(FreeBSD Releases Fix) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID: 1001302
SecurityTracker URL: http://securitytracker.com/id/1001302
Date: Apr 13 2001
Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).
The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.
When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.
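The kind of bounds check whose absence is described above, shown as an added C illustration; it is not ntpd source code and not code from the advisory or the source message. The 128-byte reply buffer, the function name `build_reply` and the comma-separated list format are assumptions made for the example.

```c
/* Added illustration, not ntpd source. Names and sizes are assumptions. */
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 128   /* assumed size of the fixed reply buffer */

/* Copy a comma-separated variable list from a request into reply[],
 * one "name," at a time. Returns bytes written, or -1 if the list does
 * not fit. An unchecked version of this loop would keep writing past
 * reply[] for as long as the request supplied data. */
int build_reply(const char *req, size_t req_len, char reply[REPLY_MAX])
{
    size_t used = 0, i = 0;

    reply[0] = '\0';
    while (i < req_len) {
        /* Find the end of the current name, staying inside the request. */
        size_t start = i;
        while (i < req_len && req[i] != ',')
            i++;
        size_t name_len = i - start;
        if (i < req_len)
            i++;                      /* skip the comma */
        if (name_len == 0)
            continue;                 /* ignore empty items */

        /* Bounds check: name + separator + terminating NUL must fit. */
        if (name_len + 2 > REPLY_MAX - used) {
            reply[0] = '\0';          /* refuse; leave no partial reply */
            return -1;
        }
        memcpy(reply + used, req + start, name_len);
        used += name_len;
        reply[used++] = ',';
        reply[used] = '\0';
    }
    return (int)used;
}

int main(void)
{
    char reply[REPLY_MAX], big[512];

    memset(big, 'A', sizeof big);     /* constructed oversized argument */
    printf("%d\n", build_reply("leap,stratum", 12, reply));
    printf("%d\n", build_reply(big, sizeof big, reply));
    return 0;
}
```

The check is made against the space remaining in the destination, not against the length the request claims, so both a single oversized name and many short names are refused once the buffer is full.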
Code for a demonstration exploit is contained in the source message.
A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.
FreeBSD has released a fix. See the source message or the vendor advisory for more information.
Vendor URL: www.freebsd.org/
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 12 Apr 2001 13:58:18 -0700 (PDT)
Subject: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-01:31 Security Advisory
Topic: ntpd contains potential remote compromise
Credits: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
Ports collection prior to the correction date.
Corrected: 2001-04-06 (FreeBSD 4.2-STABLE, 3.5-STABLE, and ports)
Vendor status: Vendor notified.
FreeBSD only: NO
The ntpd daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a
reference time source. Older versions of ntpd, such as those in
FreeBSD 3.x, were named xntpd.
II. Problem Description
An overflowable buffer exists in the ntpd daemon related to the
building of a response for a query with a large readvar argument.
Due to insufficient bounds checking, a remote attacker may be able
to cause arbitrary code to be executed as the user running the
ntpd daemon, usually root.
All versions of FreeBSD prior to the correction date, including
FreeBSD 3.5.1 and 4.2, and versions of the ntpd port prior to
ntp-4.0.99k_2 contain this problem. The base system and ports
collections that will ship with FreeBSD 4.3 do not contain this
problem since it was corrected before the release.
Malicious remote users may be able to execute arbitrary code on an
ntpd server as the user running the ntpd daemon, usually root.
The ntpd daemon is not enabled by default. If you have not enabled
ntpd, your system is not vulnerable.
Disable the ntpd daemon using the following command:
# kill -KILL `cat /var/run/ntpd.pid`
Additionally, the ntpd daemon should be disabled in the system's
startup configuration file /etc/rc.conf, normally accomplished by
changing "xntpd_enable=YES" to "xntpd_enable=NO".
Since NTP is a stateless UDP-based protocol, source addresses can be
spoofed rendering firewalling ineffective for stopping this
One of the following:
1) Upgrade to FreeBSD 4.2-STABLE or 3.5.1-STABLE after the correction
2) Download the patch and detached PGP signature from the following
The following patch applies to FreeBSD 4.x.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch.asc
The following patch applies to FreeBSD 3.x.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch.asc
Verify the detached signature using your PGP utility.
Issue the following commands as root:
# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/ntp
# make all install
# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/xntpd
# make all install
Finally, if ntpd is already running, kill and restart the ntpd
daemon by performing the following command as root:
# kill -KILL `cat /var/run/ntpd.pid` && /usr/sbin/ntpd
Use one of the following options to upgrade the ntpd software, then
kill and restart the ntpd daemon if it is already running.
To kill and restart the ntpd daemon, perform the following command as
# kill -KILL `cat /var/run/ntpd.pid` && /usr/local/sbin/ntpd
1) Upgrade your entire ports collection and rebuild the ntpd port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
NOTE: It may be several days before updated packages are available.
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the ntpd port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve
-----END PGP SIGNATURE-----