Vulnerability Development
mailing list archives
Re: Remote exploitation of network scanners?
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Mon, 28 Aug 2000 18:20:36 +0100
Snoop RPC buffer overflow.
Very amusing, especially if you use snoop 24x7 as a kinda homegrown IDS ;-)
Dom
PS. Oh, and yes, it's a remote root thang.
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
antirez
Sent: 27 August 2000 01:48
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Remote exploitation of network scanners?
On Fri, Aug 25, 2000 at 03:56:30PM +0800, Lincoln Yeoh wrote:
> Hi people!

Hi,

> I wonder if the many popular scanners out there are written securely - so
> that they themselves cannot be exploited.

About hping2 I think it's not secure, since I didn't perform a good security
audit of the code I wrote; it's old code + new code + third-party code.
_Maybe_ an exploitable buffer overflow can occur while parsing some incoming
packet. Anyway, the development of hping2 will be more intense in the
next months, and I'll consider hping2's internal security one of the
"stuff to fix".

> Hypothetical scenario:
>
> A scanner requiring remote input scans a targeted host, looking for
> replies.
>
> The targeted host replies with exceptional input causing the scanner to run
> arbitrary code (buffer overflow etc etc), probably with the privileges of
> the user running that scanner.

This is true: many scanners are programs that, running with root
privileges, perform a lot of data parsing. For port-scanner-like
software that needs root just to open raw sockets and to
open descriptors for the datalink layer, setuid() can be a good solution.

> Note that I am not saying that the authors of such programs are writing
> poor quality code, far from it, but there is a danger that some users may
> be using them under inappropriate conditions for purposes they were not
> designed for. After all much of the code released is "for educational
> purposes only" ;).

In some contexts it's possible that a coder overestimates the value of
security in this kind of software. Again, about hping2, I can say
that since it was coded as a dirty hack in order to perform some tests,
I didn't pay attention to security: unfortunately some lines of the
first hack are still in the latest distribution.
regards,
antirez
--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
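The setuid() suggestion in antirez's reply, worked through as an added example (this is not hping2 code and not code from anyone in the thread): the program uses root only to obtain a raw ICMP socket, drops permanently to an unprivileged identity, and only then parses replies from the network, with a bounds-checked IPv4/ICMP parser that never trusts a length field over the number of bytes actually read. The target uid/gid 65534 is an assumption (it is "nobody" on many systems but not all), and the sample datagram is constructed by hand rather than captured.

```c
/* Added example (not hping2 code and not from the original post): a raw-socket
 * scanner skeleton that uses root only to obtain the socket, then drops to an
 * unprivileged uid/gid before it parses any reply from the network. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>

/* Drop root permanently: supplementary groups first, then gid, then uid.
 * setuid() (not seteuid()) also clears the saved uid, so the drop cannot be
 * undone.  Returns 0 on success, -1 on failure; when the target uid is not 0
 * it additionally verifies that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* needs root; skipped otherwise */
        return -1;
    if (setgid(gid) != 0)   /* gid first: after setuid() we may no longer be allowed */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getuid() != uid)) {
        errno = EPERM;      /* we could climb back to root: treat as failure */
        return -1;
    }
    return 0;
}

/* Parse one raw-socket read (IPv4 header + ICMP) byte by byte, with every
 * bound taken from the actual read length rather than from the packet.
 * Returns the ICMP identifier of a well-formed echo reply, else -1. */
int parse_echo_reply(const unsigned char *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)        /* minimum IPv4 header, version 4 */
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || ihl > len || total > len)  /* header claims more than we read */
        return -1;
    if (buf[9] != 1)                           /* protocol must be ICMP */
        return -1;
    if (len - ihl < 8)                         /* ICMP header is 8 bytes */
        return -1;
    const unsigned char *icmp = buf + ihl;
    if (icmp[0] != 0 || icmp[1] != 0)          /* type 0 = echo reply, code 0 */
        return -1;
    return (icmp[4] << 8) | icmp[5];           /* identifier */
}

/* Constructed sample datagram (not captured traffic): IPv4 + ICMP echo reply,
 * id 0xbeef, seq 1, checksums left zero. */
const unsigned char sample_reply[28] = {
    0x45, 0x00, 0x00, 0x1c,  /* version 4, ihl 5, tos, total length 28 */
    0x00, 0x01, 0x00, 0x00,  /* id, flags/fragment offset */
    0x40, 0x01, 0x00, 0x00,  /* ttl 64, protocol 1 (ICMP), checksum */
    0xc0, 0xa8, 0x00, 0x01,  /* src 192.168.0.1 */
    0xc0, 0xa8, 0x00, 0x02,  /* dst 192.168.0.2 */
    0x00, 0x00, 0x00, 0x00,  /* type 0 (echo reply), code 0, checksum */
    0xbe, 0xef, 0x00, 0x01,  /* identifier 0xbeef, sequence 1 */
};

int main(void)
{
    /* Root is needed only here, to obtain the raw socket. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        perror("socket(SOCK_RAW) failed (needs root); continuing with sample packet");

    /* Hypothetical unprivileged identity: uid/gid 65534 ("nobody" on many
     * systems).  When not started as root, stay at the current identity. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* From here on, a hostile reply can at most compromise uid 65534; the
     * already-open raw socket keeps working. */
    int id = parse_echo_reply(sample_reply, sizeof sample_reply);
    printf("euid=%ld, sample reply parsed: icmp id=%d\n", (long)geteuid(), id);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The order in drop_privileges() matters: groups and gid must be changed while still root, and a final attempt to setuid(0) confirms the drop is irreversible rather than a seteuid() that a later bug could undo. Everything that touches attacker-controlled bytes runs after that point.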