On Thu, 05 Apr 2001 08:52:43 -0300, Durval Menezes <[EMAIL PROTECTED]>  said:
> Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> root shell was spawned, and the daemon stayed up. An "strace" of the running
> xntpd process confirmed this: no exec syscalls were attempted.
>
> Same thing on SPARC Solaris 2.5.1 also running xntpd 3.5f: no shell, and
> the xntpd daemon stayed up with no exec syscalls showing on "truss".
>
> Another vindication for those (like me) that don't like to run the
> "latest and greatest" versions of any code (I only upgrade my machines
> when forced to, either because of security bugs, or because of desperately
> needed new functionality, and even then only after running it for awhile
> on a test system INSIDE my firewall, and preferably doing an audit on the
> code myself).

That doesn't prove you're not vulnerable. It proves the proof-of-concept code
doesn't work against that release.

As Dijkstra pointed out decades ago:

"Testing can prove the presence of bugs, but not their absence."

Until somebody shows that the bug was in code introduced at level 4.mumble
or something, I'm going to have to assume that the bug has been in there
ever since the NTPv1 distribution, especially since it causes a segfault
on the Irix ntp 3.5.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
