -c <stuff> you could do quite a few
things there. :))
And an additional notice (didn't see that it was mentioned on the list yet): it
looks like at least the Solaris 2.7/sparc xntpd daemon is vulnerable as well, a
quick test shows:
# uname -a
SunOS sunbox 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
..
# /usr/lib/inet/xntpd
...
# tail /var/adm/messages
Apr 6 12:18:18 sunbox xntpd[28711]: xntpd version=3.4y (beta multicast); Fri Aug 23 19:54:40 PDT 1996 (2)
Apr 6 12:18:18 sunbox xntpd[28711]: tickadj = 625, tick = 10000, tvu_maxslew = 61875
..
# gdb /usr/lib/inetd/xntpd `ps -ef | grep xntpd | grep -v grep | awk '{ print $2}'`
GNU gdb 4.18
..
Symbols already loaded for /usr/lib/libmp.so.2
Symbols already loaded for /usr/lib/libaio.so.1
Symbols already loaded for /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
0xff21758c in _sigsuspend () from /usr/lib/libc.so.1
(gdb) cont
Continuing.
Program received signal SIGBUS, Bus error.
0x1df6c in ?? ()
(gdb) info reg
g0 0x0 0
g1 0x65000 413696
..
l0 0xff237ee8 -14450968
l1 0x41414145 1094795589
l2 0x0 0
...
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x7 7
i3 0x56b84 355204
i4 0xc 12
i5 0x41414141 1094795585
fp 0xffbefc70 -4260752
i7 0x19244 102980
...
blah..
Looks like that with a bit of tuning we could sploit it here as well..
-Fyodor
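The register dump above is the kind of crash evidence a triage or incident-response team gets from a core file or a fuzzing run, and the quick read of it is "which registers ended up holding the fill pattern". The following is an added example, not code from the original thread or from any of its authors: a small parser for gdb `info reg` output that flags registers whose value equals, or sits a few bytes above, the 0x41 fill pattern, using a constructed sample modelled on the dump in the post. The register names, the slack of 16 bytes and the SPARC window note are this example's own assumptions.

```python
import re
from typing import Dict

# Constructed sample, modelled on the gdb "info reg" output quoted in the post above
# (elided lines marked ".." in the post are simply omitted here).
SAMPLE_INFO_REG = """\
g0 0x0 0
g1 0x65000 413696
l0 0xff237ee8 -14450968
l1 0x41414145 1094795589
l2 0x0 0
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x7 7
i3 0x56b84 355204
i4 0xc 12
i5 0x41414141 1094795585
fp 0xffbefc70 -4260752
i7 0x19244 102980
"""

# One gdb register line: name, hex value, decimal value (signed on 32-bit SPARC).
REG_LINE = re.compile(r"^\s*(\w+)\s+0x([0-9a-fA-F]+)\s+(-?\d+)\s*$")


def parse_info_reg(text: str) -> Dict[str, int]:
    """Map register name -> unsigned value for every line that looks like gdb 'info reg' output."""
    regs: Dict[str, int] = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def tainted_registers(regs: Dict[str, int], fill_byte: int = 0x41,
                      width: int = 4, slack: int = 0x10) -> Dict[str, int]:
    """Return {register: offset} for registers holding the fill pattern (0x41414141 for
    width 4) or a value at most `slack` bytes above it, which is what a pointer that
    was overwritten and then advanced by a few bytes looks like (l1 = 0x41414145 above)."""
    pattern = int.from_bytes(bytes([fill_byte]) * width, "big")
    hits: Dict[str, int] = {}
    for name, value in regs.items():
        delta = value - pattern
        if 0 <= delta <= slack:
            hits[name] = delta
    return hits


def triage_summary(regs: Dict[str, int]) -> str:
    """One-line verdict for a crash report. Assumption: SPARC register naming, where the
    local (l) and input (i) registers are spilled to and reloaded from the register-window
    save area on the stack, so fill bytes there mean the overflow reached that area."""
    hits = tainted_registers(regs)
    if not hits:
        return "no fill pattern in registers; treat as plain crash until proven otherwise"
    window = sorted(n for n in hits if n[0] in "li")
    if window:
        return ("fill pattern in window registers %s; stack-resident register state is "
                "input-controlled, prioritise as memory-safety bug" % ", ".join(window))
    return "fill pattern in %s" % ", ".join(sorted(hits))


if __name__ == "__main__":
    parsed = parse_info_reg(SAMPLE_INFO_REG)
    print(tainted_registers(parsed))
    print(triage_summary(parsed))
```

Feeding it a real dump means pasting the `info reg` block into a file and reading it into `parse_info_reg`; gdb's extra columns for vector or floating-point registers do not match the pattern and are ignored, which is intended.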