SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Ntpd
Vendors:   Mills, David L. et al
(IBM Releases Fix) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID:  1001352
SecurityTracker URL:  http://securitytracker.com/id/1001352
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 18 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   The Network Time Protocol daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow that allows remote users to execute arbitrary code on the server, potentially with super-user privileges.

The overflow occurs while the daemon processes a readvar control query whose argument is larger than the fixed-size buffer it is copied into. Because ntpd typically runs with root privileges, a successful attack can give a remote attacker root access to the timeserver.

The overflow reportedly corrupts the data around the destination buffer, so injected shellcode is limited to less than approximately 70 bytes.

A demonstration exploit was included in the original Apr 5 2001 source message (see Message History below); the IBM advisory reproduced on this page does not contain it.
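The boundary error described above, as an added illustration that is neither ntpd's source nor the published demonstration exploit: a model of the control-message parser's copy step, which copies a variable's value into a fixed-size buffer until a comma or the end of the request with no length check. The 128-byte buffer size, the `stratum=` variable used in the constructed requests, and every function name here are assumptions made for this example. `readvar_request_overflows` reports whether a given data field would drive the unbounded copy past the buffer (a check that can be applied to captured mode 6 payloads), and `ctl_copy_value` is the bounded replacement that refuses oversize values instead of overrunning.

```c
#include <stdio.h>
#include <string.h>

/* Model of the readvar value copy (added example, not ntpd source).
 * Assumption: the destination is a fixed 128-byte buffer. */
#define CTL_VALUE_BUF 128

/* Index of the first value byte after "name=" (blanks skipped), or -1
 * when the data field carries no '='. */
static long ctl_value_start(const char *req, size_t reqlen)
{
    const char *eq = memchr(req, '=', reqlen);
    size_t i;
    if (eq == NULL)
        return -1;
    i = (size_t)(eq - req) + 1;
    while (i < reqlen && (req[i] == ' ' || req[i] == '\t'))
        i++;
    return (long)i;
}

/* Bytes, NUL included, that an unbounded "copy until ',' or end of
 * request" loop writes for the value starting at index start. */
size_t ctl_value_span(const char *req, size_t reqlen, size_t start)
{
    size_t n = 0;
    while (start + n < reqlen && req[start + n] != ',')
        n++;
    return n + 1;
}

/* 1 if the unbounded copy would overrun CTL_VALUE_BUF, else 0. */
int readvar_request_overflows(const char *req, size_t reqlen)
{
    long s = ctl_value_start(req, reqlen);
    if (s < 0)
        return 0;
    return ctl_value_span(req, reqlen, (size_t)s) > CTL_VALUE_BUF;
}

/* Hardened copy: same termination rule, hard upper bound. Returns the
 * value length, or -1 (with out emptied) if the value would not fit. */
long ctl_copy_value(const char *req, size_t reqlen, size_t start,
                    char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    while (start + n < reqlen && req[start + n] != ',') {
        if (n + 1 >= outlen) {   /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = req[start + n];
        n++;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed input: "stratum=" followed by value_len 'A' bytes.
 * Returns the length written (NUL excluded), or 0 if buf is too small. */
size_t make_stratum_request(size_t value_len, char *buf, size_t bufsize)
{
    const char prefix[] = "stratum=";
    size_t plen = sizeof prefix - 1;
    if (bufsize < plen + value_len + 1)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', value_len);
    buf[plen + value_len] = '\0';
    return plen + value_len;
}

/* Verdict of the unbounded copy for a value_len-byte value; -1 if > 400. */
int stratum_value_overflows(size_t value_len)
{
    char buf[8 + 400 + 1];
    size_t n = make_stratum_request(value_len, buf, sizeof buf);
    return n ? readvar_request_overflows(buf, n) : -1;
}

/* Result of the hardened copy for the same input: value length or -1. */
long stratum_value_hardened(size_t value_len)
{
    char buf[8 + 400 + 1], out[CTL_VALUE_BUF];
    size_t n = make_stratum_request(value_len, buf, sizeof buf);
    long s = n ? ctl_value_start(buf, n) : -1;
    return s < 0 ? -1 : ctl_copy_value(buf, n, (size_t)s, out, sizeof out);
}

int main(void)
{
    size_t len[] = { 2, 127, 128, 300 }, i;
    for (i = 0; i < sizeof len / sizeof len[0]; i++)
        printf("%3zu-byte value: unbounded copy overflows=%d, hardened copy returns %ld\n",
               len[i], stratum_value_overflows(len[i]), stratum_value_hardened(len[i]));
    return 0;
}
```

The overflow check counts bytes only up to the first comma, matching the unbounded loop's own termination rule, so a value that fits is copied unchanged and the hardened path changes behaviour only for requests that would have overrun the buffer. A 127-byte value is the largest that fits with its terminating NUL; 128 bytes is the first length the bounded copy rejects.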

Impact:   A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is carried over UDP and the attacker needs no reply to deliver the overflow, the source address can be spoofed; this makes source-address filtering a weak protection on its own and makes the attack harder to trace.
Solution:   IBM has released a fix for AIX. See the source message for details.
Vendor URL:  www.ibm.com/
Cause:   Boundary error
Underlying OS:   UNIX (AIX)
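A configuration-side mitigation for sites that cannot apply the vendor fix immediately, as an added example that is not taken from the advisory: readvar is an NTP mode 6 control query, and the `restrict` access-control lines in ntp.conf can refuse mode 6/7 packets with `noquery` while leaving time exchange (client/server modes) unaffected. The server name below is a placeholder. The caveat noted under Impact applies: `restrict` matches on the UDP source address, which an attacker can spoof, so this narrows exposure but does not replace the patched daemon.

```conf
# Weak: no restrict lines, so any host that can reach UDP/123 may send
# readvar (mode 6) queries to the vulnerable parser.
server time.example.net

# Hardened: refuse mode 6/7 queries and runtime modification from all
# sources, then re-open queries only for the local host. Time service to
# and from the configured server is unaffected.
restrict default noquery nomodify notrap
restrict 127.0.0.1
server time.example.net
```

After changing the file, restart the daemon (on AIX, `stopsrc -s xntpd` then `startsrc -s xntpd`, as in the efix procedure below) and confirm from another host that `ntpq -c rv` against the server no longer returns variables while `ntpdate -q` or the peer association still does.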

Message History:   This archive entry is a follow-up to the message listed below.
Apr 5 2001 The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server



 Source Message Contents

Date:  Wed, 18 Apr 2001 06:59:09 -0400
Subject:  IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow


                            IBM Global Services
                         Managed Security Services
                      Outside Advisory Redistribution

----------- Forwarded Information Starts Here.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

Tue Apr 10 11:15:04 CDT 2001
===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    Buffer Overflow Vulnerability in (x)ntp

PLATFORMS:        IBM AIX 4.3.x and 5.1

SOLUTION:         Apply the emergency-fixes described below.

THREAT:           Malicious user could obtain root privileges, or cause
                  a denial of service (DoS).

CERT Advisory:    Pending.

===========================================================================
                           DETAILED INFORMATION

I.  Description

   The Network Time Protocol daemon, (x)ntp, shipped with AIX contains
   a buffer overflow vulnerability that allows a malicious user, local
   or remote, to gain root privileges.

   Gaining root privileges by exploiting this vulnerability appears to
   be somewhat difficult in practice, as knowledge of the hardware-
   dependent stack registers/addresses is required for different
   architectures. Also, there does not exist much "working room" in the
   size of the stack overflow that can be accomplished, requiring
   an especially well-crafted exploit code.

   An exploit has been written and made public; it is intended for use
   on Intel architectures to gain root access. However, it causes ntp
   daemon problems when run as is. A result is likely to be a denial of
   service (DoS). The exploit code would need to be
   modified for full exploitation on the RISC6000 architecture.

   Nonetheless, IBM has found that a vulnerability in the daemon
   source code does exist, and has fixed this problem.


II. Impact

   A malicious local or remote user can use a well-crafted exploit code
   to gain root privileges on the attacked system, compromising the
   integrity of the system and its attached local network.

   If the malicious user is unable to gain root access, he or she could
   still cause a system crash (DoS) via this vulnerability.


III.  Solutions

  A.  Official fix

      IBM is working on the following fixes which will be available
      soon:

      AIX 4.3.x and 5.1: APAR assignment pending.

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM. Affected customers are
      urged to upgrade to 4.3.3 at the latest maintenance level,
      or to 5.1, when it becomes available.

  B.  How to minimize the vulnerability

    Temporary fixes for AIX 4.3.x and 5.1 systems are available.

    The temporary fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z

    The efix tarball consists of two patched xntpd binaries, one for
    AIX 4.3.x systems (xntpd.43) and one for AIX 5.1 (scheduled for
    release soon; binary is xntpd.51). A copy of this Advisory is also
    included.

    These temporary fixes have not been fully regression tested; thus,
    IBM does not warrant the fully correct functioning of the efix.
    Customers install the efix and operate the modified version of AIX
    at their own risk.

    To proceed with efix installation:

    First, verify the MD5 cryptographic hash sums of each efix file
    you obtain from unpacking the efix tarball with those given below.
    These should match exactly; if they do not, double check the hash
    results and the download site address. If OK, contact IBM AIX
    Security at security-alert@austin.ibm.com and describe the
    discrepancy.


    Filename        sum             md5
    =================================================================
    xntpd.43        15698   254     66f9e21a02267eaead6f7f020f16ce8c
    xntpd.51        56685   267     6a2c7260a45c3849752f976f12c1881c


    Efix Installation Instructions:
    -------------------------------

    1. Become root, if not already done.

    2. In a scratch or tmp directory, uncompress and untar the efix:

       a. uncompress xntpd_efix.tar.Z
       b. tar -xvf xntpd_efix.tar

    3. If you are running an AIX 4.3.x system, copy the xntpd.43 file
       to /usr/sbin. Do the same if you have AIX 5.1 running, except
       copy the xntpd.51 file.

    4. Stop the ntp daemon if it is currently running:

       a. stopsrc -s xntpd

    5. Make a backup copy of the existing
       xntpd binary package in case something goes wrong with the
       installation of the efix:

       a. cp /usr/sbin/xntpd /usr/sbin/xntpd.original

    6. Now copy the efix binary to take the place of the original xntpd:

       a. cp /usr/sbin/xntpd.43 (or xntpd.51, as appropriate)
          /usr/sbin/xntpd.

    7. Check to be certain that the new xntpd is executable by root and
       is assigned proper permissions otherwise.

    8. Restart the ntp daemon:

       a. startsrc -s xntpd



IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

Many thanks to Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
for discovering this vulnerability, and to the CERT/CC and
SecurityFocus' BUGTRAQ for posting notices of this security
problem.

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

   security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOtWVhcXrSKQHhgFwEQKJ4gCgtmhQJ6WouopVi0pPcnlnu/Z67NcAoLiD
2wvKo+hjNY3MqAWw+QjUEOuA
=9nPJ
-----END PGP SIGNATURE-----
----------- Forwarded Information Ends Here.

Copyright 2013, SecurityGlobal.net LLC