Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Maciej W. Rozycki
On Fri, 6 Apr 2001, Erik Fichtner wrote: > + /* avoid buffer overflow */ > + if (tp > buf + sizeof(buf)) >return(0); > + } There is an off-by-one error here. The a

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Athanasius
On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote: > On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote: > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > Just a quick note to save others a bit of legwork... If you are running > ntpd on a machine simply

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Fyodor
On Thu, Apr 05, 2001 at 03:30:42PM +0100, Matt Collins wrote: > On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote: > > Przemyslaw Frasunek wrote: > > > > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > > > Not good. Not good. Verified the exploit worked o

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread William W. Arnold
Phil Stracchino writes --- >On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote: >> There is only a patch for the NTP software from >> http://phk.freebsd.dk/patch/ntpd.patch. > >I just tried applying this patch against ntp-4.0.99k, and it fails. ntp-4.0.99k has had all its longer l

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Przemyslaw Frasunek
On Thu, Apr 05, 2001 at 10:56:45PM -0500, Stephen Clouse wrote: > Having no effect on ntp-4.0.99k compiled from official source on Slackware > 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash > mode didn't change). As I said, exploiting this overflow isn't so easy -- o

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Erik Fichtner
On Fri, Apr 06, 2001 at 08:38:18AM -0300, Durval Menezes wrote: > If it's really vulnerable, shouldn't it have at least dumped core? Not necessarily. 4.0.99k on OpenBSD-2.8/i386 happily kept on chugging when I poked it with this exploit (all three demo offset variants, btw), and this is not an

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Buhrmaster, Gary
the "special" ip address of 127.127.1.0 if you use fallback to the local clock. Gary > -Original Message- > From: Jan Kluka [mailto:[EMAIL PROTECTED]] > Sent: Friday, April 06, 2001 7:58 AM > To: [EMAIL PROTECTED] > Subject: Re: ntpd =< 4.0.99k remote buffe

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Chris Faulhaber
On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote: > On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote: > > There is only a patch for the NTP software from > > http://phk.freebsd.dk/patch/ntpd.patch. > > I just tried applying this patch against ntp-4.0.99k, and it fa

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Stephen Clouse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Apr 07, 2001 at 09:26:43AM +0200, Przemyslaw Frasunek wrote: > As I said, exploiting this overflow isn't so easy -- offset and align > values vary from platform to platform. Exploit was tested only > on bare RedHat 7.0 and FreeBSD 4.2-STABLE c

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Erik Fichtner
On Fri, Apr 06, 2001 at 12:06:14AM -0700, Phil Stracchino wrote: > On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote: > > There is only a patch for the NTP software from > > http://phk.freebsd.dk/patch/ntpd.patch. > > I just tried applying this patch against ntp-4.0.99k, and it fa

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Viraj Alankar
On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote: > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ Attempting this on a Redhat 6.2 system with xntp3-5.93 did not seem to execute /tmp/sh or crash immediately but it did cause some corruption in xntpd as can be seen below. /usr

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Casper Dik
>char shellcode[]= >"\x90\x10\x20\x00" /* mov 0, %o0 */ >"\x82\x10\x20\x17" /* mov 23, %g1 */ >"\x91\xd0\x20\x08" /* ta 8 -> setuid(0) */ >"\x30\x80\x00\x07" /* ba,a bounce */ >"\x90\x03\xe0\x08" /* start:add %o

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Crist Clark
Durval Menezes wrote: > > Hello, > > On Fri, Apr 06, 2001 at 12:24:53AM -0400, Erik Fichtner wrote: > > On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote: > > > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat > > > Linux 3.0.3 w/ kernel 2.0.36, and the exp

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-09 Thread Dick St.Peters
Stephen Clouse writes: > Having no effect on ntp-4.0.99k compiled from official source on Slackware > 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash > mode didn't change). Run "ntpq -c rv hostname" and you'll see it does have an effect, just not a fatal one. $ ntpq

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Rex Sanders
You can stop the exploit/DOS with restrictions in the "ntp.conf" file, while continuing to receive or serve time. You must stop NTP demon configuration and statistics queries. See the ntpd access control man page: http://www.eecis.udel.edu/~ntp/ntp_spool/html/accopt.htm Also, quoting from the

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Crist Clark
Charles Sprickman wrote: > > On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote: > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > Just a quick note to save others a bit of legwork... If you are running > ntpd on a machine simply as a client, the following line in /etc

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Durval Menezes
Hello, On Fri, Apr 06, 2001 at 12:24:53AM -0400, Erik Fichtner wrote: > On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote: > > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat > > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no > >

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Alexander Gall
> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote: > > Przemyslaw Frasunek wrote: > > > > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > > > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with > > the stock 4.0.99b. FreeBSD has a

