SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Ntpd Vendors:   Mills, David L. et al
(SCO Releases Fix) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID:  1001300
SecurityTracker URL:  http://securitytracker.com/id/1001300
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 12 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).

The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.

When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.

Code for a demonstration exploit is contained in the source message.
Impact:   A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.
Solution:   SCO reports that SCO OpenServer 5.0.0->5.0.6 is affected. The following patch should be applied: System Security Supplement (SSE) SSE073

This patch can be obtained at: ftp://ftp.sco.com/SSE/sse073.tar.Z

See the source message for details.
Cause:   Boundary error
Underlying OS:   UNIX (Open UNIX-SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 5 2001 The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server


 Source Message Contents
Date:  Wed, 11 Apr 2001 12:55:08 -0700
Subject:  SSE073: SCO OpenServer NTP buffer overflow fix


This is a multi-part message in MIME format.
--------------C958E3CD426E9BAF801DE832
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

---------------------------------------------------
TOPIC:  NTP remote buffer overflow
PRODUCTS AFFECTED:  SCO OpenServer 5.0.0->5.0.6
PATCH: System Security Supplement (SSE) SSE073
PATCH LOCATION: ftp://ftp.sco.com/SSE/sse073.tar.Z
                                   ftp://ftp.sco.com/SSE/sse073.ltr
SUMMARY: potentially exploitable buffer overflow fixed by SSE073
DATE: April 11, 2001
---------------------------------------------------



--------------C958E3CD426E9BAF801DE832
Content-Type: text/plain; charset=us-ascii;
 name="sse073.ltr"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="sse073.ltr"

System Security Enhancement (SSE) SSE073 - 11-Apr-2001

Problem:

        A buffer overflow was found by Przemyslaw Frasunek
	<venglin@freebsd.lublin.pl> in the NTP daemon.  Full exploit details
	can be found in the BUGTRAQ archive

		http://www.securityfocus.com/archive/1/174011

	On SCO OpenServer 5 Release 5.0.6 systems, the NTP daemon is /etc/ntpd.

	This exploit doesn't actually "work" on OpenServer.  However, a small
	effect can be observed.

	To observe the effect, run ntpdc and give it the "ctlstats" command.
	An exploit attempt registers as an increment of 2 to the
	"requests received" and "responses sent" counters.

	Running the fixed version of ntpd, an exploit attempt registers as +2
	"requests received", +2 "responses sent", +1 "total bad pkts" and +1
	"error msgs sent".

	We find this difference sufficient to feel confident that the _specific_
	problem has been corrected.

Patch:

        The patch is located at: ftp://ftp.sco.com/SSE/sse073.tar.Z
                                 ftp://ftp.sco.com/SSE/sse073.ltr

	This patch is applicable to all releases of OpenServer 5.
	However, the "install-sse073.sh" program to install the binary
	can be used on Release 5.0.6 ONLY.

        This patch contains a replacement for the /etc/ntpd binary in
	Release 5.0.6.  If you wish to use this binary on Releases 5.0.0
        up to 5.0.5, you can install the binary manually.  Note that
        on these older releases, /etc/xntpd (based on NTPv3) was shipped
        by default; hence, configuration files based on xntpd may have to
        be modified.


Installation:

	1. We reccommend you drop into single user mode to install this SSE
            (though this is not enforced).

        2. Uncompress and extract the SSE into a temporary directory
           of the server (eg. /tmp/sse073).

           # uncompress sse073.tar.Z

           # tar xvf sse073.tar

        3. Execute the install script.  Follow the instructions
           at the prompt.

           # ./install-sse073.sh

           Note: "Warning" messages simply explain that because a
                 specific file was not found on the current
                 server, it was not replaced.  If a system has
                 custom binaries or paths, this patch may not
                 succeed.

        4. Clean up.

	   A backup of the orginal binaries will be saved in:
               /opt/K/SCO/sse/sse073

           The following files will be left over after patch
           installation and can be removed:

           ./install-sse073.sh
           ./sse073.files.tar

           The following files will be left over after patch
           installation and can be moved to an archival
           directory in case the patches are needed again:

           ./sse073.tar
           ./sse073.doc

Checksums of the packages:

	`sum -r ./sse073.tar`: 53459
	`sum -r ./sse073.files.tar`: 61075

References:

	The vulnerability addressed in this patch was found by:

		Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

	For more details, see the following BUGTRAQ archive:

		http://www.securityfocus.com/archive/1/174011

Disclaimer:

SCO believes that this patch addresses the reported vulnerabilities.
However, in order that it be released as soon as possible, this patch
has not been fully tested or packaged to SCO's normal exacting
standards.  For that reason, this patch is not officially supported.
Official supported and packaged fixes for current SCO products will
be available in due course.

--------------C958E3CD426E9BAF801DE832--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC