[20042] in bugtraq


Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Tomasz Grabowski)
Thu Apr 5 23:08:24 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10104051358390.8483-100000@apollo.aci.com.pl>
Date:         Thu, 5 Apr 2001 14:08:42 +0200
Reply-To: Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
From: Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3ACBCF0D.847AECA4@globalstar.com>

On Wed, 4 Apr 2001, Crist Clark wrote:

> Przemyslaw Frasunek wrote:
> >
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

On IRIX 6.5.11 it also seg faults.

ntpq
ntpq> version
ntpq 3-5.93e Thu Dec 10 10:49:39 PST 1998 (1)
ntpq> quit

It's rather old, isn't it?
It's the default IRIX 6.5.11 installation.
