Hello,

> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
root shell was spawned, and the daemon stayed up. An "strace" of the running
xntpd process confirmed this: no exec syscalls were attempted.

Same thing on SPARC Solaris 2.5.1 also running xntpd 3.5f: no shell, and
the xntpd daemon stayed up with no exec syscalls showing on "truss".

Another vindication for those (like me) who don't like to run the
"latest and greatest" versions of any code (I only upgrade my machines
when forced to, either because of security bugs, or because of desperately
needed new functionality, and even then only after running it for a while
on a test system INSIDE my firewall, and preferably doing an audit on the
code myself).

Best regards,
--
   Durval Menezes (durval AT tmp DOT com DOT br, http://www.tmp.com.br/)