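Vulnerability Details
Ntpd Remote Buffer Overflow Vulnerability
- CNNVD ID: CNNVD-200106-110
- Severity: Critical
- CVE ID: CVE-2001-0414
- Vulnerability type: Boundary condition error
- Published: 2001-04-04
- Threat type: Remote
- Updated: 2005-05-02
- Vendor: dave_mills
- Vulnerability source: Przemyslaw Frasune…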
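Vulnerability Summary
The Network Time Protocol daemon (NTPD) on many Unix/Linux operating systems and Cisco routers is vulnerable to a remote buffer overflow attack.
Because NTP runs over the stateless UDP protocol, malicious request packets of many kinds can be forged to trigger the overflow remotely. In the vast majority of cases NTPD is started as root, so a successful remote buffer overflow yields root privileges directly.
Although this is a conventional buffer overflow, exploiting it effectively is quite difficult. The target buffer gets corrupted for some reason, and by the time the attack completes, the buffer actually usable for shellcode is smaller than 70 bytes. The demonstration code below simply executes /tmp/sh, but a complete remote attack could certainly be constructed.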
Vulnerability Advisory
Vendor patches:
Cisco
-----
Cisco has released a security advisory (Cisco-NTP) and corresponding patches for this issue:
Cisco-NTP: Cisco Security Advisory: NTP Vulnerability
Link: http://www.cisco.com/warp/public/707/NTP-pub.shtml
Patch downloads:
Cisco IOS 10.3:
Cisco IOS 11.0:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.1 IA:
Cisco Upgrade IOS 12.2(3)
Cisco IOS 11.1 CT:
Cisco Upgrade IOS 12.0ST
Cisco IOS 11.1 CC:
Cisco Upgrade IOS 11.1(36)CC2
Cisco IOS 11.1 CA:
Cisco IOS 11.1 AA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.1:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 XA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 WA4:
Cisco Upgrade IOS 12.0W
Cisco IOS 11.2 SA:
Cisco Upgrade IOS 12.0W
Cisco IOS 11.2 P:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 GS:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 F:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 BC:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.2:
Cisco Upgrade IOS 11.2(26a)
Cisco IOS 11.3 XA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 WA4:
Cisco Upgrade IOS 12.0WA
Cisco IOS 11.3 T:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 NA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3 MA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3 HA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 DB:
Cisco Upgrade IOS 12.1DB
Cisco IOS 11.3 DA:
Cisco Upgrade IOS 12.1DA
Cisco IOS 11.3 AA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 12.0 XV:
Cisco Upgrade IOS 12.2(4)
Cisco IOS 12.0 XU:
Cisco Upgrade IOS 12.0WC
Cisco IOS 12.0 XS:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.0 XR:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.0 XQ:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XP:
Cisco Upgrade IOS 12.0WC
Cisco IOS 12.0 XN:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XM:
Cisco Upgrade IOS 12.0(5)YB4
Cisco IOS 12.0 XL:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XJ:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XI:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XH:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XG:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XF:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XE:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.0 XD:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XC:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XB:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 WT:
Cisco IOS 12.0 WC:
Cisco Upgrade IOS 12.0(5)WC2
Cisco IOS 12.0 T:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 ST:
Cisco Upgrade IOS 12.0(17)ST1
Cisco IOS 12.0 SL:
Cisco Upgrade IOS 12.0(17)SL2
Cisco Upgrade IOS 12.0ST
Cisco IOS 12.0 SC:
Cisco Upgrade IOS 12.0(16)SC
Cisco IOS 12.0 S:
Cisco Upgrade IOS 12.0(18)S
Cisco IOS 12.0 DC:
Cisco Upgrade IOS 12.1DC
Cisco IOS 12.0 DB:
Cisco Upgrade IOS 12.1(5)DB2
Cisco IOS 12.0 DA:
Cisco Upgrade IOS 12.1(7)DA2
Cisco IOS 12.0 (7)XK:
Cisco IOS 12.0 (5)XK:
Cisco IOS 12.0 (14)W5(20):
Cisco Upgrade IOS 12.0(18)W5(22)
Cisco IOS 12.0 (13)W5(19c):
Cisco Upgrade IOS 12.0(16)W5(21)
Cisco IOS 12.0 (10)W5(18g):
Cisco Upgrade IOS 12.0(18)W5(22a)
Cisco IOS 12.0:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 12.1 YF:
Cisco Upgrade IOS 12.1(5)YF2
Cisco IOS 12.1 YD:
Cisco Upgrade IOS 12.1(5)YD2
Cisco IOS 12.1 YC:
Cisco Upgrade IOS 12.1(5)YC1
Cisco IOS 12.1 YB:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 YA:
Cisco IOS 12.1 XZ:
Cisco IOS 12.1 XY:
Cisco IOS 12.1 XX:
Cisco IOS 12.1 XW:
Cisco Upgrade IOS 12.2DD
Cisco IOS 12.1 XV:
Cisco Upgrade IOS 12.1(5)XV3
Cisco IOS 12.1 XU:
Cisco Upgrade IOS 12.2(2)XA
Cisco IOS 12.1 XT:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XS:
Cisco Upgrade IOS 12.1(5)XS2
Cisco IOS 12.1 XR:
Cisco Upgrade IOS 12.1(5)YD2
Cisco IOS 12.1 XQ:
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XP:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XM:
Cisco Upgrade IOS 12.1(5)XM4
Cisco IOS 12.1 XL:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XK:
Cisco IOS 12.1 XJ:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XI:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XH:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XG:
Cisco IOS 12.1 XF:
Cisco Upgrade IOS 12.1(2)XF4
Cisco IOS 12.1 XE:
Cisco IOS 12.1 XD:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XC:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XB:
Cisco IOS 12.1 XA:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 T:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.1(5)T9
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 EZ:
Cisco Upgrade IOS 12.1(6)EZ2
Cisco IOS 12.1 EY:
Cisco Upgrade IOS 12.1(6)EY
Cisco IOS 12.1 EX:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.1 EC:
Cisco Upgrade IOS 12.1(7)EC
Cisco IOS 12.1 E:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.1 DC:
Cisco Upgrade IOS 12.2(2)B
Cisco IOS 12.1 DB:
Cisco Upgrade IOS 12.2(2)B
Cisco IOS 12.1 DA:
Cisco Upgrade IOS 12.1(7)DA2
Cisco IOS 12.1 CX:
Cisco Upgrade IOS 12.1(7)CX
Cisco IOS 12.1 AA:
Cisco Upgrade IOS 12.1(9)AA
Cisco IOS 12.1:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.2 XQ:
Cisco Upgrade IOS 12.2(1)XQ
Cisco IOS 12.2 XH:
Cisco Upgrade IOS 12.2(1)XH
Cisco IOS 12.2 XE:
Cisco Upgrade IOS 12.2(1)XE
Cisco IOS 12.2 XD:
Cisco Upgrade IOS 12.2(1)XD1
Cisco IOS 12.2 XA:
Cisco Upgrade IOS 12.2(2)XA1
Cisco Upgrade IOS 12.2(2)XA
Cisco IOS 12.2 T:
Cisco Upgrade IOS 12.2(4)T
Cisco IOS 12.2 S:
Cisco Upgrade IOS 12.2(1.4)S
Cisco IOS 12.2 PI:
References
Source: BID
Name: 2540
Link: http://www.securityfocus.com/bid/2540
Source: MANDRAKE
Name: MDKSA-2001:036
Link: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
Source: DEBIAN
Name: DSA-045
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98651866104663&w=2
Source: XF
Name: ntpd-remote-bo(6321)
Link: http://xforce.iss.net/static/6321.php
Source: REDHAT
Name: RHSA-2001:045
Link: http://www.redhat.com/support/errata/RHSA-2001-045.html
Source: OSVDB
Name: 805
Link: http://www.osvdb.org/805
Source: CALDERA
Name: CSSA-2001-013
Link: http://www.calderasystems.com/support/security/advisories/CSSA-2001-013.0.txt
Source: BUGTRAQ
Name: 20010409 ntpd - new Debian 2.2 (potato) version is also vulnerable
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98684532921941&w=2
Source: BUGTRAQ
Name: 20010409 PROGENY-SA-2001-02: ntpd remote buffer overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98684202610470&w=2
Source: BUGTRAQ
Name: 20010409 ntp-4.99k23.tar.gz is available
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98683952401753&w=2
Source: BUGTRAQ
Name: 20010408 [slackware-security] buffer overflow fix for NTP
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98679815917014&w=2
Source: BUGTRAQ
Name: 20010406 Immunix OS Security update for ntp and xntp3
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98659782815613&w=2
Source: BUGTRAQ
Name: 20010405 Re: ntpd =< 4.0.99k remote buffer overflow]
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98654963328381&w=2
Source: BUGTRAQ
Name: 20010404 ntpd =< 4.0.99k remote buffer overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98642418618512&w=2
Source: SUSE
Name: SuSE-SA:2001:10
Link: http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html
Source: CONECTIVA
Name: CLA-2001:392
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000392
Source: BUGTRAQ
Name: 20010418 IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow Vulnerability in (x)ntp
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0314.html
Source: BUGTRAQ
Name: 20010413 PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
Source: BUGTRAQ
Name: 20010409 [ESA-20010409-01] xntp buffer overflow
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html
Source: SCO
Name: SSE074
Link: ftp://ftp.sco.com/SSE/sse074.ltr
Source: SCO
Name: SSE073
Link: ftp://ftp.sco.com/SSE/sse073.ltr
Source: NETBSD
Name: NetBSD-SA2001-004
Link: ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
Source: FREEBSD
Name: FreeBSD-SA-01:31
Link: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:31.ntpd.asc
Source: US Government Resource: oval:org.mitre.oval:def:3831
Name: oval:org.mitre.oval:def:3831
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3831