From: Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow
Date: Fri, 13 Apr 2001 11:05:50 -0500 (EST)
PROGENY LINUX SYSTEMS — SECURITY ADVISORY PROGENY-SA-2001-02A
Topic: ntpd remote buffer overflow
Category: net
Module: ntp
Announced: 2001-04-09
Credits: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
BUGTRAQ <BUGTRAQ@securityfocus.com>
Poul-Henning Kamp <phk@freebsd.org>
Affects: Progeny Debian (ntp prior to 4.0.99g-2.0progeny6)
Debian GNU/Linux (ntp prior to 4.0.99g-2potato2)
Vendor-Status: New Version Released (ntp_4.0.99g-2.0progeny6)
Corrected: 2001-04-12
Progeny Only: NO
$Id: PROGENY-SA-2001-02,v 1.11 2001/04/13 15:54:28 jdaily Exp $
UPDATE SYNOPSIS
This is an update to advisory PROGENY-SA-2001-02. The original
fix for the ntpd vulnerability described below introduced a
potential denial of service. This has been corrected in a new
package, ntp_4.0.99g-2.0progeny6.
SYNOPSIS
Versions of the Network Time Protocol Daemon (ntpd) previous to
and including 4.0.99k have a remote buffer overflow which may lead
to a remote root exploit.
PROBLEM DESCRIPTION
The Network Time Protocol Daemon is vulnerable to a remote
buffer overflow attack which could potentially be exploited to gain
remote root access.
The buffer overflow occurs when building a response to a query
with a large readvar argument. The shellcode executed must be less
than 70 bytes, otherwise the destination buffer is damaged. This
makes the vulnerability difficult but not impossible to
exploit.
Furthermore, it should be noted that it is easy to spoof the
source address of potentially malicious queries to an ntp server.
IMPACT
Remote users could adapt available exploits to gain root
privileges.
SOLUTION
Upgrade to a fixed version of ntpd. You may use Progeny’s ntp
package, version 4.0.99g-2.0progeny6, for convenience.
WORKAROUND
No known workaround exists for this vulnerability.
UPDATING VIA APT-GET
1. Ensure that your /etc/apt/sources.list file has a URI for
Progeny’s security update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
Example:
# apt-get update
3. Using apt(8), install the new package. apt(8) will download
the update, verify its integrity with md5, and then install the
package on your system with dpkg(8).
Example:
# apt-get install ntp
4. Since this update installs a new version of the ntp daemon, we
recommend restarting it following installation to make certain
the old version is not still running.
Example:
# /etc/init.d/ntp restart
UPDATING VIA DPKG
1. Use your preferred FTP/HTTP client to retrieve the following
updated file from Progeny’s update archive at:
http://archive.progeny.com/progeny/updates/newton/
Filename                            MD5 Checksum
ntp_4.0.99g-2.0progeny6_i386.deb    8ce73b29f7d4b77dda190c3b31c42255
Example:
# wget http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb
2. Use the md5sum command on the retrieved file to verify that it matches
the md5sum provided in this advisory:
Example:
# md5sum ntp_4.0.99g-2.0progeny6_i386.deb
3. Then install the replacement package(s) using the dpkg command.
Example:
# dpkg --install ntp_4.0.99g-2.0progeny6_i386.deb
4. Since this update installs a new version of the ntp daemon, we
recommend restarting it following installation to make certain
the old version is not still running.
Example:
# /etc/init.d/ntp restart
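The dpkg steps above, collected into a small script that refuses to install the package unless its digest matches the checksum published in this advisory. This is an added example, not part of the advisory or Progeny's tooling; the function names are my own, and the checksum is the one listed for the i386 package above.

```shell
#!/bin/sh
# Added example: verify the downloaded ntp package against the MD5 digest
# published in PROGENY-SA-2001-02A before handing it to dpkg, then restart
# ntpd so the vulnerable binary is not left running.

# Values taken from the advisory's file table (i386 package).
ADVISORY_PKG="ntp_4.0.99g-2.0progeny6_i386.deb"
ADVISORY_MD5="8ce73b29f7d4b77dda190c3b31c42255"

# md5_of FILE: print the MD5 hex digest of FILE (first field of md5sum output).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# install_verified FILE EXPECTED: fail closed on a checksum mismatch; on a
# match install with dpkg and restart the daemon as the advisory recommends.
install_verified() {
    if ! verify_md5 "$1" "$2"; then
        echo "checksum mismatch for $1; refusing to install" >&2
        return 1
    fi
    dpkg --install "$1" && /etc/init.d/ntp restart
}

# Usage, as root, after fetching the package from the advisory's archive URL:
# install_verified "$ADVISORY_PKG" "$ADVISORY_MD5"
```

A download that was truncated or tampered with stops at the mismatch message instead of reaching dpkg.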
MORE INFORMATION
While (reportedly) all upstream versions of ntp previous to and
including 4.0.99k are vulnerable, the Progeny Debian
4.0.99g-2.0progeny6 and Debian GNU/Linux 4.0.99g-2potato2 packages
have been patched to fix this problem.