Date: Wed, 18 Apr 2001 06:59:09 -0400
From: IBM MSS Advisory Service <advisory@US.IBM.COM.>
To: [email protected]
Subject: IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow Vulnerability in (x)ntp
IBM Global Services
Managed Security Services
Outside Advisory Redistribution
----------- Forwarded Information Starts Here.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
Tue Apr 10 11:15:04 CDT 2001
VULNERABILITY SUMMARY
VULNERABILITY: Buffer Overflow Vulnerability in (x)ntp
PLATFORMS: IBM AIX 4.3.x and 5.1
SOLUTION: Apply the emergency-fixes described below.
THREAT: Malicious user could obtain root privileges, or cause
a denial of service (DoS).
CERT Advisory: Pending.
DETAILED INFORMATION
I. Description
The Network Time Protocol daemon, (x)ntp, shipped with AIX contains
a buffer overflow vulnerability that allows a malicious user, local
or remote, to gain root privileges.
Gaining root privileges by exploiting this vulnerability appears to
be somewhat difficult in practice, as knowledge of the hardware-dependent
stack registers and addresses is required for each architecture. Also,
the stack overflow that can be achieved leaves little "working room",
so an especially well-crafted exploit would be required.
An exploit has been written and made public; it is intended for use
on Intel architectures to gain root access. Run as is, however, it
disrupts the ntp daemon, and the likely result is a denial of
service (DoS). The exploit code would need to be modified for full
exploitation on the RISC6000 architecture. Nonetheless, IBM has
confirmed that the vulnerability exists in the daemon source code,
and has fixed this problem.
II. Impact
A malicious local or remote user can use well-crafted exploit code
to gain root privileges on the attacked system, compromising the
integrity of the system and its attached local network.
If the malicious user is unable to gain root access, he or she could
still crash the system (DoS) via this vulnerability.
III. Solutions
A. Official fix
IBM is working on the following fixes which will be available
soon:
AIX 4.3.x and 5.1: APAR assignment pending.
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 at the latest maintenance level,
or to 5.1, when it becomes available.
B. How to minimize the vulnerability
Temporary fixes for AIX 4.3.x and 5.1 systems are available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z
The efix tarball consists of two patched xntpd binaries, one for
AIX 4.3.x systems (xntpd.43) and one for AIX 5.1 (scheduled for
release soon; binary is xntpd.51). A copy of this Advisory is also
included.
These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
To proceed with efix installation:
First, verify the MD5 cryptographic hash sum of each efix file you
obtain from unpacking the efix tarball against the values given below.
These should match exactly; if they do not, double-check the hash
results and the download site address. If both check out and the sums
still differ, contact IBM AIX Security at [email protected] and
describe the discrepancy.
Filename    sum (checksum, blocks)    md5
xntpd.43    15698 254                 66f9e21a02267eaead6f7f020f16ce8c
xntpd.51    56685 267                 6a2c7260a45c3849752f976f12c1881c
Efix Installation Instructions:
-------------------------------
1. Become root, if not already done.
2. In a scratch or tmp directory, uncompress and untar the efix:
a. uncompress xntpd_efix.tar.Z
b. tar -xvf xntpd_efix.tar
3. If you are running an AIX 4.3.x system, copy the xntpd.43 file
to /usr/sbin. Do the same if you have AIX 5.1 running, except
copy the xntpd.51 file.
4. Stop the ntp daemon if it is currently running:
a. stopsrc -s xntpd
5. Make a backup copy of the existing
xntpd binary package in case something goes wrong with the
installation of the efix:
a. cp /usr/sbin/xntpd /usr/sbin/xntpd.original
6. Now copy the efix binary into place over the original xntpd:
   a. cp /usr/sbin/xntpd.43 /usr/sbin/xntpd   (or xntpd.51, as appropriate)
7. Check to be certain that the new xntpd is executable by root and
   otherwise carries the proper permissions.
8. Restart the ntp daemon:
a. startsrc -s xntpd
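A script that carries out the verification and replacement steps above, added here as an example and not part of the IBM efix package or advisory. It assumes an MD5 tool (md5sum, md5 or openssl) is on the path and that the AIX SRC commands stopsrc/startsrc exist on the target; the expected sums are the ones printed in the table above.

```shell
# Added example, not part of the IBM advisory: verify an efix binary's MD5 sum
# against the value published in the advisory, and only then perform the
# backup-and-replace steps. Expected sums are copied from the advisory table.
EXPECTED_MD5_43="66f9e21a02267eaead6f7f020f16ce8c"
EXPECTED_MD5_51="6a2c7260a45c3849752f976f12c1881c"

# md5_of FILE: print the hex MD5 digest using whichever tool the host provides
# (md5sum on Linux, md5 on BSD, openssl elsewhere). Assumption: one of them exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        echo "no MD5 tool found" >&2
        return 2
    fi
}

# check_md5 FILE EXPECTED: return 0 on an exact match, 1 on mismatch, 2 if
# the digest could not be computed. A mismatch is reported, never ignored.
check_md5() {
    actual=$(md5_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1: expected $2 got $actual" >&2
    return 1
}

# install_efix SRC EXPECTED [TARGET]: the advisory's steps 4-8, gated on the
# checksum. stopsrc/startsrc are the AIX SRC commands named in the advisory.
install_efix() {
    src="$1"; expected="$2"; target="${3:-/usr/sbin/xntpd}"
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    check_md5 "$src" "$expected" || return 1
    stopsrc -s xntpd
    cp "$target" "$target.original" || return 1      # keep a rollback copy
    cp "$src" "$target" || return 1
    [ -x "$target" ] || chmod u+x "$target"           # step 7: executable by root
    ls -l "$target"                                   # review remaining permissions
    startsrc -s xntpd
}

# Usage on an AIX 4.3.x system, from the directory holding the unpacked efix:
#   install_efix xntpd.43 "$EXPECTED_MD5_43"
```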
IV. Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/rs6k/fixes.html
or send email to "[email protected]" with the word "FixDist" in the
"Subject:" line.
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "[email protected]" with
the word "subscribe Security_APARs" in the "Subject:" line.
V. Acknowledgements
Many thanks to Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL.>
for discovering this vulnerability, and to the CERT/CC and
SecurityFocus' BUGTRAQ for posting notices of this security
problem.
VI. Contact Information
Comments regarding the content of this announcement can be directed to:
[email protected]
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to [email protected]
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to [email protected] with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
IBM and AIX are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
----------- Forwarded Information Ends Here.