===================================================================== CERT-Renater Note d'Information No. 2001/VULN122 _____________________________________________________________________ DATE : 06/04/2001 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : systems running ntp daemon comprenant - FreeBSD - Linux Debian - Linux Mandrake - Linux RedHat - Linux Slackware - Linux SuSE - NetBSD - OpenLinux (Linux Caldera) - OpenLinux eServer (Linux Caldera) ====================================================================== Le service de synchronisation temporelle NTP est vulnérable à une attaque en buffer overflow. L'attaquant peut ainsi passer root sur la machine cible. Il semblerait qu'il existe déjà un programme d'exploitation de cette faille. Cet information complète la vuln 122 du 05/04/2001. Avis de sécurité de Linux Debian DSA-045-1 du 5 avril 2001 (Archive de BugTraq) http://www.securityfocus.com/archive/1/174354 Avis de sécurité de NetBSD NetBSD-SA2001-004 du 5 avril 2001 ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001 - -004.txt.asc NetBSD Security Advisory 2001-004 ================================= Topic: NTP remote buffer overflow Version: All versions running the NTP time service Severity: Potential remote root execution compromise Fixed: Thursday 5 April, 2001 Abstract ======== The NTP time synchronisation service shipped with NetBSD and many other systems is vulnerable to a buffer-overflow attack. This vulnerability may lead to arbitrary code execution as the user running the NTP daemon, usually root. Technical Details ================= Technical details of the bug were announced on the bugtraq mailing list, and are not replicated here. The posting archive can be found at: http://www.securityfocus.com/archive/1/174011 Known exploit code has been published for other operating systems, and leads to a remote root compromise on those systems. This exploit causes a denial of service, crashing the NTP daemon, when run against a NetBSD system. The capability to exploit the vulnerability and execute code has not yet been confirmed on NetBSD, though it is presumed to exist. It is likely that minor alterations to the detail of the published exploit code will produce a viable remote root attack. Note that source addresses of NTP UDP time packets are easily forged, so IP address based restrictions on incoming NTP traffic are likely to be of limited value. Solutions and Workarounds ========================= The patch attached below has been incorporated into NetBSD-current, and pulled up into the NetBSD 1.4 and 1.5 release branches. Unless systems depend critically on NTP for very accurate time, or have very poor local clocks, the NetBSD project recommends that running NTP daemons be temporarily disabled immediately, to prevent the risk of compromise while fixes are being applied. Users should make their own judgement, but most systems should be able to run for several days without significant clock drift. This allows administrators flexibility in managing the update and change process. Systems running releases older than NetBSD 1.4 should be upgraded to NetBSD 1.4.3 before applying the fixes described here. Systems running NetBSD-current dated from before 2001-04-05 should be upgraded to NetBSD-current dated 2001-04-05 or later. Systems running NetBSD releases 1.4.x or 1.5 should apply the following patches. These patches have been pulled up to the release branches, users tracking the release branches should update to a code newer than 2001-04-05. The two patches are the same, apart from some formatting differences and relocation of the file that occurred in the interim. Note: the syslog()ing code in the original patch from FreeBSD is disabled but included, as some people may want to enable syslog()ing the source of the bad packets. This was disabled in NetBSD to prevent a potential resource exhaustion DoS against syslog, and as the address is likely to be spoofed. For NetBSD-1.5: apply the following patch to /usr/src/dist/ntp/ntpd/ntp_control.c - --- ntp_control.c 2000/04/22 14:53:15 1.1.1.2 +++ ntp_control.c 2001/04/05 02:08:01 1.2 @@ -1812,9 +1812,22 @@ while (cp < reqend && isspace((int)*cp)) cp++; - - while (cp < reqend && *cp != - - ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + if (tp >= + buf + sizeof(buf) - 1) { +#if 0 /* don't syslog for now - DoS potential on filling syslog */ + msyslog(LOG_WARNING, + "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", + (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, + ntohs(rmt_addr->sin_port)); +#endif + return (0); + } + } if (cp < reqend) cp++; *tp = '\0'; For NetBSD-1.4.x: apply the following patch to /usr/src/usr.sbin/xntp/xntpd/ntp_control.c - --- ntp_control.c 1998/08/27 20:31:02 1.6 +++ ntp_control.c 2001/04/05 01:50:18 @@ -1757,8 +1757,22 @@ ctl_getitem(var_list, data) tp = buf; while (cp < reqend && isspace(*cp)) cp++; - - while (cp < reqend && *cp != ',') + while (cp < reqend && *cp != ',') { *tp++ = *cp++; + if (tp >= + buf + sizeof(buf) - 1) { +#if 0 /* don't syslog for now - DoS potential on filling syslog */ + msyslog(LOG_WARNING, + "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", + (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, + (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, + ntohs(rmt_addr->sin_port)); +#endif + return (0); + } + } if (cp < reqend) cp++; *tp = '\0'; Thanks To ========= Przemyslaw Frasunek for discovering and publicising the issue. Poul-Henning Kamp and Dima Ruban for fixes from the FreeBSD tree. Jason Thorpe for changes to not overrun the end of the static buffer and disabling syslog(). Simon Burge for responding to the incident and applying the fixes. Revision History ================ 2001-04-05 Initial Release More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================