Date: Thu, 05 Apr 2001 13:14:23 +1000
From: Mark.Andrews@nominum.com
To: "Crist Clark" <crist.clark@globalstar.com>
Cc: David La Croix <dlacroix@cowpie.acm.vt.edu>, Michael Bryan <fbsd-secure@ursine.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
Message-ID: <200104050314.f353ENT37642@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 04 Apr 2001 19:09:03 MST." <3ACBD3BF.52BF23E6@globalstar.com>
The following stomps this particular overflow.

	Mark

Index: contrib/ntp/ntpd/ntp_control.c
===================================================================
RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ntp_control.c
--- contrib/ntp/ntpd/ntp_control.c	2000/01/28 14:53:03	1.1.1.2
+++ contrib/ntp/ntpd/ntp_control.c	2001/04/05 03:07:25
@@ -1650,11 +1650,15 @@ while (cp < reqend && isspace((int)*cp)) cp++; while (cp < reqend && *cp != ',') + if (tp - buf < sizeof(buf) - 1) *tp++ = *cp++; + else + cp++; if (cp < reqend) cp++; *tp = '\0'; - while (isspace((int)(*(tp-1)))) + while (tp != buf && + isspace((int)(*(tp-1)))) *(--tp) = '\0'; reqpt = cp; *data = buf;

> David La Croix wrote:
> >
> > > Heads up. This just came across BugTraq, will likely affect FreeBSD.
> > > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.
> >
> > Haven't seen anybody mention this yet.... (and I hate to admit to
> > still using 3.x) I have a production box which I haven't upgraded yet...
> >
> > Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e)
> > susceptible to this, or any other, known buffer overflows?
>
> Test it. If you compile the code and shoot, it will crash the daemon
> even if the exploit is not successful. But that tells you the potential
> is there.
>
> I took that FreeBSD and Linux exploit and aimed it at a Sparc box running
> xntpd 3.4y and *CRASH*. The xntpd cored and died. The buffer overrun
> looks like it goes back at least that far. It should not be too hard
> to track it to the source. But I am too busy trying to assess how to
> handle all the machines I _know_ are vulnerable to do that.
>
> The idea that something like the NTP built in to Cisco's IOS might be
> based off of vulnerable [x]ntpd code frankly scares the beejeezus out
> of me.
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
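Review bot: The new bounds check on the `+ if (tp - buf < sizeof(buf) - 1)` line silently drops every byte past the end of `buf` and keeps parsing, so an oversized variable value is truncated and then handed to the caller as if it were valid; consider breaking out of the loop and letting the request be rejected (or at least logged) when the limit is reached, and since the declaration of `buf` is not in the hunk, confirm it is a fixed-size array in this scope, because `sizeof(buf)` on a pointer would compare against the pointer size instead. The same comparison mixes a signed `ptrdiff_t` (`tp - buf`) with an unsigned `size_t` (`sizeof(buf) - 1`), which draws a compiler warning; casting the difference to `size_t` is safe because `tp` never precedes `buf`. Braces around the `if`/`else` that now forms the `while` body would also make the loop easier to read. The added `tp != buf &&` guard on the trailing-whitespace loop is the right fix for the read before the start of `buf` when nothing was copied.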
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104050314.f353ENT37642>