[SLO-TIME] Buffer overflow in xntpd (v3) and ntpd (v4)

Mark Martinec Mark.Martinec@ijs.si
Fri, 06 Apr 2001 11:32:00 +0200


From: "David L. Mills" <mills@udel.edu>
Newsgroups: comp.protocols.time.ntp
Subject: Re: Buffer overflow in xntp v4?
Organization: University of Delaware, EE/CIS Lab
Date: Fri, 06 Apr 2001 05:16:49 +0100
NNTP-Posting-Date: 6 Apr 2001 05:19:46 GMT
Message-ID: <3ACD4331.2A4F8207@udel.edu>

Folks,

There is indeed a vulnerability in all versions of NTP since 1990. A
simple generic patch applies to all versions and has been submitted to
the CERT. Without it and subject to intricate machine/OS/compiler
analysis it is possible to coredump the daemon. It seems very unlikely
that the vulnerability can extend to root compromise. From what I can
determine here, and reported to the CERT, the test program that purports
to reveal the consequences
of the problem, in particular a possible root compromise, is broken and
cannot be relied upon to present the facts. This is not to say that the
vulnerability does not exist, just that the test program is not a
reliable indicator. For instance, the program reports a compromise when
the NTP daemon was in fact not running at all. Further investigation
should clarify the situation, but for now the hazard may have been
exaggerated.

Dave

Mike Iglesias wrote:
> 
> A message on the Bugtraq mailing list today says that there's a buffer
> overflow problem with ntpd <= 4.0.99k, and was supposedly tested against
> FreeBSD 4.2-STABLE and Redhat Linux 7.0 with 4.0.99k.  RH 7.0 comes
> with 4.0.99j, which must need a different offset than 4.0.99k because
> I can't get the exploit to work.
> 
> Does anyone have any more information on this?
> 
> --
> Mike Iglesias                          Internet:    iglesias@draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069