J-Security Center

Title: Ntpd Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

NTP, the Network Time Protocol, synchronizes a computer's clock with another system or with a reference clock. It is carried over UDP (port 123). Two protocol versions are in common use, NTP v3 and NTP v4. The reference implementation of version 3 is distributed as 'xntp3' and that of version 4 as 'ntp'; both provide the 'ntpd' daemon.

On UNIX systems, the 'ntpd' daemon keeps the system clock continuously synchronized with Internet time servers.

While running, 'ntpd' keeps a UDP socket bound to its well-known port, on which it polls time servers, receives their replies and accepts datagrams from any other host. Every datagram that arrives on that socket, whatever its source, is parsed by the daemon to extract the fields it carries.

One of these parsing operations copies a comma-separated field out of the datagram:

    /* copy one field, up to the next comma or the end of the datagram;
       nothing compares 'tp' against the size of its destination buffer */
    while (cp < reqend && *cp != ',')
        *tp++ = *cp++;

'tp' points to a local buffer within this function; 'cp' points into the data of the datagram the daemon has received. The loop copies bytes from the datagram into that stack-allocated buffer one at a time.

This loop can overflow the stack buffer because the copy stops only when the packet data is exhausted or a comma is reached. Nothing compares the number of bytes copied against the size of the buffer that 'tp' points to, so a field longer than that buffer keeps writing past its end.

Consequently, a single datagram whose field is oversized and contains no comma overwrites whatever memory follows the buffer in the stack frame with the excess bytes; the attacker chooses both the length and the contents of that excess.

At the very least, an attacker can exploit this vulnerability to corrupt the stack frame and crash the daemon, denying time service to the host. On some systems the attacker may go further and execute arbitrary code on the host running 'ntpd', in the standard way for a stack-based overflow: the saved return address in the frame is overwritten with a value pointing to attacker-supplied shellcode. How reliably this works depends on the platform's stack layout, the distance between the buffer and the return address, and whether the stack is executable.
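The following C program is an added illustration written for this page; it is not code from the 'ntp' distribution or from this advisory. It models the quoted loop against a constructed 'name=value,name=value' request, measures how many bytes the unbounded loop would write for a field that contains no comma, and shows a bounded replacement that checks the destination pointer before every write and rejects the request when the field does not fit (the general shape of a fix, not the vendor's own code). The 128-byte buffer size, the field syntax and the sample requests are assumptions chosen for illustration; the unbounded loop is only measured, never executed against a real buffer, so the program does not corrupt its own memory when run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the destination buffer 'tp' points into. The advisory does not
 * state it; 128 bytes is an assumption for illustration. */
#define FIELD_BUF 128

enum { FIELD_OK = 0, FIELD_TOOLONG = -1 };

/*
 * Number of bytes the advisory's loop would write for the field at cp:
 *     while (cp < reqend && *cp != ',')
 *         *tp++ = *cp++;
 * The count depends only on where the sender puts the next comma (or the
 * end of the datagram), never on the destination size. This helper only
 * measures; it performs no write, so it is safe on any input.
 */
size_t unbounded_copy_len(const char *cp, const char *reqend)
{
    const char *start = cp;
    while (cp < reqend && *cp != ',')
        cp++;
    return (size_t)(cp - start);
}

/* 1 if that loop, writing into a cap-byte buffer with one byte reserved
 * for the terminating NUL, would run past the end of the buffer. */
int would_overflow(const char *cp, const char *reqend, size_t cap)
{
    return unbounded_copy_len(cp, reqend) >= cap;
}

/*
 * Bounded replacement. Copies the field into buf (cap bytes), NUL-terminates
 * it and leaves *next just past the field's trailing comma. If the field
 * does not fit, the pointer check fires BEFORE the offending write and the
 * request is rejected rather than silently truncated.
 */
int bounded_copy(const char *cp, const char *reqend,
                 char *buf, size_t cap, const char **next)
{
    char *tp = buf;
    char *limit = buf + cap - 1;        /* last byte reserved for NUL */

    while (cp < reqend && *cp != ',') {
        if (tp >= limit) {
            buf[0] = '\0';
            return FIELD_TOOLONG;
        }
        *tp++ = *cp++;
    }
    *tp = '\0';
    if (cp < reqend)
        cp++;                           /* step over the comma */
    *next = cp;
    return FIELD_OK;
}

/* Parses a whole comma-separated request with the bounded copy. Returns the
 * number of fields accepted, or -1 if any field is oversized (the datagram
 * is then treated as malformed). */
int parse_request(const char *req, size_t len)
{
    const char *cp = req, *reqend = req + len;
    char buf[FIELD_BUF];
    int fields = 0;

    while (cp < reqend) {
        if (bounded_copy(cp, reqend, buf, sizeof buf, &cp) != FIELD_OK)
            return -1;
        fields++;
    }
    return fields;
}

/* Constructed sample request; not captured traffic. */
const char benign_req[] = "stratum=2,refid=GPS,leap=0";

/* Builds a single "stratum=AAAA..." field of exactly n bytes (n >= 8) with
 * no comma in it: the shape of a hostile datagram, where the loop would
 * keep copying until the datagram ends. Returns n. */
size_t build_oversized(char *out, size_t n)
{
    static const char prefix[] = "stratum=";
    size_t plen = sizeof prefix - 1;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', n - plen);
    return n;
}

/* Runs an n-byte crafted field through both views. Returns 1 if the
 * unbounded loop would overflow FIELD_BUF and the bounded parser rejects
 * the request, 0 if the field fits and is accepted. */
int oversized_is_caught(size_t n)
{
    char field[512];
    if (n < 8 || n > sizeof field)
        return 0;
    build_oversized(field, n);
    return would_overflow(field, field + n, FIELD_BUF)
        && parse_request(field, n) == -1;
}

int main(void)
{
    printf("benign request: %d fields accepted\n",
           parse_request(benign_req, sizeof benign_req - 1));
    printf("300-byte field vs %d-byte buffer: overflow caught=%d\n",
           FIELD_BUF, oversized_is_caught(300));
    printf("127-byte field fits: caught=%d\n", oversized_is_caught(127));
    return 0;
}
```

The boundary cases are the instructive ones: a 127-byte field fits (127 bytes plus the NUL), a 128-byte field is the first length the original loop would write past the buffer, and the bounded version rejects it at exactly that point. Rejecting rather than truncating matters because a truncated 'name=value' pair would otherwise be processed as if it were well-formed.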

Because 'ntpd' must set the system clock, it commonly runs with root privileges. An attacker who achieves arbitrary code execution therefore obtains whatever privileges the daemon holds, which in a typical installation means complete control over the victim host.

Note that UDP is connectionless: no handshake precedes the datagram, so a single packet with a forged source IP address is enough to trigger the bug. This makes such an attack hard to trace, and it means that any network-level control must filter the datagrams themselves (for example, blocking UDP port 123 from untrusted networks) rather than rely on the apparent source address.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Cisco BTS 10200
  • Cisco Billing and Management Server 0.0.0
  • Cisco IOS 10.3
  • Cisco IOS 11.0
  • Cisco IOS 11.1
  • Cisco IOS 11.1AA
  • Cisco IOS 11.1CA
  • Cisco IOS 11.1CC
  • Cisco IOS 11.1CT
  • Cisco IOS 11.1IA
  • Cisco IOS 11.2
  • Cisco IOS 11.2BC
  • Cisco IOS 11.2F
  • Cisco IOS 11.2GS
  • Cisco IOS 11.2P
  • Cisco IOS 11.2SA
  • Cisco IOS 11.2WA4
  • Cisco IOS 11.2XA
  • Cisco IOS 11.3
  • Cisco IOS 11.3AA
  • Cisco IOS 11.3DA
  • Cisco IOS 11.3DB
  • Cisco IOS 11.3HA
  • Cisco IOS 11.3MA
  • Cisco IOS 11.3NA
  • Cisco IOS 11.3T
  • Cisco IOS 11.3WA4
  • Cisco IOS 11.3XA
  • Cisco IOS 12.0
  • Cisco IOS 12.0(10)W5(18g)
  • Cisco IOS 12.0(13)W5(19c)
  • Cisco IOS 12.0(14)W5(20)
  • Cisco IOS 12.0(5)XK
  • Cisco IOS 12.0(7)XK
  • Cisco IOS 12.0DA
  • Cisco IOS 12.0DB
  • Cisco IOS 12.0DC
  • Cisco IOS 12.0S
  • Cisco IOS 12.0SC
  • Cisco IOS 12.0SL
  • Cisco IOS 12.0ST
  • Cisco IOS 12.0T
  • Cisco IOS 12.0WC
  • Cisco IOS 12.0WT
  • Cisco IOS 12.0XA
  • Cisco IOS 12.0XB
  • Cisco IOS 12.0XC
  • Cisco IOS 12.0XD
  • Cisco IOS 12.0XE
  • Cisco IOS 12.0XF
  • Cisco IOS 12.0XG
  • Cisco IOS 12.0XH
  • Cisco IOS 12.0XI
  • Cisco IOS 12.0XJ
  • Cisco IOS 12.0XL
  • Cisco IOS 12.0XM
  • Cisco IOS 12.0XN
  • Cisco IOS 12.0XP
  • Cisco IOS 12.0XQ
  • Cisco IOS 12.0XR
  • Cisco IOS 12.0XS
  • Cisco IOS 12.0XU
  • Cisco IOS 12.0XV
  • Cisco IOS 12.1
  • Cisco IOS 12.1AA
  • Cisco IOS 12.1CX
  • Cisco IOS 12.1DA
  • Cisco IOS 12.1DB
  • Cisco IOS 12.1DC
  • Cisco IOS 12.1E
  • Cisco IOS 12.1EC
  • Cisco IOS 12.1EX
  • Cisco IOS 12.1EY
  • Cisco IOS 12.1EZ
  • Cisco IOS 12.1T
  • Cisco IOS 12.1XA
  • Cisco IOS 12.1XB
  • Cisco IOS 12.1XC
  • Cisco IOS 12.1XD
  • Cisco IOS 12.1XE
  • Cisco IOS 12.1XF
  • Cisco IOS 12.1XG
  • Cisco IOS 12.1XH
  • Cisco IOS 12.1XI
  • Cisco IOS 12.1XJ
  • Cisco IOS 12.1XK
  • Cisco IOS 12.1XL
  • Cisco IOS 12.1XM
  • Cisco IOS 12.1XP
  • Cisco IOS 12.1XQ
  • Cisco IOS 12.1XR
  • Cisco IOS 12.1XS
  • Cisco IOS 12.1XT
  • Cisco IOS 12.1XU
  • Cisco IOS 12.1XV
  • Cisco IOS 12.1XW
  • Cisco IOS 12.1XX
  • Cisco IOS 12.1XY
  • Cisco IOS 12.1XZ
  • Cisco IOS 12.1YA
  • Cisco IOS 12.1YB
  • Cisco IOS 12.1YC
  • Cisco IOS 12.1YD
  • Cisco IOS 12.1YF
  • Cisco IOS 12.2
  • Cisco IOS 12.2B
  • Cisco IOS 12.2BW
  • Cisco IOS 12.2BX
  • Cisco IOS 12.2DA
  • Cisco IOS 12.2PB
  • Cisco IOS 12.2PI
  • Cisco IOS 12.2S
  • Cisco IOS 12.2T
  • Cisco IOS 12.2XA
  • Cisco IOS 12.2XB
  • Cisco IOS 12.2XD
  • Cisco IOS 12.2XE
  • Cisco IOS 12.2XH
  • Cisco IOS 12.2XQ
  • Cisco IOS 12.2YA
  • Cisco IOS 12.2YC
  • Cisco IP Manager 1.0.0
  • Cisco IP Manager 2.0.0
  • Cisco PGW2200 PSTN Gateway 0.0.0
  • Cisco SC2200
  • Cisco Virtual Switch Controller 3000 0.0.0
  • Cisco Voice Services Provisioning Tool 0.0.0
  • Compaq Tru64 4.0.0 g
  • Dave Mills ntpd 4.0.99
  • Dave Mills ntpd 4.0.99 a
  • Dave Mills ntpd 4.0.99 b
  • Dave Mills ntpd 4.0.99 c
  • Dave Mills ntpd 4.0.99 d
  • Dave Mills ntpd 4.0.99 e
  • Dave Mills ntpd 4.0.99 f
  • Dave Mills ntpd 4.0.99 g
  • Dave Mills ntpd 4.0.99 h
  • Dave Mills ntpd 4.0.99 i
  • Dave Mills ntpd 4.0.99 j
  • Dave Mills ntpd 4.0.99 k
  • Dave Mills xntp3 5.93.0
  • Dave Mills xntp3 5.93.0 a
  • Dave Mills xntp3 5.93.0 b
  • Dave Mills xntp3 5.93.0 c
  • Dave Mills xntp3 5.93.0 d
  • Dave Mills xntp3 5.93.0 e
  • Debian Linux 2.2.0
  • FreeBSD FreeBSD 4.2.0 -RELEASE
  • HP HP-UX (VVOS) 10.24.0
  • HP HP-UX (VVOS) 11.0.4
  • HP HP-UX 10.0.01
  • HP HP-UX 10.10.0
  • HP HP-UX 10.20.0
  • HP HP-UX 11.0.0
  • HP HP-UX 11.11.0
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • RedHat Linux 6.2.0
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86
