SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Ntpd Vendors:   Mills, David L. et al
(Immunix Patch Available) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID:  1001260
SecurityTracker URL:  http://securitytracker.com/id/1001260
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 7 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).

The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.

When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.

Code for a demonstration exploit is contained in the source message.
Impact:   A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.
Solution:   Immunix has released a patch.
Vendor URL:  immunix.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 5 2001 The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server


 Source Message Contents
Date:  Fri, 6 Apr 2001 11:34:34 -0700
Subject:  Immunix OS Security update for ntp and xntp3


--Fig2xvG2VGoz8o/s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	ntp and xntp3
Affected products:	Immunix OS 6.2, 7.0-beta, and 7.0
Bugs Fixed:		immunix/1539
Date:			April 6, 2001
Advisory ID:		IMNX-2001-70-013-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:

  Przemyslaw Frasunek has found a buffer overflow in the ntpd package
  (see http://www.securityfocus.com/archive/1/174011 for more details).
  The StackGuard protection in Immunix is effective at stopping this
  attack.  If the published exploit is run against the Immunix version,
  it will cause ntpd to exit with a StackGuard detection message but no
  penetration vulnerability is possible.  WireX is releasing updated
  packages to prevent the residual DoS attack.


Package names and locations:

  Precompiled binary package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/RPMS/xntp3-5.93-14_StackGuard_2.i386.rpm

  Source package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/SRPMS/xntp3-5.93-14_StackGuard_2.src.rpm

  Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/RPMS/ntp-4.0.99j-7_imnx_2.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/SRPMS/ntp-4.0.99j-7_imnx_2.src.rpm


md5sums of the packages:
  4a87c36da4418926d95c5a19cd913f48  xntp3-5.93-14_StackGuard_2.i386.rpm
  ca27c920f4d35c04af607f99d5186ecc  xntp3-5.93-14_StackGuard_2.src.rpm

  f252ef724b86c00669967b402b22c982  ntp-4.0.99j-7_imnx_2.i386.rpm
  b54bbe7aa77a16a0422d97cdc7cdb504  ntp-4.0.99j-7_imnx_2.src.rpm


Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html


--Fig2xvG2VGoz8o/s
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6zgw5Al5ylTeuKpURAgNgAJsGUQ32QkzTPdhRmrWVNcfkELcuTACeJheZ
Zn8leYIH9BneRlmQF3Hzkrg=
=l+Ch
-----END PGP SIGNATURE-----

--Fig2xvG2VGoz8o/s--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC