Date: Mon, 9 Apr 2001 06:31:27 -0500
From: Progeny Security Team <[email protected]>
Subject: PROGENY-SA-2001-02: ntpd remote buffer overflow

---------------------------------------------------------------------------
PROGENY LINUX SYSTEMS -- SECURITY ADVISORY               PROGENY-SA-2001-02
---------------------------------------------------------------------------

Topic:          ntpd remote buffer overflow

Category:       net
Module:         ntp
Announced:      2001-04-09
Credits:        Przemyslaw Frasunek <[email protected]>
                BUGTRAQ <[email protected]>
                Poul-Henning Kamp <[email protected]>
Affects:        Progeny Debian (ntp prior to 4.0.99g-2.0progeny3)
                Debian GNU/Linux (ntp prior to 4.0.99g-2potato1)
Vendor-Status:  New Version Released (ntp_4.0.99g-2.0progeny3)
Corrected:      2001-04-09
Progeny Only:   NO

$Id: PROGENY-SA-2001-02,v 1.6 2001/04/09 08:39:58 csg Exp $

---------------------------------------------------------------------------

SYNOPSIS

Versions of the Network Time Protocol Daemon (ntpd) previous to and
including 4.0.99k have a remote buffer overflow which may lead to a
remote root exploit.

PROBLEM DESCRIPTION

The Network Time Protocol Daemon is vulnerable to a remote buffer
overflow attack which could potentially be exploited to gain remote
root access.

The buffer overflow occurs when building a response to a query with a
large readvar argument. The shellcode executed must be less than 70
bytes, otherwise the destination buffer is damaged. This makes the
vulnerability difficult but not impossible to exploit. Furthermore, it
should be noted that it is easy to spoof the source address of
potential malicious queries to an ntp server.

IMPACT

Remote users could adapt available exploits to gain root privileges.

SOLUTION

Upgrade to a fixed version of ntpd. You may use Progeny's ntp package,
version 4.0.99g-2.0progeny3, for convenience.

WORKAROUND

No known workaround exists for this vulnerability.

UPDATING VIA APT-GET

 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    security update repository:

        deb http://archive.progeny.com/progeny updates/newton/

 2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

 3. Using apt(8), install the new ntp package. apt(8) will download
    the update, verify its integrity with md5, and then install the
    package on your system with dpkg(8).

    Example:

        # apt-get install ntp

 4. Since this update installs a new version of the ntp daemon, the
    security fixes cannot take effect until you restart ntpd. It is
    advisable to restart ntpd as soon as possible.

    Example:

        # /etc/init.d/ntp restart

UPDATING VIA DPKG

 1. Use your preferred FTP/HTTP client to retrieve the following
    updated files from Progeny's update archive at:

        http://archive.progeny.com/pub/progeny/updates/newton/

    Filename                              MD5 Checksum
    ------------------------------------  --------------------------------
    ntp_4.0.99g-2.0progeny3_i386.deb      edac3588fc782c6729b90719e7f41c5b

    Example:

        # wget http://archive.progeny.com/pub/progeny/updates/newton/ntp_4.0.99g-2.0progeny3_i386.deb

 2. Use the md5sum command on the retrieved file to verify that it
    matches the md5sum provided in this advisory:

    Example:

        # md5sum ntp_4.0.99g-2.0progeny3_i386.deb

 3. Then install the replacement package(s) using the dpkg command.

    Example:

        # dpkg --install ntp_4.0.99g-2.0progeny3_i386.deb

 4. Since this update installs a new version of the ntp daemon, the
    security fixes cannot take effect until you restart ntpd. It is
    advisable to restart ntpd as soon as possible.

    Example:

        # /etc/init.d/ntp restart

MORE INFORMATION

While (reportedly) all upstream versions of ntp previous to and
including 4.0.99k are vulnerable, the Progeny Debian
4.0.99g-2.0progeny3 and Debian GNU/Linux 4.0.99g-2potato1 packages
have been patched to fix this problem.

---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team <[email protected]>
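Steps 2 and 3 of UPDATING VIA DPKG leave the checksum comparison to the eye. The shell functions below are an added example, not part of Progeny's advisory: they refuse to run dpkg unless the file's MD5 equals the value printed above. The function names and the INSTALLER dry-run override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate the advisory's dpkg step on its published MD5 value.
# Usage: sh verify-install.sh ntp_4.0.99g-2.0progeny3_i386.deb

# Copied from the table in the UPDATING VIA DPKG section of the advisory.
ADVISORY_MD5="edac3588fc782c6729b90719e7f41c5b"

# verify_md5 FILE EXPECTED  (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be made:
# unreadable file, or EXPECTED is not 32 hex digits (truncated copy/paste).
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2
    [ -f "$file" ] && [ -r "$file" ] || return 2
    # md5sum prints "<digest>  -" for stdin; keep only the digest field.
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_if_verified FILE EXPECTED  (hypothetical helper name)
# Runs the installer only when the digest matches; otherwise nothing is
# installed and the verify_md5 return code is passed back to the caller.
install_if_verified() {
    if verify_md5 "$1" "$2"; then
        # INSTALLER is an assumed override for dry runs; the default is the
        # command the advisory gives.
        ${INSTALLER:-dpkg --install} "$1"
    else
        rc=$?
        echo "refusing to install $1: MD5 check failed (code $rc)" >&2
        return "$rc"
    fi
}

# When called with a package path, check it against the advisory's value.
[ "$#" -eq 0 ] || install_if_verified "$1" "${2:-$ADVISORY_MD5}"
```

The comparison is only as trustworthy as the copy of the advisory the MD5 value was taken from.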