The SCO Group (SCO Unix) Information for VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has read but not verified the following statement from SCO posted on BUGTRAQ:

Message-Id: <3AD4B69C.913A849D@sco.com>
Date: Wed, 11 Apr 2001 12:55:08 -0700
From: Albert Fu <alf@sco.COM>
Organization: SCO
X-Mailer: Mozilla 4.7 [en] (X11; I; SCO_SV 3.2 i386)
X-Accept-Language: en
To: BUGTRAQ@SECURITYFOCUS.COM
Sender: owner-bugtraq@SECURITYFOCUS.COM
Subject: SSE073: SCO OpenServer NTP buffer overflow fix


---------------------------------------------------
TOPIC:  NTP remote buffer overflow
PRODUCTS AFFECTED:  SCO OpenServer 5.0.0->5.0.6
PATCH: System Security Supplement (SSE) SSE073
PATCH LOCATION:
ftp://ftp.sco.com/SSE/sse073.tar.Z
                                 
ftp://ftp.sco.com/SSE/sse073.ltr
SUMMARY: potentially exploitable buffer overflow fixed by SSE073
DATE: April 11, 2001
---------------------------------------------------




System Security Enhancement (SSE) SSE073 - 11-Apr-2001

Problem:

        A buffer overflow was found by Przemyslaw Frasunek
<venglin@freebsd.lublin.pl> in the NTP daemon.  Full exploit details
can be found in the BUGTRAQ archive

http://www.securityfocus.com/archive/1/174011

On SCO OpenServer 5 Release 5.0.6 systems, the NTP daemon is /etc/ntpd.

This exploit doesn't actually "work" on OpenServer.  However, a small
effect can be observed.

To observe the effect, run ntpdc and give it the "ctlstats" command.
An exploit attempt registers as an increment of 2 to the
"requests received" and "responses sent" counters.

Running the fixed version of ntpd, an exploit attempt registers as +2
"requests received", +2 "responses sent", +1 "total bad pkts" and +1
"error msgs sent".

We find this difference sufficient to feel confident that the _specific_
problem has been corrected.

Patch:

        The patch is located at: ftp://ftp.sco.com/SSE/sse073.tar.Z
                               
ftp://ftp.sco.com/SSE/sse073.ltr

This patch is applicable to all releases of OpenServer 5.
However, the "install-sse073.sh" program to install the binary
can be used on Release 5.0.6 ONLY.

        This patch contains a replacement for the /etc/ntpd binary in
Release 5.0.6.  If you wish to use this binary on Releases 5.0.0
       up to 5.0.5, you can install the binary manually.  Note that
       on these older releases, /etc/xntpd (based on NTPv3) was shipped
       by default; hence, configuration files based on xntpd may have to
       be modified.


Installation:

1. We reccommend you drop into single user mode to install this SSE
           (though this is not enforced).

        2. Uncompress and extract the SSE into a temporary directory
          of the server (eg. /tmp/sse073).

           # uncompress sse073.tar.Z

           # tar xvf sse073.tar

        3. Execute the install script.  Follow the instructions
          at the prompt.

           # ./install-sse073.sh

           Note: "Warning" messages simply explain that because a
                specific file was not found on the current
                server, it was not replaced.  If a system has
                custom binaries or paths, this patch may not
                succeed.

        4. Clean up.

  A backup of the orginal binaries will be saved in:
              /opt/K/SCO/sse/sse073

           The following files will be left over after patch
          installation and can be removed:

           ./install-sse073.sh
          ./sse073.files.tar

           The following files will be left over after patch
          installation and can be moved to an archival
          directory in case the patches are needed again:

           ./sse073.tar
          ./sse073.doc

Checksums of the packages:

`sum -r ./sse073.tar`: 53459
`sum -r ./sse073.files.tar`: 61075

References:

The vulnerability addressed in this patch was found by:

Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

For more details, see the following BUGTRAQ archive:

http://www.securityfocus.com/archive/1/174011

Disclaimer:

SCO believes that this patch addresses the reported vulnerabilities.
However, in order that it be released as soon as possible, this patch
has not been fully tested or packaged to SCO's normal exacting
standards.  For that reason, this patch is not officially supported.
Official supported and packaged fixes for current SCO products will
be available in due course.

If you have feedback, comments, or additional information about this vulnerability, please send us email.