From owner-freebsd-security  Wed Apr  4 19: 9: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id 1190A37B443
	for <freebsd-security@FreeBSD.ORG>; Wed,  4 Apr 2001 19:09:07 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by
          nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with
          ESMTP id GBARAN00.D93; Wed, 4 Apr 2001 19:08:47 -0700 
Message-ID: <3ACBD3BF.52BF23E6@globalstar.com>
Date: Wed, 04 Apr 2001 19:09:03 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David La Croix <dlacroix@cowpie.acm.vt.edu>
Cc: Michael Bryan <fbsd-secure@ursine.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
References: <200104050156.f351uiq20419@cowpie.acm.vt.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David La Croix wrote:
> 
> >
> >
> > Heads up.  This just came across BugTraq, will likely affect FreeBSD.
> > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.
> >
> >
> 
> Haven't seen anybody mention this yet....   (and I hate to admit to
> still using 3.x)    I have a production box which I haven't upgraded yet...
> 
> Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e)
> succeptable to this, or any other, known buffer overflows?

Test it. If you compile the code and shoot, it will crash the daemon
even if the exploit is not successful. But that tells you the potential
is there.

I took that FreeBSD and Linux exploit and aimed it at Sparc box running
xntpd 3.4y and *CRASH*. The xntpd cored and died. The buffer overrun
looks like it goes back at least that far. It should not be too hard
to track it to the source. But I am too busy trying to assess how to 
handle all the machines I _know_ are vulnerable to do that.

The idea that something like the NTP built in to Cisco's IOS might be 
based off of vulnerable [x]ntpd code frankly scares the beejeezus out 
of me.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message