
Re: [linux-security] ALERT: remote root exploit in ntpd (addendum)



On Fri, Apr 06, 2001 at 07:09:23PM -0700, Martin Siegert wrote:
> Topic
> =====
> possibility of remote root exploit in ntpd (time synchronization).

Topic
=====
Off-by-one error in patched ntp versions.

Problem Description
===================
Some of the recently released patches for ntp contain an off-by-one error
that could be used to crash ntpd (no exploit possible).

Affected Systems
================
- Debian 
- Systems with a patched ntp using the NetBSD patch from the previous
  advisory.
The new RedHat RPMs are not affected by this.
Status of the other distributions unknown.

Solution
========

Debian 2.2 (potato)
-------------------
upgrade to ntp_4.0.99g-2potato2_i386.deb and ntpdate_4.0.99g-2potato2_i386.deb

Other affected systems
----------------------
(updated patch)
=====(cut here)==========================================================
--- ntpd/ntp_control.c       2000/04/22 14:53:15     1.1.1.2
+++ ntpd/ntp_control.c       2001/04/05 02:08:01     1.2
@@ -1821,9 +1821,22 @@
 					while (cp < reqend &&
 					    isspace((int)*cp))
 						cp++;
-					while (cp < reqend && *cp !=
-					    ',')
+					while (cp < reqend && *cp != ',') {
						*tp++ = *cp++;
+						if (tp >=
+						    buf + sizeof(buf)) {
+#if 0  /* don't syslog for now - DoS potential on filling syslog */
+                                                       msyslog(LOG_WARNING,
+    "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+    ntohs(rmt_addr->sin_port));
+#endif
+							return (0);
+						}
+					}
					if (cp < reqend)
						cp++;
					*tp = '\0';
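Review bot: the bound test `if (tp >= buf + sizeof(buf))` runs only after the store `*tp++ = *cp++`, so the loop is safe only if tp already points inside buf on entry, and nothing in the hunk states that invariant. The `>=` is what guarantees that the `*tp = '\0'` in the trailing context still lands inside buf; with `>` the terminator could be written one byte past the end. Consider testing the bound before the store, or at least adding a comment saying why `>=` is required. Separately, the msyslog call under `#if 0` is dead code that uses rmt_addr, which this hunk does not show to be in scope; either remove it or replace it with rate-limited logging so that the silent `return (0)` leaves some trace.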
============================================================================
Apply the patch as before with
# patch -b -p0 < ntp.patch

Alternatively, you can download the intermediate release
ntp-4.0.99k23.tar.gz available from www.ntp.org.

Compilation and installation is as before:
# CC=gcc ./configure
# make > make.log 2>&1
# make install > install.log 2>&1
restart ntpd