[linux-security] ALERT: remote root exploit in ntpd
- To: linux-security
- Subject: [linux-security] ALERT: remote root exploit in ntpd
- From: Martin Siegert <siegert@sfu.ca>
- Date: Fri, 6 Apr 2001 19:09:23 -0700
- User-Agent: Mutt/1.2.5i
Topic
=====
possibility of remote root exploit in ntpd (time synchronization).
Problem Description
===================
NTP (network time protocol) daemons such as ntp and xntp3 are vulnerable to
a buffer overflow that can lead to a remote root exploit.
Although currently I am not aware of a working remote root exploit, it is
recommended to upgrade or patch ntp (xntp3) immediately.
This is currently one of the "hottest" issues on security related mailing
lists and there is a high possibility that a working exploit will be
found over the weekend.
Affected Systems
================
All Unix systems that run ntp (or xntp3). All versions of ntp.
Workaround
==========
If you are using ntpd only to synchronize time with external servers, i.e.,
if you are using ntpd only as a client (no machines connect to your machine
to get the time from it), then you can add the following line to your
/etc/ntp.conf file:
restrict default ignore
This was reported to prevent the exploit.
Solution
========
upgrade to patched packages or patch code yourself and recompile.
ntp.org has not yet released a new official version.
Debian 2.2 (potato)
-------------------
upgrade to the following two packages:
ntp_4.0.99g-2potato1_i386.deb and ntpdate_4.0.99g-2potato1_i386.deb
Mandrake 6.x
------------
rpm -Fvh xntp3-5.93-9.4mdk.i586.rpm
Mandrake 7.0
------------
rpm -Fvh xntp3-5.93-9.3mdk.i586.rpm
Mandrake 7.1
------------
rpm -Fvh ntp-4.0.99k-3.1mdk.i586.rpm xntp3-5.93-9.1mdk.i586.rpm
Mandrake 7.2
------------
rpm -Fvh ntp-4.0.99k-3.1mdk.i586.rpm xntp3-5.93-9.2mdk.i586.rpm
All other distributions
-----------------------
If you have ntp installed (check: "rpm -qa | grep ntp") and you cannot
use the workaround, do the following (everything that follows a # is to be
understood as a command to be entered at the keyboard):
1) download ntp-4.0.99k.tar.gz (e.g., from http://www.ntp.org) and save it,
e.g., in /tmp.
2) # cd /usr/local/src
# tar xzvf /tmp/ntp-4.0.99k.tar.gz
3) save everything between the following ============ lines in a file
/usr/local/src/ntp-4.0.99k/ntp.patch
===========================================================================
--- ntpd/ntp_control.c 2000/04/22 14:53:15 1.1.1.2
+++ ntpd/ntp_control.c 2001/04/05 02:08:01 1.2
@@ -1821,9 +1821,22 @@
while (cp < reqend &&
isspace((int)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp >=
+ buf + sizeof(buf) - 1) {
+#if 0 /* don't syslog for now - DoS potential on filling syslog */
+ msyslog(LOG_WARNING,
+ "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port));
+#endif
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
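Review bot: In the new loop body the length test runs only after `*tp++ = *cp++` has already stored the byte, so the fix holds only if tp is guaranteed to be below buf + sizeof(buf) - 1 when the loop is entered; testing before the store, or in the while condition itself, removes that dependency. The early `return (0)` also skips the `*tp = '\0'` that follows the loop, so it is worth confirming that every caller treats a 0 return as "no value" and never reads buf afterwards. With the msyslog call under `#if 0` the rejection is silent; a rate-limited log line would serve operators better than dead code.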
===========================================================================
(this is a patch from NetBSD, the Debian patch is almost identical).
4) # patch -b -p0 < ntp.patch
5) # CC=gcc ./configure
6) # make > make.log 2>&1
7) check make.log for errors (warnings are ok).
8) # make install > install.log 2>&1
(the install.log file will tell you which files got installed. Most files
will be in /usr/local/bin/ntp*. You can then later remove the files, if
you wish to install an upgrade for your distribution).
9) restart ntpd
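
A way to check whether the workaround from the "Workaround" section is in place on a host, as an added example that is not part of the original advisory. The function name audit_ntp_conf and the sample addresses are constructed; the check goes slightly beyond the text by also flagging server/peer entries that have no restrict line of their own, because ntpd applies "restrict default ignore" to packets from those hosts as well (names are compared as plain strings).

```shell
#!/bin/sh
# Audit an ntp.conf for the "restrict default ignore" workaround.
# Prints one finding per line; returns 0 only if the workaround is present.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                      # strip comments
    NF == 0 { next }                        # skip blank lines
    $1 == "restrict" && $2 == "default" {
        seen_default = 1
        for (i = 3; i <= NF; i++)
            if ($i == "ignore") ignore = 1
        next
    }
    $1 == "restrict" { allowed[$2] = 1; next }   # per-host exception
    $1 == "server" || $1 == "peer" { upstream[++n] = $2 }
    END {
        if (!seen_default)
            print "FAIL no restrict default line"
        else if (!ignore)
            print "FAIL restrict default lacks ignore"
        else
            print "OK restrict default ignore"
        # With default ignore active, an upstream without its own
        # restrict line has its replies dropped as well.
        for (i = 1; i <= n; i++)
            if (ignore && !(upstream[i] in allowed))
                print "WARN no restrict line for " upstream[i]
        exit !ignore
    }' "$1"
}

# Constructed sample config (documentation-range addresses, not real servers).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server 192.0.2.10
server 192.0.2.11       # second upstream
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap noquery
EOF
audit_ntp_conf "$sample"
rm -f "$sample"
```

On a real host, pass the path of the live configuration, e.g. /etc/ntp.conf as named in the advisory.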