dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Progeny Security Advisory: ntpd remote buffer overflow

Apr 09, 2001, 23:00 (0 Talkback[s])
Date:         Mon, 9 Apr 2001 06:31:27 -0500
From: Progeny Security Team <security@PROGENY.COM>
Subject:      PROGENY-SA-2001-02: ntpd remote buffer overflow

 ---------------------------------------------------------------------------
 PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-02
 ---------------------------------------------------------------------------

    Topic:          ntpd remote buffer overflow

    Category:       net
    Module:         ntp
    Announced:      2001-04-09
    Credits:        Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
                    BUGTRAQ <BUGTRAQ@securityfocus.com>
                    Poul-Henning Kamp <phk@freebsd.org>
    Affects:        Progeny Debian (ntp prior to 4.0.99g-2.0progeny3)
                    Debian GNU/Linux (ntp prior to 4.0.99g-2potato1)
    Vendor-Status:  New Version Released (ntp_4.0.99g-2.0progeny3)
    Corrected:      2001-04-09
    Progeny Only:   NO

    $Id: PROGENY-SA-2001-02,v 1.6 2001/04/09 08:39:58 csg Exp $

 ---------------------------------------------------------------------------


SYNOPSIS

Versions of the Network Time Protocol Daemon (ntpd) previous to and
including 4.0.99k have a remote buffer overflow which may lead to a
remote root exploit.


PROBLEM DESCRIPTION

The Network Time Protocol Daemon is vulnerable to a remote buffer
overflow attack which could potentially be exploited to gain remote root
access.

The buffer overflow occurs when building a response to a query with a
large readvar argument.  The shellcode executed must be less than 70
bytes, otherwise the destination buffer is damaged.  This makes the
vulnerability difficult but not impossible to exploit.

Furthermore, it should be noted that it is easy to spoof the source
address of potential malicious queries to an ntp server.


IMPACT

Remote users could adapt available exploits to gain root privileges.


SOLUTION

Upgrade to a fixed version of ntpd.  You may use Progeny's ntp package,
version 4.0.99g-2.0progeny3, for convenience.


WORKAROUND

No known workaround exists for this vulnerability.


UPDATING VIA APT-GET

 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    security update repository:

        deb http://archive.progeny.com/progeny updates/newton/

 2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

 3. Using apt(8), install the new kernel package.  apt(8) will download
    the update, verify it's integrity with md5, and then install the
    package on your system with dpkg(8).

    Example:

        # apt-get install ntp

 4. Since this update installs a new version of the ntp daemon, the
    security fixes cannot take effect until you restart ntpd.  It is
    advisable to restart ntpd as soon as possible.

    Example:

        # /etc/init.d/ntp restart


UPDATING VIA DPKG

 1. Using your preferred FTP/HTTP client to retrieve the following
    updated files from Progeny's update archive at:

    http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                             MD5 Checksum
    ------------------------------------ --------------------------------
    ntp_4.0.99g-2.0progeny3_i386.deb     edac3588fc782c6729b90719e7f41c5b

    Example:

        # wget http://archive.progeny.com/pub/progeny/updates/newton/ntp_4.0.99g-2.0progeny3_i386.deb

 2. Use the md5sum command on the retrieved file to verify that it matches
    the md5sum provided in this advisory:

    Example:

        # md5sum ntp_4.0.99g-2.0progeny3_i386.deb

 3. Then install the replacement package(s) using the dpkg command.

    Example:

        # dpkg --install ntp_4.0.99g-2.0progeny3_i386.deb

 4. Since this update installs a new version of the ntp daemon, the
    security fixes cannot take effect until you restart ntpd.  It is
    advisable to restart ntpd as soon as possible.

    Example:

        # /etc/init.d/ntp restart


MORE INFORMATION

While (reportedly) all upstream versions of ntp previous to and
including 4.0.99k are vulnerable, the Progeny Debian
4.0.99g-2.0progeny3 and Debian GNU/Linux 4.0.99g-2potato1 packages
have been patched to fix this problem.

 ---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>