On Thu, Apr 05, 2001 at 03:30:42PM +0100, Matt Collins wrote:
> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> > Przemyslaw Frasunek wrote:
> > >
> > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */
> >
> > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
> >
> > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> > caused it to seg. fault and core. No time to double-check if that is actually
> > exploitable at this moment. How many NTP distributions are based off of the
> > vulnerable code? With the small payload, gaining access might be hard, but
> > the potential for DoS looks pretty easy.
>
> We've taken a peek at getting sparc shellcode working with this. Getting
> it in below the 70 byte buffer size is tricky.
>
> Does anybody out there have working shellcode for this that can do *anything*
> to the state of the system even if it doesn't lead to full sploit? (beyond
> making ntp core of course ;) )
>
Yep. I am still testing the piece with modified (former) 11 byte x86 shellcode
from S. Krahmer. By executing /bin/sh -c <stuff> you could do quite a few
things there. :))

And an additional notice (didn't see that it was mentioned on the list yet): it
looks like at least the Solaris 2.7/sparc xntpd daemon is vulnerable as well, a
quick test shows:

# uname -a
SunOS sunbox 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
..
#/usr/lib/inet/xntpd
...
# tail /var/adm/messages
Apr  6 12:18:18 sunbox xntpd[28711]: xntpd version=3.4y (beta multicast); Fri Aug 23 
19:54:40 PDT 1996 (2)
Apr  6 12:18:18 sunbox xntpd[28711]: tickadj = 625, tick = 10000, tvu_maxslew = 61875
..
# gdb /usr/lib/inetd/xntpd `ps -ef | grep xntpd | grep -v grep | awk '{ print $2}'`
GNU gdb 4.18
..
Symbols already loaded for /usr/lib/libmp.so.2
Symbols already loaded for /usr/lib/libaio.so.1
Symbols already loaded for /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
0xff21758c in _sigsuspend () from /usr/lib/libc.so.1
(gdb)cont
Continuing.

Program received signal SIGBUS, Bus error.
0x1df6c in ?? ()
(gdb) info reg
g0             0x0      0
g1             0x65000  413696
..
l0             0xff237ee8       -14450968
l1             0x41414145       1094795589
l2             0x0      0
...
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x7      7
i3             0x56b84  355204
i4             0xc      12
i5             0x41414141       1094795585
fp             0xffbefc70       -4260752
i7             0x19244  102980
...

blah..

Looks like with a bit of tuning we could sploit it here as well..

-Fyodor
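Crash triage for a register dump like the one above, as an added example (not code from the post or from the NTP project): it parses a gdb `info reg` listing and reports which SPARC registers hold the 0x41 ('A') fill pattern, which hold a value derived from it, and whether the window's return-address register %i7 is among them. The embedded sample is the abridged dump from the post, used as constructed input.

```python
import re

# Constructed input: the abridged SPARC `info reg` lines quoted in the post above.
SAMPLE_INFO_REG = """\
g0             0x0      0
g1             0x65000  413696
l0             0xff237ee8       -14450968
l1             0x41414145       1094795589
l2             0x0      0
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x7      7
i3             0x56b84  355204
i4             0xc      12
i5             0x41414141       1094795585
fp             0xffbefc70       -4260752
i7             0x19244  102980
"""

# gdb prints each register as: <name> <hex value> <decimal value>
REG_LINE = re.compile(r"^\s*(\w+)\s+0x([0-9a-fA-F]+)\s+-?\d+\s*$")

def parse_info_reg(text):
    """Return {register: value} from a gdb `info reg` dump; non-register lines are ignored."""
    regs = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def is_fill(value, fill=0x41, width=4):
    """True when every byte of a width-byte register equals the fill byte (0x41 = 'A')."""
    return all(b == fill for b in value.to_bytes(width, "big"))

def triage(regs, fill=0x41, width=4):
    """Classify registers as fully overwritten by the fill, derived from it (fill plus a
    small offset, e.g. a pointer computed from overwritten data), or untouched."""
    pattern = int.from_bytes(bytes([fill]) * width, "big")
    controlled = sorted(r for r, v in regs.items() if is_fill(v, fill, width))
    derived = sorted(r for r, v in regs.items()
                     if not is_fill(v, fill, width) and abs(v - pattern) < 0x100)
    return {
        "controlled": controlled,
        "derived": derived,
        # On SPARC %i7 holds the return address of the current register window; if it
        # carried the fill, control flow (not only data) would be attacker-influenced.
        "return_address_controlled": "i7" in controlled,
    }

if __name__ == "__main__":
    print(triage(parse_info_reg(SAMPLE_INFO_REG)))
```

For the dump in the post this reports i0, i1 and i5 fully overwritten, l1 derived (0x41414141 + 4) and %i7 still a sane text address, which matches the SIGBUS: SPARC faults on a misaligned load through an overwritten pointer before any return-address corruption comes into play.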