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Sebastian Piech
Tomasz Grabowski wrote: > On IRIX 6.5.11 it also seg faults. > > ntpq > ntpq> version > ntpq 3-5.93e Thu Dec 10 10:49:39 PST 1998 (1) > ntpq> quit > > It's rather old isn't it? > It's the default IRIX 6.5.11 installation. Exploit doesn't work with same version of xntpd [3-5.93e Fri Feb 18 18:55:

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Erik Fichtner
On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote: > Until that time, we are blocking NTP access from the Internet (for those of > us who use Internet stratum 1 servers) for the NTP protocol. > I suggest that other people in the same situation do the same until a proper > fix is

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Valdis Kletnieks
On Thu, 05 Apr 2001 08:52:43 -0300, Durval Menezes <[EMAIL PROTECTED]> said: > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no > root shell was spawned, and the daemon stayed up. An "strace" of

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Erik Fichtner
On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote: > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no > root shell was spawned, and the daemon stayed up. An "strace" of the running >

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread William D. Colburn (aka Schlake)
I sent them a short mail asking if they know, and got back a short mail saying lots and lots had reported it. On Wed, Apr 04, 2001 at 02:38:13PM -0700, Gary E. Miller wrote: > Yo All! > > ftp.udel.edu lists ntp 4.0.99k as the newest available. > > Any patches yet? > > Have the maintainers been no

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Stephen Clouse
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Having no effect on ntp-4.0.99k compiled from official source on Slackware 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash mode didn't change). - -- Stephen Clouse <[EMAIL PROTECTED]> Senior Programmer, IQ Coordinator Pro

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Jan Kluka
On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote: ... > Just a quick note to save others a bit of legwork... If you are running > ntpd on a machine simply as a client, the following line in /etc/ntp.conf > should keep people away: > > restrict default ignore > > Before adding thi

Re: ntpd =< 4.0.99k remote buffer overflow]

2001-04-06 Thread Christopher McCrory
Hello... In this message I was replying to a co-worker, but others might benefit. you wrote: > I use the following code snippet in my /etc/rc.d/rc.firewall code which runs > whenever I start my machine: > > # > # NTP from SPECIFIC SERVERS. Make sure to re-run /etc/rc.d/rc.firewall

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Klaus Steden
Both exploits crash 4.0.99b on FreeBSD 4.2-STABLE; the first dies with SIGBUS, the second with SIGILL. Klaus

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Bruce A. Mah
If memory serves me right, Crist Clark wrote: > Przemyslaw Frasunek wrote: > > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED] > l> */ > > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-06 Thread Charles Sprickman
On Wed, 4 Apr 2001, Crist Clark wrote: > Playing with 'restrict' statements in the ntp.conf will prevent the > attacks (I tried, looks like it works), but with UDP NTP so trivial to > spoof, that only will get you so far. But can I assume that properly > using authorization keys will protect you

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Matt Collins
On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote: > Przemyslaw Frasunek wrote: > > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with > the stock 4.0.99b. FreeBSD has a fix in CURREN

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Charles Sprickman
On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote: > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ Just a quick note to save others a bit of legwork... If you are running ntpd on a machine simply as a client, the following line in /etc/ntp.conf should keep people away: r

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Durval Menezes
Hello, > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with > the stock 4.0.99b. FreeBSD has a fix in CURRENT already. > > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y > caused it to seg. fault and core. No time to double-check if that is ac

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Tomasz Grabowski
On Wed, 4 Apr 2001, Crist Clark wrote: > Przemyslaw Frasunek wrote: > > > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ > > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with > the stock 4.0.99b. FreeBSD has a fix in CURRENT already. > > More s

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Ogle Ron (Rennes)
My .02 Ron Ogle -Original Message- From: Przemyslaw Frasunek [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 04, 2001 10:27 PM To: [EMAIL PROTECTED] Subject: ntpd =< 4.0.99k remote buffer overflow /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-05 Thread Gary E. Miller
Yo All! ftp.udel.edu lists ntp 4.0.99k as the newest available. Any patches yet? Have the maintainers been notified? RGDS GARY --- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED]

Re: ntpd =< 4.0.99k remote buffer overflow

2001-04-04 Thread Crist Clark
Przemyslaw Frasunek wrote: > > /* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with the stock 4.0.99b. FreeBSD has a fix in CURRENT already. More sobering, blindly aiming the exploit code at a Sparc ru

ntpd =< 4.0.99k remote buffer overflow

2001-04-04 Thread Przemyslaw Frasunek
/* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */ /* * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable * to remote buffer overflow attack. It occurs when building response for * a query with large readvar argument. In almost all cases, ntpd is