Re: ntpd =< 4.0.99k remote buffer overflow

[Viraj Alankar]

On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:

> /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */

Attempting this on a Redhat 6.2 system with xntp3-5.93 did not seem
execute /tmp/sh or crash immediately but it did cause some corruption in
xntpd as can be seen below.

/usr/sbin/ntpq localhost
ntpq> rl
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg
system="M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-k^_^M-^Iv^H1M-@M-^HF^GM-^IF^LM-0^KM-^IM-sM-^MN^HM-^MV^LM-MM-^@1M-[M-^IM-X@M-MM-^@M-hM-\M-^?M-^?M-^?/tmp/shM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PwM-wM-^?M-?wM-wM-^?M-?M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P,
leap=00, stratum=4, rootdelay=78.70, rootdispersion=98.05, peer=12340,
refid=my.ntp.server,
reftime=be79abbf.f4677000  Sat, Apr  7 2001 11:07:43.954, poll=6,
clock=be79abfe.47251000  Sat, Apr  7 2001 11:08:46.277, phase=0.317,
freq=41029.82, error=0.12
ntpq>

Viraj.