安全研究

安全漏洞
NTP ntpd守护程序Autokey栈溢出漏洞

发布日期:2009-05-18
更新日期:2009-05-19

受影响系统:
University of Delaware NTP 4.2.x
不受影响系统:
University of Delaware NTP 4.2.5 p74
University of Delaware NTP 4.2.4 p7
描述:
BUGTRAQ  ID: 35017
CVE(CAN) ID: CVE-2009-1252

NTP(Network Time Protocol)是用于通过网络同步计算机时钟的协议。

如果编译了OpenSSL支持的话,NTP守护程序ntpd中可能出现栈溢出漏洞,起因是ntpd/ntp_crypto.c文件中的crypto_recv()函数使用了sprintf()。如果将ntpd配置为使用autokey的话,就可以到达有漏洞的代码。远程攻击者就可以通过发送特制的请求报文来触发这个溢出,导致ntpd崩溃或以ntp用户权限执行任意指令。

<*来源:Harland Stenn
  
  链接:http://www.kb.cert.org/vuls/id/853097
        http://secunia.com/advisories/35130/
        https://www.redhat.com/support/errata/RHSA-2009-1040.html
        https://www.redhat.com/support/errata/RHSA-2009-1039.html
        http://www.debian.org/security/2009/dsa-1801
        http://security.gentoo.org/glsa/glsa-200905-08.xml
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-09:11.ntpd.asc
*>

建议:
临时解决方法:

* 从ntp.conf文件中删除crypto pw password行。

厂商补丁:

Debian
------
Debian已经为此发布了一个安全公告(DSA-1801-1)以及相应补丁:
DSA-1801-1:New ntp packages fix several vulnerabilities
链接:http://www.debian.org/security/2009/dsa-1801

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3.dsc
Size/MD5 checksum:      906 8a1376e7b9883a31aeef2b242cddafb3
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg.orig.tar.gz
Size/MD5 checksum:  2199764 ad746cda2d90dbb9ed06fe164273c5d0
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3.diff.gz
Size/MD5 checksum:   182790 1bef0f3e23bc046d7c70b60f257abce8

Architecture independent packages:

http://security.debian.org/pool/updates/main/n/ntp/ntp-refclock_4.2.2.p4+dfsg-2etch3_all.deb
Size/MD5 checksum:    28068 980216d8940c6f35ef734e8b4696bedb
http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.2.p4+dfsg-2etch3_all.deb
Size/MD5 checksum:   909142 a4f0b0390ef1d8ea3b42e9f79aa6419c
http://security.debian.org/pool/updates/main/n/ntp/ntp-simple_4.2.2.p4+dfsg-2etch3_all.deb
Size/MD5 checksum:    28070 1a62301f74fc9ef23e73b86b168995d1

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_alpha.deb
Size/MD5 checksum:    64896 334da9b0c10e3d061d40313cff2f4aba
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_alpha.deb
Size/MD5 checksum:   407926 2ea4e315e61be332e2799152d117828f

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_amd64.deb
Size/MD5 checksum:   359278 206749f2d5cddbb47f43cadf031200f6
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_amd64.deb
Size/MD5 checksum:    61468 d7c76761a5b81efc6ad09d7339c65f65

arm architecture (ARM)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_arm.deb
Size/MD5 checksum:    59472 b7e6f73ba7ecc1b950f5ce4b8713bbc8
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_arm.deb
Size/MD5 checksum:   343500 918b4ed05ccc9beef8b17ed820076736

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_hppa.deb
Size/MD5 checksum:    62008 718ac291a6d5bd5cee16da1ba332277a
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_hppa.deb
Size/MD5 checksum:   372266 a8801148122304f201143b3c83212ef1

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_i386.deb
Size/MD5 checksum:    58244 1e2645f55d880f0b32b189c788a6fa6e
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_i386.deb
Size/MD5 checksum:   330784 2cffe9ce5766d3b3a7dd716451f9940d

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_ia64.deb
Size/MD5 checksum:    74564 11dc5d9603aa107736e25e73a999fed9
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_ia64.deb
Size/MD5 checksum:   523190 4b92e21247b790d31d87cae43288860e

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_mips.deb
Size/MD5 checksum:   382548 7ebe4c29857af28a1d0d47341c03ed9f
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_mips.deb
Size/MD5 checksum:    63444 1479ed9849e0da2119fedd3c07ef0c6e

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_mipsel.deb
Size/MD5 checksum:   390040 7338922ec7c8a810374913a5440b84c8
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_mipsel.deb
Size/MD5 checksum:    63986 63cf40dbea34d855dfa0b4dcab148753

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_powerpc.deb
Size/MD5 checksum:   358710 14eebc6b0f1b5566398761c0e9387e06
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_powerpc.deb
Size/MD5 checksum:    61548 6f7d62dbce9a7e476c5740556e05adbe

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_s390.deb
Size/MD5 checksum:    61102 1cbb204bb34886adaf67f65add882fb6
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_s390.deb
Size/MD5 checksum:   350088 2a27fe8eaedfac99221d0e0958750b69

