From owner-freebsd-security Wed Apr  4 20:15:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236])
	by hub.freebsd.org (Postfix) with ESMTP id 0BF6137B423
	for ; Wed, 4 Apr 2001 20:15:29 -0700 (PDT)
	(envelope-from marka@nominum.com)
Received: from nominum.com (localhost.dv.isc.org [127.0.0.1])
	by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f353ENT37642;
	Thu, 5 Apr 2001 13:14:24 +1000 (EST)
	(envelope-from marka@nominum.com)
Message-Id: <200104050314.f353ENT37642@drugs.dv.isc.org>
To: "Crist Clark"
Cc: David La Croix , Michael Bryan , freebsd-security@FreeBSD.ORG
From: Mark.Andrews@nominum.com
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
In-reply-to: Your message of "Wed, 04 Apr 2001 19:09:03 MST." <3ACBD3BF.52BF23E6@globalstar.com>
Date: Thu, 05 Apr 2001 13:14:23 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

	The following stomps this particular overflow.

	Mark

Index: contrib/ntp/ntpd/ntp_control.c
===================================================================
RCS file: /home/ncvs/src/contrib/ntp/ntpd/ntp_control.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ntp_control.c
--- contrib/ntp/ntpd/ntp_control.c	2000/01/28 14:53:03	1.1.1.2
+++ contrib/ntp/ntpd/ntp_control.c	2001/04/05 03:07:25
@@ -1650,11 +1650,15 @@
 		while (cp < reqend && isspace((int)*cp))
 			cp++;
 		while (cp < reqend && *cp != ',')
+			if (tp - buf < sizeof(buf) - 1)
 			*tp++ = *cp++;
+			else
+				cp++;
 		if (cp < reqend)
 			cp++;
 		*tp = '\0';
-		while (isspace((int)(*(tp-1))))
+		while (tp != buf &&
+		       isspace((int)(*(tp-1))))
 			*(--tp) = '\0';
 		reqpt = cp;
 		*data = buf;

> David La Croix wrote:
> >
> > > Heads up. This just came across BugTraq, will likely affect FreeBSD.
> > > As of 4.2-RELEASE, the ntpd that ships with FreeBSD is 4.0.99b.
> >
> > Haven't seen anybody mention this yet.... (and I hate to admit to
> > still using 3.x) I have a production box which I haven't upgraded yet...
> >
> > Is the version of xntpd in 3.x-STABLE (xntpdc version=3.4e)
> > susceptible to this, or any other, known buffer overflows?
>
> Test it. If you compile the code and shoot, it will crash the daemon
> even if the exploit is not successful. But that tells you the potential
> is there.
>
> I took that FreeBSD and Linux exploit and aimed it at a Sparc box running
> xntpd 3.4y and *CRASH*. The xntpd cored and died. The buffer overrun
> looks like it goes back at least that far. It should not be too hard
> to track it to the source. But I am too busy trying to assess how to
> handle all the machines I _know_ are vulnerable to do that.
>
> The idea that something like the NTP built in to Cisco's IOS might be
> based off of vulnerable [x]ntpd code frankly scares the beejeezus out
> of me.
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.
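Review bot: The new `if (tp - buf < sizeof(buf) - 1)` guard in the `@@ -1650,11 +1650,15 @@` hunk turns the overflow into silent truncation: once `buf` is full the remaining bytes are skipped with `cp++` and the caller receives a shortened item with no indication that the request was oversized. Consider failing the request instead (for example, having this routine return an error as soon as a byte has to be dropped) so a mangled value is never acted on, or at least log the truncation. Two smaller points on the same line: `tp - buf` is a signed `ptrdiff_t` compared against the unsigned `sizeof(buf) - 1`, which draws a signed/unsigned warning on strict compilers and reads more cleanly as `(size_t)(tp - buf) < sizeof(buf) - 1`; and the check is only meaningful if `buf` is declared as an array in this function, since `sizeof` on a `char *` yields the pointer size. The added `tp != buf &&` guard on the trailing-whitespace loop is correct, and it also stops the old `*(tp-1)` read one byte before `buf` when the item is empty.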
> If the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
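Added example, not part of this thread and not ntpd's own code: a stand-alone model of the comma-separated item scanner that the ntp_control.c patch above hardens, so the pre-patch and post-patch behaviour can be run side by side. The function names, the 8-byte `ITEM_BUF` size, the `truncated` flag and the sample request are assumptions chosen for the demonstration; the real ntpd buffer is larger and the real routine has no such flag. `item_len_unbounded` reports how many bytes the unguarded loop would have stored (without performing the out-of-bounds write), and `item_get_bounded` applies the two checks from the patch: stop copying when only the terminator's byte is left, and never step `tp` below `buf` while trimming, which matters for an empty item.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed item buffer size for this model (ntpd's real array is larger);
 * kept small so an overlong item is easy to construct. */
#define ITEM_BUF 8

/*
 * Pre-patch behaviour, modelled without the memory corruption: how many
 * bytes the unguarded copy loop would store for the next item.  Trailing
 * whitespace counts because the old code copied it before trimming.
 * A result >= buflen means the old loop would have written past buf
 * (and then put the '\0' one byte further still).
 */
size_t item_len_unbounded(const char *reqpt, const char *reqend)
{
    const char *cp = reqpt;
    size_t n = 0;

    while (cp < reqend && isspace((unsigned char)*cp))
        cp++;
    while (cp < reqend && *cp != ',') {
        n++;
        cp++;
    }
    return n;
}

/*
 * Post-patch behaviour: copy the next comma-separated item from
 * [*reqpt, reqend) into buf (buflen >= 1 assumed), keeping one byte for
 * the terminator, then trim trailing whitespace without stepping below
 * buf.  Advances *reqpt past the item and its comma.  Returns the stored
 * length; *truncated is set when input bytes had to be dropped.
 */
size_t item_get_bounded(const char **reqpt, const char *reqend,
                        char *buf, size_t buflen, int *truncated)
{
    const char *cp = *reqpt;
    char *tp = buf;

    *truncated = 0;
    while (cp < reqend && isspace((unsigned char)*cp))
        cp++;
    while (cp < reqend && *cp != ',') {
        if ((size_t)(tp - buf) < buflen - 1) {
            *tp++ = *cp++;
        } else {
            *truncated = 1;     /* drop the byte rather than write past buf */
            cp++;
        }
    }
    if (cp < reqend)
        cp++;                   /* consume the ',' */
    *tp = '\0';
    /* tp != buf guards the empty item, where tp - 1 would point before buf */
    while (tp != buf && isspace((unsigned char)*(tp - 1)))
        *(--tp) = '\0';
    *reqpt = cp;
    return (size_t)(tp - buf);
}

/*
 * Walk a whole request with the bounded scanner and report how many of its
 * items the unbounded loop would have overflowed for a buffer of buflen.
 */
int count_overflowing_items(const char *req, size_t buflen)
{
    const char *cp = req;
    const char *end = req + strlen(req);
    char buf[ITEM_BUF];
    int truncated, overflowing = 0;

    if (buflen > sizeof(buf))
        buflen = sizeof(buf);
    while (cp < end) {          /* item_get_bounded always advances cp */
        if (item_len_unbounded(cp, end) >= buflen)
            overflowing++;
        item_get_bounded(&cp, end, buf, buflen, &truncated);
    }
    return overflowing;
}

int main(void)
{
    /* Constructed request: a normal item, two overlong ones, an empty one. */
    const char *req = "stratum,  precision , averyverylongname , ,x";
    const char *cp = req;
    const char *end = req + strlen(req);
    char buf[ITEM_BUF];
    int truncated;

    while (cp < end) {
        size_t want = item_len_unbounded(cp, end);
        size_t got = item_get_bounded(&cp, end, buf, sizeof(buf), &truncated);
        printf("item \"%s\": stored %zu byte(s)%s; old loop would write %zu%s\n",
               buf, got, truncated ? " (truncated)" : "", want,
               want >= sizeof(buf) ? " -> overflow" : "");
    }
    printf("%d of the items would have overflowed an %d-byte buffer\n",
           count_overflowing_items(req, ITEM_BUF), ITEM_BUF);
    return 0;
}
```

Run against the constructed request, the model shows the two overlong items being cut to seven bytes and flagged, and the empty item (" ,") returning zero bytes without the trimming loop ever looking at `buf[-1]`, which is exactly the case the `tp != buf` guard in the patch protects.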