From owner-freebsd-security Wed Nov 28 22:08:16 2001
Date: Wed, 28 Nov 2001 22:08:02 -0800
From: "Crist J. Clark"
To: WebSec WebSec
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011128220802.K3985@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from secure21st@hotmail.com on Wed, Nov 28, 2001 at 03:48:08PM +0000
X-URL: http://people.freebsd.org/~cjc/

On Wed, Nov 28, 2001 at 03:48:08PM +0000, WebSec WebSec wrote:

[snip]

> This is an ignorant response. To "smash a stack" you need at a minimum a
> connection to the machine.

Nope.

> The most you can do without a connection is to
> run a DOS. I do not see how it is possible to smash the stack by playing
> with queuing. Do a little reading sir or at least show how it can be done
> in theory... we will take to the next step :)

No need for a theoretical treatment. It can be done. Here's a URL for
an exploit for the NTP overflow from earlier this year.

  http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c

Here is a piece of the inline documentation,

/* ntpd remote root exploit / babcia padlina ltd. */
/*
 * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
 * to remote buffer overflow attack. It occurs when building response for
 * a query with large readvar argument. In almost all cases, ntpd is running
 * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
 *
 * Although it's a normal buffer overflow, exploiting it is much harder.
 * Destination buffer is accidentally damaged, when attack is performed, so
 * shellcode can't be larger than approx. 70 bytes. This proof of concept code
 * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
 * is possible.
 *
 * NTP is stateless UDP based protocol, so all malicious queries can be
 * spoofed.

This was a rather big deal when it broke so I wouldn't be calling other
people who _know_ you can exploit a buffer overflow with one packet
"ignorant."
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
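Added example, not part of this thread and not ntpd's code: a constructed C model of the pattern the exploit comment describes, a daemon building a readvar-style response from the contents of a single UDP datagram, with the unbounded copy shown beside a bounded version that rejects oversize names. The 12-byte header, 32-byte name limit and 480-byte response size are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model (not ntpd): the daemon echoes a requested variable
 * name back in a fixed-size response. The name arrives in one UDP
 * datagram, so no connection or handshake precedes this code. */
#define RESP_MAX 480   /* assumed response payload limit */
#define HDR_LEN  12    /* assumed fixed header before the variable name */
#define NAME_MAX 32    /* assumed policy: longest acceptable variable name */

/* Vulnerable pattern: the request-controlled name is copied with no
 * bound, so a name longer than the 64-byte scratch buffer overruns it. */
void build_response_unsafe(const char *readvar, char *resp)
{
    char line[64];
    sprintf(line, "%s=unknown", readvar);   /* overflows 'line' on long input */
    strcpy(resp, line);
}

/* Hardened form: every copy is bounded by the remaining space and an
 * oversize name is rejected rather than trusted. Returns the response
 * length, or -1 when the request cannot be answered within resp_sz. */
int build_response_safe(const char *readvar, size_t len, char *resp, size_t resp_sz)
{
    const char suffix[] = "=unknown";        /* sizeof includes the NUL */
    if (len > NAME_MAX || len + sizeof suffix > resp_sz)
        return -1;
    memcpy(resp, readvar, len);
    memcpy(resp + len, suffix, sizeof suffix);
    return (int)(len + sizeof suffix - 1);
}

/* One inbound datagram is the entire trust boundary. */
int handle_datagram(const uint8_t *pkt, size_t pkt_len, char *resp, size_t resp_sz)
{
    if (pkt_len < HDR_LEN) return -1;        /* runt packet: no name at all */
    return build_response_safe((const char *)pkt + HDR_LEN, pkt_len - HDR_LEN,
                               resp, resp_sz);
}

/* Build a datagram whose name is 'name_len' copies of 'c'; report the result. */
int try_request(size_t name_len, char c)
{
    uint8_t pkt[HDR_LEN + 300];
    char resp[RESP_MAX];
    if (name_len > 300) return -2;
    memset(pkt, 0, HDR_LEN);
    memset(pkt + HDR_LEN, (unsigned char)c, name_len);
    return handle_datagram(pkt, HDR_LEN + name_len, resp, sizeof resp);
}
```

Calling try_request(6, 's') answers normally (14 bytes of "ssssss=unknown"), while try_request(200, 'A') is refused with -1 instead of reaching any unbounded copy.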