Przemyslaw Frasunek wrote:
>
> /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */

Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
the stock 4.0.99b. FreeBSD has a fix in CURRENT already.

More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
caused it to seg. fault and core. No time to double-check if that is actually
exploitable at this moment. How many NTP distributions are based off of the
vulnerable code? With the small payload, gaining access might be hard, but
the potential for DoS looks pretty easy.

Playing with 'restrict' statements in the ntp.conf will prevent the
attacks (I tried, looks like it works), but with UDP NTP so trivial to
spoof, that only will get you so far. But can I assume that properly
using authorization keys will protect you from this attack (assuming
whoever else has the keys is trusted) in a similar way? My guess is
that it should, but I have not had the chance to double check the
protocol or actually run the test on that one.

But this is really troubling when trying to use a public NTP server.
--
Crist J. Clark                                Network Security Engineer
[EMAIL PROTECTED]                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
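
An added example, not part of the original message: a small audit of an ntp.conf for the 'restrict' posture discussed above. It assumes the overflow is reached through ntpd's control/query messages, which the `ignore` and `noquery` flags refuse; the message does not say which flags were tested, and the sample configurations are constructed.

```python
BLOCKS_QUERIES = {"ignore", "noquery"}   # flags that refuse control/query packets
LOOPBACK = {"127.0.0.1", "::1"}

def parse_restrict(conf_text):
    """Return {address: set(flags)} for every 'restrict' line in an ntp.conf."""
    entries = {}
    for raw in conf_text.splitlines():
        fields = [f for f in raw.split("#", 1)[0].split() if f not in ("-4", "-6")]
        if len(fields) < 2 or fields[0] != "restrict":
            continue
        addr, rest = fields[1], fields[2:]
        if rest[:1] == ["mask"] and len(rest) >= 2:
            addr, rest = f"{addr}/{rest[1]}", rest[2:]
        entries[addr] = set(rest)
    return entries

def audit(conf_text):
    """List the ways this config still accepts queries from untrusted sources."""
    entries = parse_restrict(conf_text)
    findings = []
    default = entries.get("default")
    if default is None:
        findings.append("no 'restrict default': every source address gets full service")
    elif not default & BLOCKS_QUERIES:
        findings.append("'restrict default' still accepts queries from any source")
    for addr, flags in entries.items():
        if addr == "default" or addr in LOOPBACK:
            continue
        if not flags & BLOCKS_QUERIES:
            # The match is on source address only, and UDP sources can be forged.
            findings.append(f"{addr} may send queries; a spoofed source address passes")
    return findings

# Constructed sample configurations (192.0.2.0/24 is a documentation range).
WEAK = "server 192.0.2.10\nrestrict 127.0.0.1\n"
PARTIAL = ("server 192.0.2.10\n"
           "restrict default nomodify\n"
           "restrict 192.0.2.0 mask 255.255.255.0 nomodify\n")
HARDENED = ("server 192.0.2.10\n"
            "restrict default ignore\n"
            "restrict 192.0.2.10 nomodify noquery notrap  # time service only\n"
            "restrict 127.0.0.1\n")

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("PARTIAL", PARTIAL), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```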