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_sparc.deb
Size/MD5 checksum:    58438 3c247f0d8b30fd8eb287fbf5429bb25a
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_sparc.deb
Size/MD5 checksum:   332082 4506ffc7cdbc545decc4ebd726cc0fb3

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg.orig.tar.gz
Size/MD5 checksum:  2835029 dc2b3ac9cc04b0f29df35467514c9884
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2.diff.gz
Size/MD5 checksum:   300806 7b70febe5a8b2731da1f6bc60e7095e6
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2.dsc
Size/MD5 checksum:     1459 b72ceb69656ba2fe3374e7a793c8c2c0

Architecture independent packages:

http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.4p4+dfsg-8lenny2_all.deb
Size/MD5 checksum:   929700 36d1605577c6243875f4e35d9c40c9e8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_alpha.deb
Size/MD5 checksum:    66636 f732a56b27be857f1a4ae7bde9bac056
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_alpha.deb
Size/MD5 checksum:   537528 32e7a25e224daeb2a4c3e3b8bdd88006

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_amd64.deb
Size/MD5 checksum:    63726 39a38d2d30352145617b63b0f1808832
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_amd64.deb
Size/MD5 checksum:   480718 88defc4b9564804bac6c0d1b91b4207b

arm architecture (ARM)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_arm.deb
Size/MD5 checksum:   448040 2512a1f1d5f1af9484d3c02cef012aed
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_arm.deb
Size/MD5 checksum:    61078 89dbb40bd4aa2644572e90de539733c7

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_armel.deb
Size/MD5 checksum:    62376 6c47db082b725923eaa4b54b0ea3e090
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_armel.deb
Size/MD5 checksum:   458818 9339249185118e58f3575e43d0da862f

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_hppa.deb
Size/MD5 checksum:   485606 005701aa3a2f141f996d1cc6c69154a8
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_hppa.deb
Size/MD5 checksum:    63698 a28856e22f368954f6a61de73815b204

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_i386.deb
Size/MD5 checksum:   432098 b237d149bc205c7d644cf0b891cbae4e
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_i386.deb
Size/MD5 checksum:    60078 2a661bfaf8dd05ec49c39b27fe44a5d2

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_ia64.deb
Size/MD5 checksum:    76208 aba226d105228a2be266a2eb9aa97aeb
http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_ia64.deb
Size/MD5 checksum:   707612 1d676bd6a79da49a32f28b756c074c8d

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_mips.deb
Size/MD5 checksum:   488812 8c95d2d99443cffd777a9ec175fda92d
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_mips.deb
Size/MD5 checksum:    64026 3401aa68f558315d3fa4a397444ae375

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_mipsel.deb
Size/MD5 checksum:   500628 c78913c3cb8b36474f7bb884facf2caa
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_mipsel.deb
Size/MD5 checksum:    64614 96a808c0dcd3f0189ac5b12bc35b1616

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_powerpc.deb
Size/MD5 checksum:   490410 ed37bad3d4586ca982f1884ebecca859
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_powerpc.deb
Size/MD5 checksum:    65298 bb30faf8ab938a762e3e6eef61dd5be1

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_s390.deb
Size/MD5 checksum:   473862 d4cdb4b995504b0037b41bffee80f6da
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_s390.deb
Size/MD5 checksum:    63476 b6f43878943e279469da4e4b5f9841a9

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_sparc.deb
Size/MD5 checksum:   440966 94363f0f4b0a3681601553e70f3549e5
http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_sparc.deb
Size/MD5 checksum:    60640 dcfd2724e17a9ed85620d0153eb55eac

补丁安装方法:

1. 手工安装补丁包:

  首先,使用下面的命令来下载补丁软件:
  # wget url  (url是补丁下载链接地址)

  然后,使用下面的命令来安装补丁:  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包:

   首先,使用下面的命令更新内部数据库:
   # apt-get update
  
   然后,使用下面的命令安装更新软件包:
   # apt-get upgrade

FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-09:11)以及相应补丁:
FreeBSD-SA-09:11:ntpd stack-based buffer-overflow vulnerability
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-09:11.ntpd.asc

补丁下载:
1) 将有漏洞的系统升级到6-STABLE或7-STABLE,或修改日期之后的RELENG_7_2、RELENG_7_1、RELENG_6_4或RELENG_6_3安全版本。

2) 为当前系统打补丁:

以下补丁确认可应用于FreeBSD 6.3、6.4、7.1和7.2系统。

a) 从以下位置下载相关补丁,并使用PGP工具验证附带的PGP签名。

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch.asc

[FreeBSD 6.4 and 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch.asc

b) 以root执行以下命令:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2009:1039-01)以及相应补丁:
RHSA-2009:1039-01:Important: ntp security update
链接:https://www.redhat.com/support/errata/RHSA-2009-1039.html

Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200905-08)以及相应补丁:
GLSA-200905-08:NTP: Remote execution of arbitrary code
链接:http://security.gentoo.org/glsa/glsa-200905-08.xml

所有NTP用户都应升级到最新版本:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=3Dnet-misc/ntp-4.2.4_p7"

University of Delaware
----------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.ntp.org/downloads.html

浏览次数:4808
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客