Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Generic)  >   Ntpd Vendors:   Mills, David L. et al
(Debian Patch Available) Re: The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server
SecurityTracker Alert ID:  1001244
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 5 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  

Description:   The Network Time Protocol Daemon (ntpd) shipped with many UNIX/Linux systems is reportedly vulnerable to a remote buffer overflow attack that allows remote users to execute arbitrary code on the server (potentially resulting in super-user access).

The buffer overflow occurs when the daemon is building a response to a remote user's query that contains an overly large readvar argument. Because ntpd typically runs with root-level privileges, this can allow remote attackers to gain root access to the timeserver.

When exploited, the destination buffer is reportedly damaged by the attack, so any arbitrary shell code must be limited to less than approximately 70 bytes.

Code for a demonstration exploit is contained in the source message.

Impact:   A remote user can cause arbitrary code supplied by the remote user to be executed on the target ntpd timeserver. Because ntpd typically runs with root-level privileges, this can result in remote root access being granted to the attacker. Because NTP is based on UDP, spoofing is possible, making protection against attacks more difficult.
Solution:   A patch is available for Debian Linux. See the vendor for more information.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 5 2001 The Network Time Protocol Daemon (ntpd) Allows Remote Users to Execute Arbitrary Code on the Server - Typically to Gain Root Privileges on the Server

 Source Message Contents

Date:  Thu, 5 Apr 2001 16:48:10 +0200
Subject:  [SECURITY] [DSA 045-1] ntp remote root exploit fixed

Hash: SHA1

- ----------------------------------------------------------------------------
Debian Security Advisory DSA-045-1                                             Michael Stone
April 5, 2001
- ----------------------------------------------------------------------------

Package: ntp
Vulnerability: remote root exploit
Debian-specific: no

Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL> reported that ntp
daemons such as that released with Debian GNU/Linux are vulnerable to a
buffer overflow that can lead to a remote root exploit. This has been
corrected for Debian 2.2 (potato) in ntp version 4.0.99g-2potato1.

We recommend you upgrade your ntp package immediately.

wget url
	will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.2 alias potato
- ------------------------------------

  Potato was released for the alpha, arm, i386, m68k, powerpc and sparc

  Source archives:
      MD5 checksum: f278c5e4a9026241939509a88cab3ea3
      MD5 checksum: 3a9204ca9f9875e4b1a479a48152bf6e
      MD5 checksum: 6f3132fb4f6a3ee411554d09270f562a

  Architecture-independent files:
      MD5 checksum: 01c31ea28c198cc81535aa448e89c7d1
      MD5 checksum: 69290af3b3f49c3e7b9c3f0838cbd553

  Alpha architecture:
      MD5 checksum: 1a5ad39a4bb5a5ccd597fe845bc54b77
      MD5 checksum: 3d203ddef513c34d252e690dcd25bfeb

  ARM architecture:
      MD5 checksum: 6d1b3fb29c146cbcc99067ee078fac50
      MD5 checksum: ffdc0d76e2fffff4db7405d4537a7c8d

  Intel ia32 architecture:
      MD5 checksum: 827e2818b110c776aee4b5bd10c09b86
      MD5 checksum: bde1143db853fe4a8a9f59ff1eff9af4

  Motorola 680x0 architecture:
      MD5 checksum: 001533f2c4742752d45d6dd081b24f73
      MD5 checksum: 46339f3ff8988c5e1d0dd6f9bf7e4998

  PowerPC architecture:
      MD5 checksum: d61af62cc898ce021923bb77c465dde6
      MD5 checksum: 2e0e0692631e5a863c7ff0b8ccb4cdd0

  Sun Sparc architecture:
      MD5 checksum: aa724f09d203b64560949c4f26f92c22
      MD5 checksum: 9736c23f90abb86a6d7ad39f18e7bcc7

  These files will be moved into*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory$arch/ .

- ----------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see


To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, LLC