Date:      Wed, 28 Nov 2001 22:08:02 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        WebSec WebSec <secure21st@hotmail.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <20011128220802.K3985@blossom.cjclark.org>
In-Reply-To: <F140NsokLQ8aZRhQdOg00016fa1@hotmail.com>; from secure21st@hotmail.com on Wed, Nov 28, 2001 at 03:48:08PM +0000
References:  <F140NsokLQ8aZRhQdOg00016fa1@hotmail.com>

On Wed, Nov 28, 2001 at 03:48:08PM +0000, WebSec WebSec wrote:
[snip]

> This is an ignorant response.  To "smash a stack" you need at a minimum a 
> connection to the machine.

Nope.

> The most you can do without a connection is to 
> run a DOS.  I do not see how it is possible to smash the stack by playing 
> with queuing.  Do a little reading sir or at least show how it can be done 
> in theory... we will take to the next step :)

No need for a theoretical treatment. It can be done. Here's a URL for
an exploit for the NTP overflow from earlier this year.

  http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c

Here is a piece of the inline documentation,

  /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

  /*
   * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
   * to remote buffer overflow attack. It occurs when building response for
   * a query with large readvar argument. In almost all cases, ntpd is running
   * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
   *
   * Althought it's a normal buffer overflow, exploiting it is much harder.
   * Destination buffer is accidentally damaged, when attack is performed, so
   * shellcode can't be larger than approx. 70 bytes. This proof of concept code
   * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
   * is possible.
   *
   * NTP is stateless UDP based protocol, so all malicious queries can be
   * spoofed.

This was a rather big deal when it broke so I wouldn't be calling
other people who _know_ you can exploit a buffer overflow with one
packet "ignorant."
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
