
[linux-security] ALERT: remote root exploit in ntpd



Topic
=====
Possibility of a remote root exploit in ntpd (time synchronization).

Problem Description
===================
NTP (network time protocol) daemons such as ntp and xntp3 are vulnerable to
a buffer overflow that can lead to a remote root exploit.

Although currently I am not aware of a working remote root exploit, it is
recommended to upgrade or patch ntp (xntp3) immediately.
This is currently one of the "hottest" issues on security related mailing
lists and there is a high possibility that a working exploit will be
found over the weekend.

Affected Systems
================
All Unix systems that run ntp (or xntp3). All versions of ntp.

Workaround
==========
If you are using ntpd only to synchronize time with external servers, i.e.,
if you are using ntpd only as a client (no machines connect to your machine
to get the time from it), then you can add the following line to your
/etc/ntp.conf file:

restrict default ignore

This was reported to prevent the exploit.
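
An added example, not part of the original advisory: a shell check that an
ntp.conf carries the workaround and that it does not also cut off your own
time sources. It assumes ntpd's usual restrict matching, where the most
specific entry applies, so under "restrict default ignore" a configured server
needs its own restrict line; the function names, exit codes and the 192.0.2.10
address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an ntp.conf for the workaround.
# Exit status: 0 = workaround present and every upstream is still allowed,
#              1 = "restrict default ignore" missing,
#              2 = workaround present, but an upstream would be ignored too.
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "restrict" {
            ign = 0
            for (i = 3; i <= NF; i++) if ($i == "ignore") ign = 1
            if ($2 == "default") { if (ign) have_ignore = 1 }
            else if (!ign) allowed[$2] = 1      # more specific entry wins
            next
        }
        $1 == "server" || $1 == "peer" { upstream[$2] = 1 }
        END {
            if (!have_ignore) { print "MISSING: restrict default ignore"; exit 1 }
            rc = 0
            for (h in upstream) if (!(h in allowed)) {
                print "BLOCKED: " h " has no restrict entry of its own"
                rc = 2
            }
            if (rc == 0) print "OK"
            exit rc
        }
    ' "$1"
}

# Constructed sample configurations (192.0.2.10 is a documentation address).
sample_conf() {
    case "$1" in
        open)     printf 'server 192.0.2.10\n' ;;
        partial)  printf 'server 192.0.2.10\nrestrict default ignore\n' ;;
        hardened) printf '%s\n' 'server 192.0.2.10  # upstream' \
                      'restrict default ignore' \
                      'restrict 192.0.2.10 nomodify notrap noquery' \
                      'restrict 127.0.0.1' ;;
    esac
}

for kind in open partial hardened; do
    f=$(mktemp) && sample_conf "$kind" > "$f"
    printf '%s: ' "$kind"; audit_ntp_conf "$f" || true
    rm -f "$f"
done
```

Run it against the real file with: audit_ntp_conf /etc/ntp.conf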

Solution
========
Upgrade to patched packages, or patch the code yourself and recompile.
ntp.org has not yet released a new official version.

Debian 2.2 (potato)
-------------------
upgrade to the following two packages:
ntp_4.0.99g-2potato1_i386.deb and ntpdate_4.0.99g-2potato1_i386.deb

Mandrake 6.x
------------
rpm -Fvh xntp3-5.93-9.4mdk.i586.rpm

Mandrake 7.0
------------
rpm -Fvh xntp3-5.93-9.3mdk.i586.rpm

Mandrake 7.1
------------
rpm -Fvh ntp-4.0.99k-3.1mdk.i586.rpm xntp3-5.93-9.1mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh ntp-4.0.99k-3.1mdk.i586.rpm xntp3-5.93-9.2mdk.i586.rpm

All other distributions
-----------------------
If you have ntp installed (check: "rpm -qa | grep ntp") and you cannot
use the workaround, do the following (everything that follows a # is to be
understood as a command to be entered at the keyboard):
1) download ntp-4.0.99k.tar.gz (e.g., from http://www.ntp.org) and save it,
   e.g., in /tmp.
2) # cd /usr/local/src
   # tar xzvf /tmp/ntp-4.0.99k.tar.gz
3) save everything between the following ============ lines in a file
   /usr/local/src/ntp-4.0.99k/ntp.patch

===========================================================================
--- ntpd/ntp_control.c       2000/04/22 14:53:15     1.1.1.2
+++ ntpd/ntp_control.c       2001/04/05 02:08:01     1.2
@@ -1821,9 +1821,22 @@
 					while (cp < reqend &&
 					    isspace((int)*cp))
 						cp++;
-					while (cp < reqend && *cp !=
-					    ',')
+					while (cp < reqend && *cp != ',') {
						*tp++ = *cp++;
+						if (tp >=
+						    buf + sizeof(buf) - 1) {
+#if 0  /* don't syslog for now - DoS potential on filling syslog */
+                                                       msyslog(LOG_WARNING,
+    "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+    (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+    ntohs(rmt_addr->sin_port));
+#endif
+							return (0);
+						}
+					}
					if (cp < reqend)
						cp++;
					*tp = '\0';
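
Review bot: in the new while loop the bound test "if (tp >= buf + sizeof(buf) - 1)" runs after the store "*tp++ = *cp++;", so the loop is only safe if tp is strictly inside buf when it is entered, and these lines do not show where tp is initialised. Testing the bound before the store would make the loop safe on its own terms. The "#if 0" msyslog block also leaves the "return (0)" path silent, so an operator gets no record of a rejected request; a rate-limited message or a counter would answer the log-filling concern stated in the comment without carrying dead code.
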
===========================================================================
  
  (this is a patch from NetBSD, the Debian patch is almost identical).

4) # patch -b -p0 < ntp.patch
5) # CC=gcc ./configure
6) # make > make.log 2>&1
7) check make.log for errors (warnings are ok).
8) # make install > install.log 2>&1
   (the install.log file will tell you which files got installed. Most files
    will be in /usr/local/bin/ntp*. You can then later remove the files, if
    you wish to install an upgrade for your distribution).
9) restart ntpd