The OpenNET Project
 


ntpd - new Debian 2.2 (potato) version is also vulnerable


Date: Mon, 9 Apr 2001 11:29:15 +0200
From: Daniel Kiper <dkiper@NETSPACE.COM.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ntpd - new Debian 2.2 (potato) version is also vulnerable

Hello

I have downloaded the new release of the ntp package for Debian 2.2 (potato)
(Ver. 4.0.99g-2potato1).

After installing it, I started the new version and invoked the command:

ntpq -c rl myntp

status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
processor="i586", system="Linux2.2.19", leap=00, stratum=2,
precision=-17, rootdelay=49.892, rootdispersion=283.631, peer=56420,
refid=timeserver,
reftime=be7bfc52.2161d430  Mon, Apr  9 2001 11:16:02.130, poll=6,
clock=be7bfc64.0afef7c2  Mon, Apr  9 2001 11:16:20.042, state=4,
phase=-64.112, frequency=-7.643, jitter=47.294, stability=3.821

Now everything is OK.

Next command:

ntpdx -t 2 ntp

ntpdx v1.0 by venglin@freebsd.lublin.pl

Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)

RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
[1] <- evil query (pkt = 512 | shell = 45)
[2] <- null query (pkt = 12)
Done.
/tmp/sh was spawned.

I didn't see any changes in the /bin/bash mode, but after the command:

ntpq -c rl ntp

status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
processor="i586", system="M-^Pinux2.2.19", leap=00, stratum=2,
                                        ^^^^^^^^^^^^^^^^^^^ Ooops....
precision=-17, rootdelay=59.810, rootdispersion=154.661, peer=56420,
refid=timeserver,
reftime=be7bfd10.04201cd5  Mon, Apr  9 2001 11:19:12.016, poll=6,
clock=be7bfd4d.06c81d3a  Mon, Apr  9 2001 11:20:13.026, state=4,
phase=-84.368, frequency=-20.496, jitter=59.303, stability=4.202

and a message from syslog:

Apr  9 11:17:34 mymachine ntpd[1014]: Attempted "ntpdx" exploit from IP
x.x.x.x:1091 (possibly spoofed)

Sorry, but I don't have time to check the source now.

Daniel Kiper - dkiper@netspace.com.pl
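
A defender-side check for the two symptoms shown in this message, added here as an example and not part of the original post: it compares two `ntpq -c rl` outputs for a variable that changed into a value with non-printable bytes, and extracts the source from ntpd's log line. The sample strings are constructed from the outputs above, the address 192.0.2.10 is a placeholder, and all function names are hypothetical.

```python
import re

# Constructed samples, modelled on the two "ntpq -c rl" outputs in the post.
BEFORE = 'processor="i586", system="Linux2.2.19", leap=00, stratum=2,'
AFTER = 'processor="i586", system="M-^Pinux2.2.19", leap=00, stratum=2,'
# Constructed syslog line; 192.0.2.10 is a documentation address.
SYSLOG = ('Apr  9 11:17:34 mymachine ntpd[1014]: Attempted "ntpdx" exploit '
          'from IP 192.0.2.10:1091 (possibly spoofed)')

# name=value pairs; quoted values may contain commas, bare values may not.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')
# cat -v style rendering of a high or control byte, e.g. "M-^P" for 0x90.
CATV = re.compile(r'M-\^?.|\^[@-_?]')
# Message text as it appears in the post; \s+ tolerates mail line wrapping.
ALERT = re.compile(r'ntpd\[\d+\]: Attempted "ntpdx" exploit from IP\s+'
                   r'(\S+):(\d+)')


def parse_readvar(text):
    """Return {name: value} for the name=value pairs in readvar output."""
    return {k: v.strip('"') for k, v in PAIR.findall(text)}


def is_corrupt(value):
    """True if value holds non-printable bytes or their cat -v rendering."""
    if CATV.search(value):
        return True
    return any(not 0x20 <= ord(c) <= 0x7e for c in value)


def changed_and_corrupt(before, after):
    """Names of variables whose value changed and now looks corrupted."""
    b, a = parse_readvar(before), parse_readvar(after)
    return sorted(k for k in a
                  if k in b and a[k] != b[k] and is_corrupt(a[k]))


def parse_alert(line):
    """Return (source_ip, source_port) from the ntpd log message, or None."""
    m = ALERT.search(line)
    return (m.group(1), int(m.group(2))) if m else None


if __name__ == "__main__":
    print(changed_and_corrupt(BEFORE, AFTER))
    print(parse_alert(SYSLOG))
```

The source address in the log line is only a lead, since the message itself marks it as possibly spoofed.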
