[20067] in bugtraq
Re: ntpd =< 4.0.99k remote buffer overflow
daemon@ATHENA.MIT.EDU (Erik Fichtner)
Fri Apr 6 15:48:12 2001
Mail-Followup-To: "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>,
BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010405223344.S1715@obfuscation.org>
Date: Thu, 5 Apr 2001 22:33:44 -0400
Reply-To: techs@obfuscation.org
From: Erik Fichtner <techs@obfuscation.org>
X-To: "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <05B4910E0216D411B14F00508B6A67A901213F7E@RENEXCH5.rennes.thmulti.com>; from OgleR@THMULTI.COM on Thu,
Apr 05, 2001 at 11:38:47AM +0200
On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> Until that time, we are blocking NTP access from the Internet (for those of
> us who use Internet stratum 1 servers) for the NTP protocol.
> I suggest that other people in the same situation do the same until a proper
> fix is made.
Unfortunately, the exploit makes a really handy local exploit for a user
who can already get a binary onto the system. Since the ntp server
will crash in its death throes, one can't really use it to fire a whole
sequence of commands into the system, but it's pretty easy to use it for
local privilege elevation. Good luck with firewalling that. ;)
Thanks for the link to a patch, though. It's worth looking at to see if it
really solves the problem or not.
Also, has anyone tested this exploit against ntp implementations on routers
and such? Some of us have to wait for a "maintenance window" before we
can potentially hork up a router.
--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw