Linux Today: Linux News On Internet Time.

Progeny Security Advisory: [UPDATE] ntpd remote buffer overflow

Apr 13, 2001, 19:36
From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow
Date: Fri, 13 Apr 2001 11:05:50 -0500 (EST)

PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-02A

Topic: ntpd remote buffer overflow

    Category:       net
    Module:         ntp
    Announced:      2001-04-09
    Credits:        Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
                    BUGTRAQ <BUGTRAQ@securityfocus.com>
                    Poul-Henning Kamp <phk@freebsd.org>
    Affects:        Progeny Debian (ntp prior to 4.0.99g-2.0progeny6)
                    Debian GNU/Linux (ntp prior to 4.0.99g-2potato2)
    Vendor-Status:  New Version Released (ntp_4.0.99g-2.0progeny6)
    Corrected:      2001-04-12

Progeny Only: NO

$Id: PROGENY-SA-2001-02,v 1.11 2001/04/13 15:54:28 jdaily Exp $


UPDATE SYNOPSIS

This is an update to advisory PROGENY-SA-2001-02. The original fix for the ntpd vulnerability described below introduced a potential denial of service. This has been corrected in a new package, ntp_4.0.99g-2.0progeny6.

SYNOPSIS

Versions of the Network Time Protocol Daemon (ntpd) previous to and including 4.0.99k have a remote buffer overflow which may lead to a remote root exploit.

PROBLEM DESCRIPTION

The Network Time Protocol Daemon is vulnerable to a remote buffer overflow attack which could potentially be exploited to gain remote root access.

The buffer overflow occurs when building a response to a query with a large readvar argument. The shellcode executed must be less than 70 bytes, otherwise the destination buffer is damaged. This makes the vulnerability difficult but not impossible to exploit.

Furthermore, it should be noted that it is easy to spoof the source address of potentially malicious queries sent to an ntp server.

IMPACT

Remote users could adapt available exploits to gain root privileges.

SOLUTION

Upgrade to a fixed version of ntpd. You may use Progeny's ntp package, version 4.0.99g-2.0progeny6, for convenience.

WORKAROUND

No known workaround exists for this vulnerability.

UPDATING VIA APT-GET

  1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's security update repository:

     deb http://archive.progeny.com/progeny updates/newton/

  2. Update your cache of available packages for apt(8).

     Example:

     # apt-get update

  3. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8).

     Example:

     # apt-get install ntp

  4. Since this update installs a new version of the ntp daemon, we recommend restarting it following installation to make certain the old version is not still running.

     Example:

     # /etc/init.d/ntp restart

UPDATING VIA DPKG

  1. Use your preferred FTP/HTTP client to retrieve the following updated file from Progeny's update archive at:

     http://archive.progeny.com/progeny/updates/newton/

     Filename                             MD5 Checksum
     ntp_4.0.99g-2.0progeny6_i386.deb     8ce73b29f7d4b77dda190c3b31c42255

     Example:

     # wget http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb

  2. Use the md5sum command on the retrieved file to verify that it matches the md5sum provided in this advisory:

     Example:

     # md5sum ntp_4.0.99g-2.0progeny6_i386.deb

  3. Then install the replacement package(s) using the dpkg command.

     Example:

     # dpkg --install ntp_4.0.99g-2.0progeny6_i386.deb

  4. Since this update installs a new version of the ntp daemon, we recommend restarting it following installation to make certain the old version is not still running.

     Example:

     # /etc/init.d/ntp restart
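The dpkg procedure above, as an added example that is not part of the advisory: a POSIX shell script that downloads the package from the advisory's URL, refuses to run dpkg unless the file's MD5 matches the checksum listed in step 1, and restarts the daemon afterwards. The helper names (md5_of, verify_md5, apply_update) and the "install" argument are our own; the URL, filename and checksum are quoted from the advisory.

```shell
#!/bin/sh
# Added example, not from the Progeny advisory: fetch the updated ntp
# package and refuse to run dpkg unless its MD5 matches the advisory.
# URL, filename and checksum are quoted from the advisory; helper names are ours.

ARCHIVE_URL="http://archive.progeny.com/progeny/updates/newton"
PKG_FILE="ntp_4.0.99g-2.0progeny6_i386.deb"
ADVISORY_MD5="8ce73b29f7d4b77dda190c3b31c42255"

# md5_of FILE: print the hex MD5 of FILE (first field of md5sum output);
# fails if the file is unreadable.
md5_of() {
    [ -r "$1" ] || return 1
    md5sum "$1" | awk '{print $1}'
}

# verify_md5 FILE EXPECTED: succeed only when the digests match
# (case-insensitive, since published checksums vary in case).
verify_md5() {
    actual=$(md5_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# apply_update: the advisory's dpkg steps 1-4 with the checksum check
# enforced before dpkg --install ever sees the file.
apply_update() {
    wget -q "$ARCHIVE_URL/$PKG_FILE" || { echo "download failed" >&2; return 1; }
    if ! verify_md5 "$PKG_FILE" "$ADVISORY_MD5"; then
        echo "MD5 mismatch: $(md5_of "$PKG_FILE") != $ADVISORY_MD5" >&2
        rm -f "$PKG_FILE"          # do not leave a suspect package around
        return 1
    fi
    dpkg --install "$PKG_FILE" && /etc/init.d/ntp restart
}

# Run the full procedure only when asked explicitly ("sh update-ntp.sh install");
# otherwise the file just defines the helpers.
if [ "${1-}" = "install" ]; then
    apply_update
fi
```

The checksum check only confirms that the download matches what this advisory lists; it says nothing about the advisory itself. apt(8), as described in the previous section, performs the same md5 verification for you.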

MORE INFORMATION

While (reportedly) all upstream versions of ntp previous to and including 4.0.99k are vulnerable, the Progeny Debian 4.0.99g-2.0progeny6 and Debian GNU/Linux 4.0.99g-2potato2 packages have been patched to fix this problem.