Signature Detail

OS: Linux x86 ntpdx Buffer Overflow

This signature detects attempts to exploit a known vulnerability in the Network Time Protocol Daemon (NTPd) running on LINUX. If the response to a query causes more than 70bytes of shell code to be executed, the destination buffer is damaged. Attackers can remotely send a large readvar argument as a query to cause a buffer overflow and gain root access.

Extended Description

NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'. On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers. Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host. If successful, the attacker may gain root access on the victim host or may denial NTP service on the affected host.

Affected Products

• Apple Mac OS X 10.0.0
• Apple Mac OS X 10.0.1
• Cisco Billing and Management Server
• Cisco BTS 10200
• Cisco IOS 10.3
• Cisco IOS 11.0
• Cisco IOS 11.1
• Cisco IOS 11.1AA
• Cisco IOS 11.1CA
• Cisco IOS 11.1CC
• Cisco IOS 11.1CT
• Cisco IOS 11.1IA
• Cisco IOS 11.2
• Cisco IOS 11.2BC
• Cisco IOS 11.2F
• Cisco IOS 11.2GS
• Cisco IOS 11.2P
• Cisco IOS 11.2SA
• Cisco IOS 11.2WA4
• Cisco IOS 11.2XA
• Cisco IOS 11.3
• Cisco IOS 11.3AA
• Cisco IOS 11.3DA
• Cisco IOS 11.3DB
• Cisco IOS 11.3HA
• Cisco IOS 11.3MA
• Cisco IOS 11.3NA
• Cisco IOS 11.3T
• Cisco IOS 11.3WA4
• Cisco IOS 11.3XA
• Cisco IOS 12.0
• Cisco IOS 12.0(10)W5(18G)
• Cisco IOS 12.0(13)W5(19C)
• Cisco IOS 12.0(14)W5(20)
• Cisco IOS 12.0(5)XK
• Cisco IOS 12.0(7)XK
• Cisco IOS 12.0DA
• Cisco IOS 12.0DB
• Cisco IOS 12.0DC
• Cisco IOS 12.0S
• Cisco IOS 12.0SC
• Cisco IOS 12.0SL
• Cisco IOS 12.0ST
• Cisco IOS 12.0T
• Cisco IOS 12.0WT
• Cisco IOS 12.0XA
• Cisco IOS 12.0XB
• Cisco IOS 12.0XC
• Cisco IOS 12.0XD
• Cisco IOS 12.0XE
• Cisco IOS 12.0XF
• Cisco IOS 12.0XG
• Cisco IOS 12.0XH
• Cisco IOS 12.0XI
• Cisco IOS 12.0XJ
• Cisco IOS 12.0XL
• Cisco IOS 12.0XM
• Cisco IOS 12.0XN
• Cisco IOS 12.0XP
• Cisco IOS 12.0XQ
• Cisco IOS 12.0XR
• Cisco IOS 12.0XS
• Cisco IOS 12.0XU
• Cisco IOS 12.0XV
• Cisco IOS 12.1
• Cisco IOS 12.1AA
• Cisco IOS 12.1CX
• Cisco IOS 12.1DA
• Cisco IOS 12.1DB
• Cisco IOS 12.1DC
• Cisco IOS 12.1E
• Cisco IOS 12.1EC
• Cisco IOS 12.1EX
• Cisco IOS 12.1EY
• Cisco IOS 12.1EZ
• Cisco IOS 12.1T
• Cisco IOS 12.1XA
• Cisco IOS 12.1XB
• Cisco IOS 12.1XC
• Cisco IOS 12.1XD
• Cisco IOS 12.1XE
• Cisco IOS 12.1XF
• Cisco IOS 12.1XG
• Cisco IOS 12.1XH
• Cisco IOS 12.1XI
• Cisco IOS 12.1XJ
• Cisco IOS 12.1XK
• Cisco IOS 12.1XL
• Cisco IOS 12.1XM
• Cisco IOS 12.1XP
• Cisco IOS 12.1XQ
• Cisco IOS 12.1XR
• Cisco IOS 12.1XS
• Cisco IOS 12.1XT
• Cisco IOS 12.1XU
• Cisco IOS 12.1XV
• Cisco IOS 12.1XW
• Cisco IOS 12.1XX
• Cisco IOS 12.1XY
• Cisco IOS 12.1XZ
• Cisco IOS 12.1YA
• Cisco IOS 12.1YB
• Cisco IOS 12.1YC
• Cisco IOS 12.1YD
• Cisco IOS 12.1YF
• Cisco IOS 12.2
• Cisco IOS 12.2B
• Cisco IOS 12.2BW
• Cisco IOS 12.2BX
• Cisco IOS 12.2DA
• Cisco IOS 12.2PB
• Cisco IOS 12.2PI
• Cisco IOS 12.2S
• Cisco IOS 12.2T
• Cisco IOS 12.2XA
• Cisco IOS 12.2XB
• Cisco IOS 12.2XD
• Cisco IOS 12.2XE
• Cisco IOS 12.2XH
• Cisco IOS 12.2XQ
• Cisco IOS 12.2YA
• Cisco IOS 12.2YC
• Cisco IP Manager 1.0.0
• Cisco IP Manager 2.0.0
• Cisco PGW2200 PSTN Gateway
• Cisco SC2200
• Cisco Virtual Switch Controller 3000
• Cisco Voice Services Provisioning Tool
• Dave Mills ntpd 4.0.99
• Dave Mills ntpd 4.0.99 a
• Dave Mills ntpd 4.0.99 b
• Dave Mills ntpd 4.0.99 c
• Dave Mills ntpd 4.0.99 d
• Dave Mills ntpd 4.0.99 e
• Dave Mills ntpd 4.0.99 f
• Dave Mills ntpd 4.0.99 g
• Dave Mills ntpd 4.0.99 h
• Dave Mills ntpd 4.0.99 i
• Dave Mills ntpd 4.0.99 j
• Dave Mills ntpd 4.0.99 k
• Dave Mills xntp3 5.93.0
• Dave Mills xntp3 5.93.0 a
• Dave Mills xntp3 5.93.0 b
• Dave Mills xntp3 5.93.0 c
• Dave Mills xntp3 5.93.0 d
• Dave Mills xntp3 5.93.0 e
• HP HP-UX 10.0.0 1
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• HP HP-UX (VVOS) 10.24.0
• HP HP-UX (VVOS) 11.0.4
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86

References

• BugTraq: 2540
• CVE: CVE-2001-0414
• URL: http://www.securiteam.com/unixfocus/5PP032K40A.html