OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Progeny Security Team (securityPROGENY.COM)
Date: Fri Apr 13 2001 - 11:05:50 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     ---------------------------------------------------------------------------
     PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-02A
     ---------------------------------------------------------------------------

        Topic: ntpd remote buffer overflow

        Category: net
        Module: ntp
        Announced: 2001-04-09
        Credits: Przemyslaw Frasunek <venglinFREEBSD.LUBLIN.PL>
                        BUGTRAQ <BUGTRAQsecurityfocus.com>
                        Poul-Henning Kamp <phkfreebsd.org>
        Affects: Progeny Debian (ntp prior to 4.0.99g-2.0progeny6)
                        Debian GNU/Linux (ntp prior to 4.0.99g-2potato2)
        Vendor-Status: New Version Released (ntp_4.0.99g-2.0progeny6)
        Corrected: 2001-04-12
        Progeny Only: NO

        $Id: PROGENY-SA-2001-02,v 1.11 2001/04/13 15:54:28 jdaily Exp $

     ---------------------------------------------------------------------------

    UPDATE SYNOPSIS

    This is an update to advisory PROGENY-SA-2001-02. The original fix
    for the ntpd vulnerability described below introduced a potential
    denial of service. This has been corrected in a new package,
    ntp_4.0.99g-2.0progeny6.

    SYNOPSIS

    Versions of the Network Time Protocol Daemon (ntpd) previous to and
    including 4.0.99k have a remote buffer overflow which may lead to a
    remote root exploit.

    PROBLEM DESCRIPTION

    The Network Time Protocol Daemon is vulnerable to a remote buffer
    overflow attack which could potentially be exploited to gain remote root
    access.

    The buffer overflow occurs when building a response to a query with a
    large readvar argument. The shellcode executed must be less than 70
    bytes, otherwise the destination buffer is damaged. This makes the
    vulnerability difficult but not impossible to exploit.

    Furthermore, it should be noted that it is easy to spoof the source
    address of potential malicious queries to an ntp server.

    IMPACT

    Remote users could adapt available exploits to gain root privileges.

    SOLUTION

    Upgrade to a fixed version of ntpd. You may use Progeny's ntp package,
    version 4.0.99g-2.0progeny6, for convenience.

    WORKAROUND

    No known workaround exists for this vulnerability.

    UPDATING VIA APT-GET

     1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
        security update repository:

            deb http://archive.progeny.com/progeny updates/newton/

     2. Update your cache of available packages for apt(8).

        Example:

            # apt-get update

     3. Using apt(8), install the new package. apt(8) will download
        the update, verify its integrity with md5, and then install the
        package on your system with dpkg(8).

        Example:

            # apt-get install ntp

     4. Since this update installs a new version of the ntp daemon, we
        recommend restarting it following installation to make certain the
        old version is not still running.

        Example:

            # /etc/init.d/ntp restart

    UPDATING VIA DPKG

     1. Using your preferred FTP/HTTP client to retrieve the following
        updated files from Progeny's update archive at:

        http://archive.progeny.com/progeny/updates/newton/

        Filename MD5 Checksum
        ------------------------------------ --------------------------------
        ntp_4.0.99g-2.0progeny6_i386.deb 8ce73b29f7d4b77dda190c3b31c42255

        Example:

            # wget http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb

     2. Use the md5sum command on the retrieved file to verify that it matches
        the md5sum provided in this advisory:

        Example:

            # md5sum ntp_4.0.99g-2.0progeny6_i386.deb

     3. Then install the replacement package(s) using the dpkg command.

        Example:

            # dpkg --install ntp_4.0.99g-2.0progeny6_i386.deb

     4. Since this update installs a new version of the ntp daemon, we
        recommend restarting it following installation to make certain the
        old version is not still running.

        Example:

            # /etc/init.d/ntp restart

    MORE INFORMATION

    While (reportedly) all upstream versions of ntp previous to and
    including 4.0.99k are vulnerable, the Progeny Debian
    4.0.99g-2.0progeny6 and Debian GNU/Linux 4.0.99g-2potato2 packages
    have been patched to fix this problem.

     ---------------------------------------------------------------------------

    pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <securityprogeny.com>

    - -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn
    RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS
    29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv
    eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP
    l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8
    qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo
    zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2
    fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/
    th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT
    ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql
    WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx
    Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7
    WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB
    VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs
    AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN
    UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT
    duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+
    WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b
    3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU
    n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c
    U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh
    55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg
    PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly
    tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b
    aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG
    gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG
    x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2
    kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH
    wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o
    cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM
    hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz
    kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U
    sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E
    jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO
    S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB
    =6dRm
    - -----END PGP PUBLIC KEY BLOCK-----

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjrXIYMACgkQScF9I/ktTR9qegCeLQDhnS7AznAtBONiKyZUp1Lp
    2DAAnRmwpHL42mgAbUMV0wNaT3pgMBJC
    =6H5t
    -----END PGP SIGNATURE-----