Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.139 -- NetBSD Security Advisory 2001-004
NTP remote buffer overflow
9 April 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ntp
Vendor: NetBSD
Operating System: NetBSD
BSD
Unix
Impact: Root Compromise
Access Required: Remote
Ref: ESB-2001.138
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2001-004
=================================
Topic: NTP remote buffer overflow
Version: All versions running the NTP time service
Severity: Potential remote root execution compromise
Fixed: Thursday 5 April, 2001
Abstract
========
The NTP time synchronisation service shipped with NetBSD and many
other systems is vulnerable to a buffer-overflow attack. This
vulnerability may lead to arbitrary code execution as the user running
the NTP daemon, usually root.
Technical Details
=================
Technical details of the bug were announced on the bugtraq mailing
list, and are not replicated here. The posting archive can be found
at:
http://www.securityfocus.com/archive/1/174011
Known exploit code has been published for other operating systems, and
leads to a remote root compromise on those systems. This exploit
causes a denial of service, crashing the NTP daemon, when run against
a NetBSD system. The capability to exploit the vulnerability and
execute code has not yet been confirmed on NetBSD, though it is
presumed to exist. It is likely that minor alterations to the detail
of the published exploit code will produce a viable remote root attack.
Note that source addresses of NTP UDP time packets are easily forged,
so IP address based restrictions on incoming NTP traffic are likely to
be of limited value.
Solutions and Workarounds
=========================
The patch attached below has been incorporated into NetBSD-current,
and pulled up into the NetBSD 1.4 and 1.5 release branches.
Unless systems depend critically on NTP for very accurate time, or
have very poor local clocks, the NetBSD project recommends that
running NTP daemons be temporarily disabled immediately, to prevent
the risk of compromise while fixes are being applied. Users should
make their own judgement, but most systems should be able to run for
several days without significant clock drift. This allows
administrators flexibility in managing the update and change process.
Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.3 before applying the fixes described here.
Systems running NetBSD-current dated from before 2001-04-05 should be
upgraded to NetBSD-current dated 2001-04-05 or later.
Systems running NetBSD releases 1.4.x or 1.5 should apply the
following patches. These patches have been pulled up to the release
branches, users tracking the release branches should update to a code
newer than 2001-04-05. The two patches are the same, apart from some
formatting differences and relocation of the file that occurred in the
interim.
Note: the syslog()ing code in the original patch from FreeBSD is
disabled but included, as some people may want to enable syslog()ing
the source of the bad packets. This was disabled in NetBSD to prevent
a potential resource exhaustion DoS against syslog, and as the address
is likely to be spoofed.
For NetBSD-1.5:
apply the following patch to /usr/src/dist/ntp/ntpd/ntp_control.c
- - --- ntp_control.c 2000/04/22 14:53:15 1.1.1.2
+++ ntp_control.c 2001/04/05 02:08:01 1.2
@@ -1812,9 +1812,22 @@
while (cp < reqend &&
isspace((int)*cp))
cp++;
- - - while (cp < reqend && *cp !=
- - - ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp >=
+ buf + sizeof(buf) - 1) {
+#if 0 /* don't syslog for now - DoS potential on filling syslog */
+ msyslog(LOG_WARNING,
+ "Attempted "ntpdx" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)
",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port));
+#endif
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '�';
For NetBSD-1.4.x:
apply the following patch to /usr/src/usr.sbin/xntp/xntpd/ntp_control.c
- - --- ntp_control.c 1998/08/27 20:31:02 1.6
+++ ntp_control.c 2001/04/05 01:50:18
@@ -1757,8 +1757,22 @@ ctl_getitem(var_list, data)
tp = buf;
while (cp < reqend && isspace(*cp))
cp++;
- - - while (cp < reqend && *cp != ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp >=
+ buf + sizeof(buf) - 1) {
+#if 0 /* don't syslog for now - DoS potential on filling syslog */
+ msyslog(LOG_WARNING,
+ "Attempted "ntpdx" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)
",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port));
+#endif
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '�';
Thanks To
=========
Przemyslaw Frasunek for discovering and publicising the issue.
Poul-Henning Kamp and Dima Ruban for fixes from the FreeBSD tree.
Jason Thorpe for changes to not overrun the end of the static buffer
and disabling syslog(). Simon Burge for responding to the incident
and applying the fixes.
Revision History
================
2001-04-05 Initial Release
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2001-004.txt,v 1.5 2001/04/05 13:08:39 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOsxgTz5Ru2/4N2IFAQHTfgP/Y3+71mnsXLllQwjwU7l0qPhbIduQdm+b
RmGLv+lyXfTgNZaU4o9IufKUWyq8+rDvxckiTG/P7VtLhx9C8JgBjy0Kwu9bc0B5
sVYBWrytnkTDlcHlxD7CEsRFc/ygYvVZhYWdQP6NK8BsnwC04RHwtc6BD/UzF8aH
jaHZ38ilLJQ=
=uW91
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOtHVeCh9+71yA2DNAQED5gP+LHAVySRQf10uKVJ7ydzuoJx1UJd5N3qK
w7FuRRGrOJDeHOl0QPdvgP291l5uJqqyO+/uf4a67jqLhgl4r6/z0bnI/3+xHOrB
EODKZrw3+zzxGBR+q5BQii0A+7z/7z4/HcyX/8GE0lJRr8peMWP9W9BIJ1pfvCD4
Wy2W6etP8DU=
=kVu3
-----END PGP SIGNATURE-----