Ntpd Remote Buffer Overflow Vulnerability
BugTraq ID: 2540
Remote: Yes
Date Published: 2001-04-04
Relevant URL: http://www.securityfocus.com/bid/2540

Summary:

NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. For Unix systems, a daemon called ntpd is available which regularly synchronizes system time with Internet time servers using NTP.

Ntpd contains a buffer overflow vulnerability that can be exploited remotely and almost anonymously.

During operation, ntpd maintains a UDP socket bound to a known port for polling time servers and receiving replies. When a datagram is received by the daemon, a number of parsing operations are performed on the data to extract information. One of these operations involves parsing a comma-separated field:

    while (cp < reqend && *cp != ',')
        *tp++ = *cp++;

'tp' is a pointer to a local variable within this function, and 'cp' points to data from a datagram the daemon has received. This code is a loop that copies information from the datagram-supplied data to a local variable (allocated on the stack).

This section of code can result in a stack overflow because the only ways this copy can stop are if the packet data is completely copied, or if a comma is found in the data. The loop does not stop copying data to the stack if the length of the externally-supplied data exceeds the size of the local variable that 'tp' points to. Therefore, if that particular field in the datagram is oversized, memory neighboring the local variable that 'tp' points to can be overwritten with the excess data.

At the very least, an attacker can exploit this vulnerability to corrupt the stack frame and crash the daemon. It is also possible on some systems for an attacker to execute arbitrary code on the host running ntpd.
This would be accomplished in a standard buffer overflow manner, by overwriting the return address in the stack frame with a value pointing to supplied shellcode.

Because ntpd sets system time, it often runs with root privileges. Any attacker who successfully exploits this vulnerability to execute arbitrary code would obtain complete control over the victim host.

Furthermore, UDP is a connectionless protocol. This means that attackers can exploit this vulnerability easily using spoofed source IP addresses. It would be difficult to trace such an attack.
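As an added illustration (not code from the advisory or from the ntpd source), the unbounded loop quoted above is shown beside a bounds-checked version that rejects an oversized field instead of writing past the local buffer. The buffer size FIELD_MAX, the function names and the sample datagram are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size of the stack buffer the field is copied into; the advisory
 * does not state the size ntpd actually uses. */
#define FIELD_MAX 32

/* The pattern described in the advisory: the copy stops only at 'reqend'
 * or at a ',', never because the destination is full. Shown for contrast;
 * not called anywhere in this example. */
static void copy_field_unbounded(const char *cp, const char *reqend, char *tp)
{
    while (cp < reqend && *cp != ',')
        *tp++ = *cp++;
}

/* Bounded replacement: copies at most field_size - 1 bytes, always
 * NUL-terminates, and returns -1 (with an empty field) when the datagram's
 * field would not fit. Returns the number of bytes copied otherwise. */
static int copy_field_bounded(const char *cp, const char *reqend,
                              char *field, size_t field_size)
{
    size_t n = 0;
    while (cp < reqend && *cp != ',') {
        if (n + 1 >= field_size) {   /* no room left for data + terminator */
            field[0] = '\0';
            return -1;               /* caller should drop the datagram */
        }
        field[n++] = *cp++;
    }
    field[n] = '\0';
    return (int)n;
}

/* Parse the first comma-separated field of a datagram body. Network data is
 * not NUL-terminated, so the end is given by pkt_len, as 'reqend' is above. */
int parse_first_field(const char *pkt, size_t pkt_len, char *out, size_t out_size)
{
    (void)copy_field_unbounded;      /* referenced only to silence unused warnings */
    return copy_field_bounded(pkt, pkt + pkt_len, out, out_size);
}
```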