6336443 2001-04-06 17:04 -0400 /35 lines/ Dick St.Peters <stpeters@NETHEAVEN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:15 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: stpeters@NETHEAVEN.COM
Recipient: Bugtraq (import) <16396>
Comment on text 6328704 by Stephen Clouse <stephenc@THEIQGROUP.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: "Dick St.Peters" <stpeters@NETHEAVEN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <15054.12126.326386.788772@saint.heaven.net>

Stephen Clouse writes:
> Having no effect on ntp-4.0.99k compiled from official source on Slackware
> 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash
> mode didn't change).

Run "ntpq -c rv hostname" and you'll see it does have an effect, just not a fatal one.

$ ntpq -c rv min0
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.0.99k Thu Apr 5 13:59:58 EDT 2001 (1)", processor="i586",
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?wM-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P,
leap=00, stratum=3, precision=-17, rootdelay=27.130, rootdispersion=60.163,
peer=40365, refid=extreme.heaven.net,
reftime=be78ab69.f8c7192e Fri, Apr 6 2001 16:54:01.971, poll=10,
clock=be78acb0.8b546d3f Fri, Apr 6 2001 16:59:28.544, state=4, phase=0.235,
frequency=78.946, jitter=7.984, stability=0.008

That's against ntpd/4.0.99k on RedHat/Immunix, not Slackware, but I doubt that matters since the same thing happens to ntpd/4.0.9k on an old Sparc II running SunOS4.1.3.

--
Dick St.Peters, stpeters@NetHeaven.com
Gatekeeper, NetHeaven, Saratoga Springs, NY
Saratoga/Albany/Amsterdam/BoltonLanding/Cobleskill/Greenwich/
GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
Oldest Internet service based in the Adirondack-Albany region
(6336443) /Dick St.Peters <stpeters@NETHEAVEN.COM>/(Reflowed)

6336445 2001-04-06 22:36 -0400 /16 lines/ Erik Fichtner <techs@OBFUSCATION.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:15 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: techs@obfuscation.org
Recipient: Bugtraq (import) <16397>
Comment on text 6329452 by Durval Menezes <durval@TMP.COM.BR>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
On Fri, Apr 06, 2001 at 08:38:18AM -0300, Durval Menezes wrote:
> If it's really vulnerable, shouldn't it have at least dumped core?

Not necessarily. 4.0.99k on OpenBSD-2.8/i386 happily kept on chugging when I poked it with this exploit (all three demo offset variants, btw), and this is not any special magic "audited by OpenBSD" version of ntp or anything like that.

We know 4.0.99k is vulnerable, though.

--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable."
-- George Bernard Shaw
(6336445) /Erik Fichtner <techs@OBFUSCATION.ORG>/(Reflowed)
Attachment (application/pgp-signature) in text 6336446

6336446 2001-04-06 22:36 -0400 /10 lines/ Erik Fichtner <techs@OBFUSCATION.ORG>
Imported: 2001-04-09 09:15 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: techs@obfuscation.org
Recipient: Bugtraq (import) <16398>
Attachment (text/plain) to text 6336445
Subject: Attachment to: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
(6336446) /Erik Fichtner <techs@OBFUSCATION.ORG>/---

6336481 2001-04-06 16:55 -0400 /19 lines/ Chris Faulhaber <jedgar@FXP.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jedgar@FXP.ORG
Recipient: Bugtraq (import) <16399>
Comment on text 6329325 by Phil Stracchino <alaric@BABCOM.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote:
> On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> > There is only a patch for the NTP software from
> > http://phk.freebsd.dk/patch/ntpd.patch.
>
> I just tried applying this patch against ntp-4.0.99k, and it fails.
>

That would be because that patch is against ntp-4.0.99b (which is the version in FreeBSD 4.x). See http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/net/ntp/files/patch-ntp_control.c for a patch against ntp-4.0.99k.

--
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
(6336481) /Chris Faulhaber <jedgar@FXP.ORG>/(Reflowed)
Attachment (application/pgp-signature) in text 6336482

6336482 2001-04-06 16:55 -0400 /10 lines/ Chris Faulhaber <jedgar@FXP.ORG>
Imported: 2001-04-09 09:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jedgar@FXP.ORG
Recipient: Bugtraq (import) <16400>
Attachment (text/plain) to text 6336481
Subject: Attachment to: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
(6336482) /Chris Faulhaber <jedgar@FXP.ORG>/--------

6336607 2001-04-06 22:43 -0400 /85 lines/ Erik Fichtner <techs@OBFUSCATION.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:53 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: techs@obfuscation.org
Recipient: Bugtraq (import) <16402>
Comment on text 6329325 by Phil Stracchino <alaric@BABCOM.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote:
> On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> > There is only a patch for the NTP software from
> > http://phk.freebsd.dk/patch/ntpd.patch.
>
> I just tried applying this patch against ntp-4.0.99k, and it fails.

The patch does not *cleanly* apply, as the offsets in the file and the formatting is completely different, but if you read the patch and the source, you can apply it by hand fairly well.
However, to save time and frustration, this is a diff with very wide context of the important piece as applied to 4.0.99k...

--- ntp-4.0.99k/ntpd/ntp_control.c Sat Jul 15 10:46:05 2000
+++ ntp-4.0.99k-emf-2001040501/ntpd/ntp_control.c Thu Apr 5 23:15:52 2001
@@ -1799,53 +1799,55 @@ while (!(v->flags & EOV)) { if (!(v->flags & PADDING) && *cp == *(v->text)) { tp = v->text; while (*tp != '\0' && *tp != '=' && cp < reqend && *cp == *tp) { cp++; tp++; } if ((*tp == '\0') || (*tp == '=')) { while (cp < reqend && isspace((int)*cp)) cp++; if (cp == reqend || *cp == ',') { buf[0] = '\0'; *data = buf; if (cp < reqend) cp++; reqpt = cp; return v; } if (*cp == '=') { cp++; tp = buf; while (cp < reqend && isspace((int)*cp)) cp++; - while (cp < reqend && *cp != - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + /* avoid buffer overflow */ + if (tp > buf + sizeof(buf)) return(0); + } if (cp < reqend) cp++; *tp = '\0'; while (isspace((int)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf; return (v); } } cp = reqpt; } v++; } return v; } /* * control_unspec - response to an unspecified op-code */ /*ARGSUSED*/ static void control_unspec( struct recvbuf *rbufp, -- Erik Fichtner; Unix Ronin http://www.obfuscation.org/techs/ "The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable." 
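Review bot: the bound check in the added lines is off by one and runs after the store. The loop body is `*tp++ = *cp++;` followed by `if (tp > buf + sizeof(buf)) return(0);`, so the byte at buf[sizeof(buf)] has already been written by the time the check fires, and a value of exactly sizeof(buf) bytes leaves tp == buf + sizeof(buf) without triggering it, so the following `*tp = '\0';` also lands one past the end. The comparison should be `tp >= buf + sizeof(buf)`. The early `return(0)` also turns the function's usual pointer return (`return v;`) into a NULL, which every caller of this routine must now check; the hunk does not show those callers, so that should be verified separately.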
-- George Bernard Shaw
(6336607) /Erik Fichtner <techs@OBFUSCATION.ORG>/(Reflowed)
Attachment (application/pgp-signature) in text 6336608

6336608 2001-04-06 22:43 -0400 /10 lines/ Erik Fichtner <techs@OBFUSCATION.ORG>
Imported: 2001-04-09 09:53 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: techs@obfuscation.org
Recipient: Bugtraq (import) <16403>
Attachment (text/plain) to text 6336607
Subject: Attachment to: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
(6336608) /Erik Fichtner <techs@OBFUSCATION.ORG>/---

6336795 2001-04-09 10:24 /4 lines/ Nixon (remontado)
Comment on text 6323277 by Ogle Ron (Rennes) <OgleR@THMULTI.COM>
Recipient: Cracking erfarenhetsutbyte <11327>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
That patch is included in ntp-4.0.99k23, which has been available since the weekend at http://www.ntp.org/. The man could have mentioned something about it in the ChangeLog, but no, not him.
(6336795) /Nixon (remontado)/-----------------------

6336635 2001-04-07 11:18 -0400 /26 lines/ Viraj Alankar <valankar@IFXCORP.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:57 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: valankar@IFXCORP.COM
Recipient: Bugtraq (import) <16404>
Comment on text 6315271 by Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Viraj Alankar <valankar@IFXCORP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.31.0104071107020.18358-100000@home.ifxcorp.com>

On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:
> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

Attempting this on a Redhat 6.2 system with xntp3-5.93 did not seem to execute /tmp/sh or crash immediately, but it did cause some corruption in xntpd as can be seen below.

/usr/sbin/ntpq localhost
ntpq> rl
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?wM-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P,
leap=00, stratum=4, rootdelay=78.70, rootdispersion=98.05, peer=12340,
refid=my.ntp.server, reftime=be79abbf.f4677000 Sat, Apr 7 2001 11:07:43.954,
poll=6, clock=be79abfe.47251000 Sat, Apr 7 2001 11:08:46.277, phase=0.317,
freq=41029.82, error=0.12
ntpq>

Viraj.
(6336635) /Viraj Alankar <valankar@IFXCORP.COM>/(Reflowed)

6336642 2001-04-06 23:33 +0200 /46 lines/ Casper Dik <Casper.Dik@SUN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 09:58 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Casper.Dik@SUN.COM
Recipient: Bugtraq (import) <16405>
Comment on text 6329319 by Alexander Gall <gall@SWITCH.CH>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Casper Dik <Casper.Dik@SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200104062133.XAA23167@romulus.Holland.Sun.COM>

>char shellcode[]=
>"\x90\x10\x20\x00" /* mov 0, %o0 */
>"\x82\x10\x20\x17" /* mov 23, %g1 */
>"\x91\xd0\x20\x08" /* ta 8 -> setuid(0) */
>"\x30\x80\x00\x07" /* ba,a bounce */
>"\x90\x03\xe0\x08" /* start: add %o7, 8, %o0 */
>"\x92\x03\xa0\x40" /* add %sp, 64, %o1 */
>"\xd0\x22\x40\x00" /* st %o0, [%o1] */
>"\xc0\x22\x60\x04" /* st %g0, [%o1+4] */
>"\x82\x10\x20\x0b" /* mov 11, %g1 */
>"\x91\xd0\x20\x08" /* ta 8 -> exec() */
>"\x7f\xff\xff\xfa" /* bounce: call start */
>"\x01\x00\x00\x00" /* nop */
>"/bin/touch /tmp/test";
>
>I don't know if you are aware of this, but simply replacing the shellcode in
>the exploit won't work because of the differing layout of a stack frame on
>SPARC.

I don't think it accepts NUL bytes in shellcode.

>I have also verified that xntpd 3.4y crashes on Solaris 8 with SIGSEGV.
>However, when I looked at the core dump I had the impression that this is
>*not* due to a buffer overflow because I couldn't find any of the symptoms
>that I would expect in such a case (jump to never-never land because the
>overwritten return address on the stack is garbage, %l and %i registers
>filled with data from the buffer). I didn't look too hard though, so I may
>be wrong.

It's a static buffer overflow, not a stack buffer one, so don't expect a corrupted stack as a direct result of this overflow. I haven't looked at the layout of the executable so I don't know what's after the particular static buffer.

We are working on a fix regardless of whether it is exploitable or not.
Casper
(6336642) /Casper Dik <Casper.Dik@SUN.COM>/---------

6336717 2001-04-06 14:15 -0700 /66 lines/ Crist Clark <crist.clark@GLOBALSTAR.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 10:13 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: crist.clark@GLOBALSTAR.COM
Recipient: Bugtraq (import) <16407>
Comment on text 6329452 by Durval Menezes <durval@TMP.COM.BR>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3ACE31F2.FE41292C@globalstar.com>

Durval Menezes wrote:
>
> Hello,
>
> On Fri, Apr 06, 2001 at 12:24:53AM -0400, Erik Fichtner wrote:
> > On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
> > > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> > > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> > > root shell was spawned, and the daemon stayed up. An "strace" of the running
> > > xntpd process confirmed this: no exec syscalls were attempted.
> >
> > [...]
> >
> > > Another vindication for those (like me) that don't like to run the
> > > "latest and greatest" versions of any code ....
> >
> > False hope, man.
> >
> > xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has,
> > with the same char buf[128] that is poked at in the exact same way.
> > (line 1733 of xntpd/ntp_control.c)
> >
> > It's just a matter of fiddling with it until it's breakable on your
> > particular system.
>
> If it's really vulnerable, shouldn't it have at least dumped core?

[snip]

> But you are right, I should have checked. Will do it ASAP: compiling
> and running a "-g" version under GDB (or else inserting a few well-placed
> printf/syslog()'s) and exercising the attack should do it. My theory right
> now (without looking at the source code) is that the exploit has not worked
> because something else in the code (outside of ctl_getitem()) has prevented
> it.

I downloaded xntpd 3.5, built it on FreeBSD-STABLE, and gave it a shot after you mentioned yours did not die. I got the same results. It stays alive. I only looked at the xntpd debug output (not a debugger like gdb), but it looked like the query was getting truncated before the reply was formulated. The buffer overflow takes place while formulating the reply.
IIRC, the incoming query was always reported to be 500 bytes in the debug output no matter how big I actually made it. Again, I got diverted to more important things before I could put it in gdb and wrap my head around the source code to figure out what it all meant. But it might be a place to start. Look for the incoming query being truncated early on.

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com
(6336717) /Crist Clark <crist.clark@GLOBALSTAR.COM>/(Reflowed)

6336796 2001-04-07 09:26 +0200 /21 lines/ Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 10:24 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: venglin@FREEBSD.LUBLIN.PL
Recipient: Bugtraq (import) <16408>
Comment on text 6328704 by Stephen Clouse <stephenc@THEIQGROUP.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010407092643.Q856@riget.scene.pl>

On Thu, Apr 05, 2001 at 10:56:45PM -0500, Stephen Clouse wrote:
> Having no effect on ntp-4.0.99k compiled from official source on Slackware
> 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash
> mode didn't change).

As I said, exploiting this overflow isn't so easy -- offset and align values vary from platform to platform. Exploit was tested only on bare RedHat 7.0 and FreeBSD 4.2-STABLE compiled with -O6 -fomit-frame-pointer -march=pentiumpro.

Did your ntpd segfault after running the exploit?

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
(6336796) /Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>/(Reflowed)

6336855 2001-04-06 18:29 +0100 /31 lines/ Athanasius <Athanasius@MIGGY.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 10:33 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Athanasius@MIGGY.ORG
Recipient: Bugtraq (import) <16409>
Comment on text 6323528 by Charles Sprickman <spork@INCH.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Athanasius <Athanasius@MIGGY.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010406182915.A18289@miggy.org>

On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
> On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:
>
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Just a quick note to save others a bit of legwork... If you are running
> ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> should keep people away:
>
> restrict default ignore

If you want ntpq to be useable to check the local ntp daemon you'll want to add something like:

restrict 127.0.0.1

This, of course, assumes you have some other filtering restricting loopback addresses to the loopback interface only.

-Ath

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
(6336855) /Athanasius <Athanasius@MIGGY.ORG>/-------

6337008 2001-04-06 16:53 -0400 /21 lines/ William W. Arnold <warnold@VIPNET.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 10:53 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: warnold@VIPNET.ORG
Recipient: Bugtraq (import) <16412>
Comment on text 6329325 by Phil Stracchino <alaric@BABCOM.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: "William W. Arnold" <warnold@VIPNET.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200104062053.QAA22577@kasumi.vipnet.org>

Phil Stracchino writes ---
>On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
>> There is only a patch for the NTP software from
>> http://phk.freebsd.dk/patch/ntpd.patch.
>
>I just tried applying this patch against ntp-4.0.99k, and it fails.

ntp-4.0.99k has had all its longer lines wrapped. You can apply the patch manually at line 1824 instead of 1649. (Or at least that looks like the correct location)

--
-billy-
warnold@vipnet.org
Senior Systems Administrator
Virginia Interactive
(6337008) /William W. Arnold <warnold@VIPNET.ORG>/--

6337231 2001-04-07 20:29 -0500 /54 lines/ Stephen Clouse <stephenc@THEIQGROUP.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 11:22 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: stephenc@THEIQGROUP.COM
Recipient: Bugtraq (import) <16413>
Comment on text 6336796 by Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Stephen Clouse <stephenc@THEIQGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010407202911.A8759@owns.warpcore.org>

On Sat, Apr 07, 2001 at 09:26:43AM +0200, Przemyslaw Frasunek wrote:
> As I said, exploiting this overflow isn't so easy -- offset and align
> values vary from platform to platform. Exploit was tested only
> on bare RedHat 7.0 and FreeBSD 4.2-STABLE compiled with -O6 -fomit-frame-pointer
> -march=pentiumpro.
>
> Did your ntpd segfaulted after running an exploit?

Nope, it keeps running normally -- it's still in perfect sync with our main time server. I am now noticing that it definitely overflows *something*, though -- someone pointed out querying the local ntpd's status:

status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,
version="ntpd 4.0.99k Sun Apr 1 04:00:13 CDT 2001 (2)", processor="i686",
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^
GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/
tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?w
M-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^P, leap=00, stratum=5, precision=-17, rootdelay=217.951,
rootdispersion=153.179, peer=21044, refid=fs1.theiqgroup.com,
reftime=be7a357a.7fa615a8 Sat, Apr 7 2001 19:55:22.498, poll=9,
clock=be7a364e.b7422467 Sat, Apr 7 2001 19:58:54.715, state=4, phase=0.224,
frequency=-4.567, jitter=0.042, stability=0.004

So the initial assessment is probably wrong. However, I wasted a whole afternoon searching and cannot for the life of me find the offset where this data ends up....

--
Stephen Clouse <stephenc@theiqgroup.com>
Senior Programmer, IQ Coordinator Project Lead
The IQ Group, Inc.
<http://www.theiqgroup.com/>
(6337231) /Stephen Clouse <stephenc@THEIQGROUP.COM>/(Reflowed)

6337556 2001-04-07 02:45 +0700 /82 lines/ Fyodor <fygrave@TIGERTEAM.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 12:17 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: fygrave@TIGERTEAM.NET
Recipient: Bugtraq (import) <16416>
Comment on text 6323794 by Matt Collins <matt@CLUES.COM>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Fyodor <fygrave@TIGERTEAM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010407024502.R413@tigerteam.net>

On Thu, Apr 05, 2001 at 03:30:42PM +0100, Matt Collins wrote:
> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> > Przemyslaw Frasunek wrote:
> > >
> > > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
> >
> > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
> >
> > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> > caused it to seg. fault and core. No time to double-check if that is actually
> > exploitable at this moment. How many NTP distributions are based off of the
> > vulnerable code? With the small payload, gaining access might be hard, but
> > the potential for DoS looks pretty easy.
>
> We've taken a peek at getting sparc shellcode working with this. Getting
> it in below the 70 byte buffer size is tricky.
>
> Does anybody out there have working shellcode for this that can do *anything*
> to the state of the system even if it doesnt lead to full sploit? (beyond
> making ntp core of course ;) )
>

Yep. I am still testing the piece with modified (former) 11 byte x86 shellcode from S. Krahmer. By executing /bin/sh -c <stuff> you could do quite a bit of things there. :))

And an additional notice (didn't see that it was mentioned on the list yet), it looks like at least the Solaris 2.7/sparc xntpd daemon is vulnerable as well; a quick test shows:

# uname -a
SunOS sunbox 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
..
#/usr/lib/inet/xntpd
...
# tail /var/adm/messages
Apr 6 12:18:18 sunbox xntpd[28711]: xntpd version=3.4y (beta multicast); Fri Aug 23 19:54:40 PDT 1996 (2)
Apr 6 12:18:18 sunbox xntpd[28711]: tickadj = 625, tick = 10000, tvu_maxslew = 61875
..
# gdb /usr/lib/inetd/xntpd `ps -ef | grep xntpd | grep -v grep | awk '{ print $2}'`
GNU gdb 4.18
..
Symbols already loaded for /usr/lib/libmp.so.2
Symbols already loaded for /usr/lib/libaio.so.1
Symbols already loaded for /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
0xff21758c in _sigsuspend () from /usr/lib/libc.so.1
(gdb)cont
Continuing.

Program received signal SIGBUS, Bus error.
0x1df6c in ?? ()
(gdb) info reg
g0 0x0 0
g1 0x65000 413696
..
l0 0xff237ee8 -14450968
l1 0x41414145 1094795589
l2 0x0 0
...
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x7 7
i3 0x56b84 355204
i4 0xc 12
i5 0x41414141 1094795585
fp 0xffbefc70 -4260752
i7 0x19244 102980
...
blah..

Looks like that with a bit of tuning we could sploit it here as well..

-Fyodor
(6337556) /Fyodor <fygrave@TIGERTEAM.NET>/(Reflowed)

6340823 2001-04-09 09:31 -0600 /28 lines/ William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 20:34 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wcolburn@NMT.EDU
Recipient: Bugtraq (import) <16420>
Subject: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
From: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010409093145.A31146@nmt.edu>

I haven't seen an announcement anywhere, but I noticed it on the FTP server this morning. It is dated Friday evening.

ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz

I tried it out with the exploit posted by "babcia padlina ltd. <venglin@freebsd.lublin.pl>" and it seems to be safe. I never had a machine that the exploit worked against, but my ntp servers would exit with a segfault when it was run against them. The new server does not exit.

I am sending a copy of this message to Dr. Mills, in the hopes that he can confirm for us that k23 is a final, fixed, version for this exploit.

Also, someone on the ntp newsgroup this weekend said that the FreeBSD patch prevented the overflow, but still corrupted data because of an off by one error.

--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
(6340823) /William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>/(Reflowed)

6341779 2001-04-09 15:38 +0100 /38 lines/ David L. Mills <mills@UDEL.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09 23:50 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mills@UDEL.EDU
Recipient: Bugtraq (import) <16426>
Comment on text 6340823 by William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Subject: Re: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
From: "David L. Mills" <mills@UDEL.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AD1C975.6B4A21A7@udel.edu>

William,

The tarball was a panic release including the security fix, but has not been thoroughly reviewed by our QA team. That's why the weird version number. Expect a new release in a couple of days.

Dave

"William D. Colburn (aka Schlake)" wrote:
>
> I haven't seen an announcement anywhere, but I noticed it on the FTP
> server this morning. It is dated Friday evening.
>
> ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
>
> I tried it out with the exploit posted by "babcia padlina
> ltd. <venglin@freebsd.lublin.pl>" and it seems to be safe. I never had
> a machine that the exploit worked against, but my ntp servers would exit
> with a segfault when it was run against them. The new server does not
> exit.
>
> I am sending a copy of this message to Dr. Mills, in the hopes that he can
> confim for us that k23 is a final, fixed, version for this exploit.
>
> Also, someone on the ntp newsgroup this weekend said that the FreeBSD
> patch prevented the overflow, but still corrupted data because of an off
> by one error.
>
> --
> William Colburn, "Sysprog" <wcolburn@nmt.edu>
> Computer Center, New Mexico Institute of Mining and Technology
> http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
(6341779) /David L. Mills <mills@UDEL.EDU>/(Reflowed)

6342072 2001-04-09 13:54 +0200 /21 lines/ Maciej W. Rozycki <macro@DS2.PG.GDA.PL>
Sent by: joel@lysator.liu.se
Imported: 2001-04-10 03:51 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: macro@DS2.PG.GDA.PL
Recipient: Bugtraq (import) <16433>
Comment on text 6336607 by Erik Fichtner <techs@OBFUSCATION.ORG>
Subject: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: "Maciej W. Rozycki" <macro@DS2.PG.GDA.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.3.96.1010409131846.9470D-100000@delta.ds2.pg.gda.pl>

On Fri, 6 Apr 2001, Erik Fichtner wrote:

> + /* avoid buffer overflow */
> + if (tp > buf + sizeof(buf)) return(0);
> + }

There is an off-by-one error here. The above conditional should read as follows:

if (tp >= buf + sizeof(buf)) return(0);

--
+ Maciej W. Rozycki, Technical University of Gdansk, Poland +
+--------------------------------------------------------------+
+ e-mail: macro@ds2.pg.gda.pl, PGP key available +
(6342072) /Maciej W. Rozycki <macro@DS2.PG.GDA.PL>/(Reflowed)

6348421 2001-04-10 11:52 -0700 /28 lines/ Crist Clark <crist.clark@GLOBALSTAR.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-11 08:56 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: crist.clark@GLOBALSTAR.COM
Recipient: Bugtraq (import) <16460>
Comment on text 6346247 by Chiaki Ishikawa <Chiaki.Ishikawa@PERSONAL-MEDIA.CO.JP>
Subject: Re: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
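[Editor's added example; not part of any message in this thread and not code from the ntp project.] The off-by-one that Maciej W. Rozycki points out above, and the unchecked copy loop it guards, modelled in C: a stand-in for the value-copy loop of ctl_getitem() with a 128-byte buf, run with no check, with the `>` check from the posted diff, and with the `>=` correction, counting how many bytes land past the buffer. The function names (copy_value, run_case), the canary-filled backing array and the "AAAA...,x" request are constructs of this example, not of ntpd.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ   128   /* size of buf[] in ctl_getitem() as discussed in the thread */
#define BACKING 512   /* constructed: room behind buf so the unchecked copy stays in one array */
#define CANARY  0xAA  /* constructed fill byte: never equal to 'A' (0x41) or NUL */

enum check_mode {
    CHECK_NONE, /* the original loop: no bound check at all            */
    CHECK_GT,   /* posted diff: if (tp >  buf + sizeof(buf)) return(0); */
    CHECK_GE    /* correction:  if (tp >= buf + sizeof(buf)) return(0); */
};

/*
 * copy_value: stand-in for the value-copy loop of ctl_getitem().  Copies the
 * bytes from cp up to the next ',' (or reqend) into buf, NUL-terminates and
 * strips trailing whitespace.  Returns the length stored, or -1 where the
 * original returns 0 (a NULL pointer) because the bound check fired.
 */
static int copy_value(const char *cp, const char *reqend,
                      char *buf, size_t bufsz, enum check_mode mode)
{
    char *tp = buf;

    while (cp < reqend && isspace((unsigned char)*cp))
        cp++;
    while (cp < reqend && *cp != ',') {
        *tp++ = *cp++;                              /* store first ...              */
        if (mode == CHECK_GT && tp > buf + bufsz)   /* ... then check: one byte late */
            return -1;
        if (mode == CHECK_GE && tp >= buf + bufsz)  /* stops before buf[bufsz]      */
            return -1;
    }
    *tp = '\0';                     /* lands on buf[bufsz] when tp == buf + bufsz */
    while (tp > buf && isspace((unsigned char)tp[-1]))  /* tp > buf guard is ours */
        *(--tp) = '\0';
    return (int)(tp - buf);
}

/*
 * run_case: builds a constructed request of value_len 'A's followed by ",x",
 * runs copy_value() against a BUFSZ-byte buf at the front of a canary-filled
 * backing array, and returns how many bytes were written past buf[BUFSZ - 1].
 * *rc receives copy_value()'s return value.
 */
static int run_case(size_t value_len, enum check_mode mode, int *rc)
{
    char backing[BACKING];
    char req[BACKING];
    int overrun = 0;
    size_t i;

    if (value_len > BACKING - 2)
        value_len = BACKING - 2;
    memset(backing, CANARY, sizeof backing);
    memset(req, 'A', value_len);
    memcpy(req + value_len, ",x", 2);

    *rc = copy_value(req, req + value_len + 2, backing, BUFSZ, mode);

    for (i = BUFSZ; i < sizeof backing; i++)
        if ((unsigned char)backing[i] != CANARY)
            overrun++;
    return overrun;
}

/* Convenience wrappers returning just one of run_case()'s two results. */
static int overrun_of(size_t value_len, enum check_mode mode)
{
    int rc;
    return run_case(value_len, mode, &rc);
}

static int result_of(size_t value_len, enum check_mode mode)
{
    int rc;
    run_case(value_len, mode, &rc);
    return rc;
}

int main(void)
{
    static const char *names[] = { "no check", "tp > end", "tp >= end" };
    static const size_t lens[] = { 10, 127, 128, 200 };
    int m;
    size_t j;

    printf("%-10s %6s %9s %8s\n", "check", "value", "returned", "overrun");
    for (m = CHECK_NONE; m <= CHECK_GE; m++)
        for (j = 0; j < sizeof lens / sizeof lens[0]; j++) {
            int rc, over = run_case(lens[j], (enum check_mode)m, &rc);
            printf("%-10s %6zu %9d %8d\n", names[m], lens[j], rc, over);
        }
    return 0;
}
```

A 128-byte value shows the second edge: the `>` check never fires, so the loop exits on the ',' and the terminating NUL is the byte that lands past the end.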
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AD35654.21D61A37@globalstar.com>

Chiaki Ishikawa wrote:
>
> Has anyone tested the exploit against embedded ntp implementations
> such as in Cisco router, for example, to see
> if the daemon would misbehave, etc.?

Cisco has said they are aware of the advisories and investigating the issue. That's all I know. I do not have a convenient sacrificial Cisco box at the moment... but I probably should go set one up for this and other games.

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
(6348421) /Crist Clark <crist.clark@GLOBALSTAR.COM>/(Reflowed)

6348438 2001-04-10 11:49 -0400 /26 lines/ stanislav shalunov <shalunov@INTERNET2.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-11 09:00 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: shalunov@INTERNET2.EDU
Recipient: Bugtraq (import) <16461>
Comment on text 6346247 by Chiaki Ishikawa <Chiaki.Ishikawa@PERSONAL-MEDIA.CO.JP>
Subject: Re: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
From: stanislav shalunov <shalunov@INTERNET2.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87bsq469h3.fsf@cain.internet2.edu>

Chiaki Ishikawa <Chiaki.Ishikawa@PERSONAL-MEDIA.CO.JP> writes:

> Has anyone tested the exploit against embedded ntp implementations
> such as in Cisco router, for example, to see if the daemon would
> misbehave, etc.?

I couldn't do anything to the NTP implementation of a Cisco router here
with the stock "ntpdx" exploit as it was posted. (It doesn't crash, it
doesn't exhibit the same heap corruption as xntpd v3.)

Which, of course, doesn't mean IOS isn't vulnerable. Crafting an exploit
that would do something useful (as opposed to make the router stop
serving time) would be quite difficult though without IOS internals
knowledge, so there's some consolation here.

--
Stanislav Shalunov http://www.internet2.edu/~shalunov/

Sex is the mathematics urge sublimated. -- M. C. Reed.
(6348438) /stanislav shalunov <shalunov@INTERNET2.EDU>/

6353327 2001-04-11 11:47 -0400 /25 lines/ Dick St.Peters <stpeters@NETHEAVEN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-11 22:21 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: stpeters@NETHEAVEN.COM
Recipient: Bugtraq (import) <16480>
Comment on text 6348421 by Crist Clark <crist.clark@GLOBALSTAR.COM>
Subject: Re: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
From: "Dick St.Peters" <stpeters@NETHEAVEN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <15060.31860.735648.792307@saint.heaven.net>

> > Has anyone tested the exploit against embedded ntp implementations
> > such as in Cisco router, for example, to see
> > if the daemon would misbehave, etc.?
>
> Cisco has said they are aware of the advisories and investigating the
> issue. That's all I know. I do not have a convenient sacrificial Cisco
> box at the moment... but I probably should go set one up for this
> and other games.

I tried the exploit against a cisco 2614/IOS 10.3 and a cisco 3640/IOS
12.0 when the exploit first came out, and there was no evidence of any
effect.

Since April 7 I've been running ntpd/4.99k23 on an assortment of Linux
systems and on a pair of antique Sparc 2's running SunOS 4.1.3. All seem
happy, are keeping good time, and are unaffected by the exploit.

--
Dick St.Peters, stpeters@NetHeaven.com
(6353327) /Dick St.Peters <stpeters@NETHEAVEN.COM>/

6353733 2001-04-11 03:28 -0600 /50 lines/ Chuck D. Phillips <cdp@PEAKPEAK.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-11 22:52 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: cdp@PEAKPEAK.COM
Recipient: Bugtraq (import) <16481>
Subject: Re: ntp-4.99k23.tar.gz is available
------------------------------------------------------------
From: "Chuck D. Phillips" <cdp@PEAKPEAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <15060.9155.127504.428633@localhost.localdomain>

William D. Colburn (aka Schlake) writes:

> I haven't seen an announcement anywhere, but I noticed it on the FTP
> server this morning. It is dated Friday evening.
>
> ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
>
> I tried it out with the exploit posted by "babcia padlina
> ltd. <venglin@freebsd.lublin.pl>" and it seems to be safe. I never had
> a machine that the exploit worked against, but my ntp servers would exit
> with a segfault when it was run against them. The new server does not
> exit.

FWIW, I downloaded Redhat's patched source RPM and compared them against
ntp-4.0.99k23. While this *particular* exploit appears to be fixed, there
are some other buffer overflows that are not fixed by k23 that are fixed
in the Redhat patches, in particular the use of vsnprintf instead of
vsprintf. Then again, the Redhat version may not catch all of these,
either. I didn't think to check at the time.

ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm

...or just grep the k23 source for vsprintf. Once you think to look, the
fixes are pretty obvious.

################################################################
# find ntp-4.0.99k23 -name \*.c | xargs grep vsprintf
./libntp/snprintf.c: rp = vsprintf(str, fmt, ap);
./libntp/snprintf.c: rval = vsprintf(str, fmt, ap);
./libntp/snprintf.c: return (strlen(vsprintf(str, fmt, ap)));
./libntp/snprintf.c: return (vsprintf(str, fmt, ap));
./libntp/msyslog.c: vsprintf(buf, nfmt, ap);
./ntpd/refclock_mx4200.c: (void)vsprintf(cp, fmt, ap);
./ntpdate/ntpdate.c:vsprintf(
./ntpdate/ntptimeset.c:int vsprintf P((char *str, const char *fmt, va_list ap));
./ntpdate/ntptimeset.c:vsprintf(
./ntptrace/ntptrace.c:vsprintf(
################################################################

FWIW, the Redhat version also syslog()s attempts to use the published
exploit. Hmmm. Perhaps a DoS is next for the "fixed" version. :-)

Hope this helps,
Chuck
(6353733) /Chuck D. Phillips <cdp@PEAKPEAK.COM>/(Rewrapped)
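Two fixed-buffer defects come up in this thread: the off-by-one in the quoted bounds check that Maciej W. Rozycki corrects (">" admits a pointer one past the end, ">=" does not), and the vsprintf() calls that Chuck's grep turns up, which have no idea how large their destination is. The C program below is an added example, not code from ntpd, from the Red Hat patch, or from any of the posters; the function names, buffer sizes and sample strings are my own. It shows the hardened vsnprintf() form with its truncation check, a byte-at-a-time copy whose bounds check is placed before every store, and an index-only simulation of the two comparisons so the off-by-one can be counted without overwriting real memory.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The pattern the grep above finds: vsprintf() is passed no size, so an
   over-long result runs past the end of whatever fmt is formatted into.
   Kept here only for contrast with format_bounded() below. */
int format_unbounded(char *buf, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);      /* no bound: classic stack/heap overflow */
    va_end(ap);
    return n;
}

/* Hardened form. vsnprintf() writes at most size bytes (NUL included) and
   returns the length the complete output would have had, so a return value
   >= size means the message was truncated rather than overflowed.
   Returns 1 if the whole message fit, 0 if it was cut short or size is 0. */
int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (needed < 0) {                /* encoding error: leave a sane empty string */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)needed < size;
}

/* Byte-at-a-time copy in the style of a hand-rolled tokenizer. The check
   sits before each store and uses ">=": tp == end is one past the last
   byte we own, and a check written as "tp > end" would let that store
   through. end - 1 is reserved for the terminating NUL.
   Returns 1 on success, 0 (with buf emptied) if src does not fit. */
int copy_bounded(char *buf, size_t size, const char *src)
{
    char *tp = buf;
    const char *end = buf + size;    /* one past the last byte of buf */

    if (size == 0)
        return 0;
    while (*src != '\0') {
        if (tp >= end - 1) {         /* the ">=" Maciej asks for */
            buf[0] = '\0';
            return 0;
        }
        *tp++ = *src++;
    }
    *tp = '\0';
    return 1;
}

/* Simulate the quoted check with an index instead of a pointer: apply either
   comparison before every store into a buffer of 'size' bytes and return how
   many stores land past the end. use_ge = 0 models "tp > buf + sizeof(buf)",
   use_ge = 1 models "tp >= buf + sizeof(buf)". */
size_t stores_past_end(size_t size, int use_ge)
{
    size_t tp = 0, stores = 0;

    for (;;) {
        int stop = use_ge ? (tp >= size) : (tp > size);
        if (stop)
            break;
        stores++;
        tp++;
    }
    return stores > size ? stores - size : 0;
}

int main(void)
{
    char buf[16];                    /* constructed sample buffer */

    printf("fit=%d buf=\"%s\"\n", format_bounded(buf, sizeof buf, "peer=%d", 40365), buf);
    printf("fit=%d buf=\"%s\"\n", format_bounded(buf, 8, "%s", "0123456789"), buf);
    printf("copied=%d\n", copy_bounded(buf, 8, "12345678"));
    printf("past end with '>': %zu, with '>=': %zu\n",
           stores_past_end(32, 0), stores_past_end(32, 1));
    return 0;
}
```

The simulation is the quickest way to see the bug in review: with ">" the loop stores size + 1 bytes, exactly one past the end, which is enough to clobber an adjacent variable or heap header; with ">=" it stores size bytes and stops. Note that format_unbounded() is never called here; it exists only so the two signatures can be compared side by side.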