(Sun Issues Fix for E10K Server) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID: 1004207
SecurityTracker URL: http://securitytracker.com/id/1004207
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 2 2002
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).
The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.
When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.
Code for a demonstration exploit is contained in the source message.
Impact:
A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.
Solution:
The vendor has issued a patch for Solaris 2.5.1 for the E10000 server. All of the available patches are listed below.
SPARC
Solaris 2.5.1 (for E10k only) with patch 112770-01 or later
Solaris 2.6 with patch 107298-03 or later
Solaris 7 with patch 109409-04 or later
Solaris 8 with patch 109667-04 or later
Intel
Solaris 2.6 with patch 107299-03 or later
Solaris 7 with patch 109410-03 or later
Solaris 8 with patch 109668-04 or later
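A patch-level check built from the list above, added here as an example (it is not part of the SecurityTracker entry or the Sun Alert). It assumes the patch inventory comes from `showrev -p`, that architecture and release are given as `uname -p` and `uname -r` report them, and the function names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Patch IDs are copied from the list above;
# the release column uses `uname -r` values (Solaris 2.5.1 = 5.5.1,
# 2.6 = 5.6, 7 = 5.7, 8 = 5.8). The 5.5.1 row applies to E10K servers only.
FIXED_PATCHES='sparc 5.5.1 112770-01
sparc 5.6 107298-03
sparc 5.7 109409-04
sparc 5.8 109667-04
i386 5.6 107299-03
i386 5.7 109410-03
i386 5.8 109668-04'

# Print the minimum fixed patch for an arch/release pair; fail if unlisted.
required_patch() {
    printf '%s\n' "$FIXED_PATCHES" |
        awk -v a="$1" -v r="$2" '$1 == a && $2 == r { print $3; hit = 1 }
                                 END { exit !hit }'
}

# Read `showrev -p` output on stdin; succeed if the patch named in $1 is
# installed at that revision or any later one ("or later" in the list).
patch_ok() {
    awk -v need="$1" 'BEGIN { split(need, n, "-") }
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == n[1] && p[2] + 0 >= n[2] + 0) ok = 1 }
        END { exit !ok }'
}

# $1 = arch, $2 = release, stdin = showrev -p output.
# Returns 0 patched, 1 vulnerable, 2 release not covered by the alert.
check_xntpd_patch() {
    need=$(required_patch "$1" "$2") || { echo "not listed: $1 $2"; return 2; }
    if patch_ok "$need"; then
        echo "patched: $need or later installed"; return 0
    fi
    echo "vulnerable: install $need or later"; return 1
}

# Constructed sample of `showrev -p` output from a Solaris 8 SPARC host
# that still carries an old revision of the xntpd patch.
SAMPLE_OLD='Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109667-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWntpu'

printf '%s\n' "$SAMPLE_OLD" | check_xntpd_patch sparc 5.8 || :
# On a live host: showrev -p | check_xntpd_patch "$(uname -p)" "$(uname -r)"
```

The revision comparison is numeric, so a host at 109667-02 is reported as vulnerable while 109667-05 passes.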
Vendor URL: sunsolve.sun.com/security/
Cause: Boundary error
Underlying OS: UNIX (Solaris - SunOS)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Thu, 02 May 2002 09:57:08 -0400
Subject: Sun Alert 40771
DOCUMENT ID: 40771
SYNOPSIS: Buffer Overflow in xntpd(1m)
DETAIL DESCRIPTION:
Sun(sm) Alert Notification
Sun Alert ID: 40771
Synopsis: Buffer Overflow in xntpd(1m)
Category: Security
Product: Solaris
BugIDs: 4434235
Avoidance: Patch
State: Resolved
Date Released: 23-Oct-2001, 01-May-2002
Date Closed: 23-Oct-2001
Date Modified: 01-May-2002
1. Impact
It is possible for unprivileged local or remote users to cause
xntpd(1M), the Network Time Protocol daemon, to dump core.
2. Contributing Factors
This issue can occur in the following releases:
SPARC
Solaris 2.5.1 (for E10K only) without patch 112770-01
Solaris 2.6 without patch 107298-03
Solaris 7 without patch 109409-04
Solaris 8 without patch 109667-04
Intel
Solaris 2.6 without patch 107299-03
Solaris 7 without patch 109410-03
Solaris 8 without patch 109668-04
Note: xntpd(1m) was not supplied by Sun for earlier releases than
Solaris 2.6 except for the Enterprise 10000 (E10K).
3. Symptoms
The xntpd daemon will no longer be running on the affected system. This
can be checked by running the following command:
    /usr/bin/ps -ef | grep xntpd
If xntpd is running you will see output similar to this:
    root 201 1 0 Oct 15 ? 0:00 /usr/lib/inet/xntpd
It is not possible to tell if xntpd has died because of this problem or
a separate issue.
SOLUTION SUMMARY:
4. Relief/Workaround
There is no workaround for this issue. To restart xntpd run the
following as root:
    # /etc/init.d/xntpd start
5. Resolution
This issue is addressed in the following releases:
SPARC
Solaris 2.5.1 (for E10k only) with patch 112770-01 or later
Solaris 2.6 with patch 107298-03 or later
Solaris 7 with patch 109409-04 or later
Solaris 8 with patch 109667-04 or later
Intel
Solaris 2.6 with patch 107299-03 or later
Solaris 7 with patch 109410-03 or later
Solaris 8 with patch 109668-04 or later
Change History
01-May-2002:
Date Released: 23-Oct-2001, 01-May-2002
Updated Contributing Factors and Resolution to include patch for E10K
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.
Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.