(Slackware Releases Fix) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server

SecurityTracker Alert ID: 1001269
SecurityTracker URL: http://securitytracker.com/id/1001269
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 9 2001
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes

Description:
The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).
The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.
When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.
Code for a demonstration exploit is contained in the source message.

Impact:
A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.

Solution:
Slackware has released a fix. See the source message for details.

Vendor URL: slackware.com/

Cause: Boundary error

Underlying OS: Linux (Slackware)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Sun, 8 Apr 2001 16:50:03 -0700
Subject: [slackware-security] buffer overflow fix for NTP

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise. Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3. The -current tree has been upgraded to ntp4, which also fixes the
problem. If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:

FOR SLACKWARE 7.1:

================================
xntp3-5.93e AVAILABLE (xntp.tgz)
================================

Patched xntp3-5.93e against recently reported buffer overflow problem.
All sites running xntp from Slackware 7.1 should either upgrade to this
package or ensure that their /etc/ntp.conf does not allow connections
from untrusted hosts. To deny people access to your time daemon (not a
bad idea anyway if you're only running ntp to keep your own clock
updated) use this in /etc/ntp.conf:

    # Don't serve time or stats to anyone else
    restrict default ignore

The buffer overflow problem can be fixed by upgrading to this package:
---------------------------------------------------------------------

ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum:
39955 509 xntp.tgz

128-bit MD5 message digest:
aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz

Installation instructions for the xntp.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command
should stop the daemon:

    killall xntpd

Check to make sure it's not running:

    ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using
upgradepkg:

    upgradepkg xntp.tgz

Then you can restart the daemon:

    /usr/sbin/xntpd

FOR SLACKWARE -CURRENT:

==================================
ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
==================================

This package replaces the xntp.tgz package (which contained xntp3-5.93e).
The older version (and all versions prior to ntp-4.0.99k23, which was
released yesterday) contain a buffer overflow bug which could lead to a
root compromise on sites offering ntp service.

The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
-------------------------------------------------------------------------

ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum:
12988 1167 ntp4.tgz

128-bit MD5 message digest:
8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz

Installation instructions for the ntp4.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command
should stop the daemon:

    killall xntpd

Check to make sure it's not running:

    ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using
upgradepkg:

    upgradepkg xntp%ntp4

Then you can restart the daemon:

    /usr/sbin/ntpd

Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
http://www.slackware.com
|
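The message's alternative to upgrading is to make sure /etc/ntp.conf does not admit untrusted hosts. The script below is an added example, not part of the advisory or of Slackware's tooling: it checks a config for the recommended "restrict default ignore" line and lists the hosts that still have their own restrict entry, so each can be confirmed as trusted. The function names and the sample config (documentation addresses from 192.0.2.0/24) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf against the advisory's
# "restrict default ignore" recommendation. Function names are hypothetical.

# Write a constructed sample config to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real site's configuration
restrict default ignore    # the advisory's recommended default
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify
server 192.0.2.10
EOF
}

# Print every "restrict" line, comments stripped, fields single-spaced.
restrict_lines() {
    sed -e 's/#.*//' "$1" | awk '$1 == "restrict" { $1 = $1; print }'
}

# Succeed only if a "restrict default" line carries the "ignore" flag.
default_is_ignored() {
    restrict_lines "$1" | awk '
        $2 == "default" { for (i = 3; i <= NF; i++) if ($i == "ignore") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# List hosts/networks with their own restrict line that is not "ignore":
# these exceptions can still reach the daemon and must all be trusted.
reachable_peers() {
    restrict_lines "$1" | awk '
        $2 != "default" {
            for (i = 3; i <= NF; i++) if ($i == "ignore") next
            peer = $2
            if ($3 == "mask") peer = peer " mask " $4
            print peer
        }'
}

audit_ntp_conf() {
    if default_is_ignored "$1"; then
        echo "default: ignore"
    else
        echo "default: OPEN (no restrict default ignore)"
    fi
    reachable_peers "$1" | sed 's/^/exception: /'
}

if [ $# -gt 0 ]; then audit_ntp_conf "$1"; fi
```

Run it as `sh audit.sh /etc/ntp.conf` (the script name is arbitrary); any "exception:" line names a host or network the default rule does not cover.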
|