NTP ntpd/ntp_crypto.c crypto_recv() Function Remote Overflow

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote host is running a time server with a remote buffer overflow
vulnerability.

Description :

According to its self-reported version number, the version of ntpd
running on the remote host has a stack-based buffer overflow
vulnerability. The vulnerability is in the 'crypto_recv()' function of
'ntpd/ntp_crypto.c'. This could allow a remote attacker to crash the
service or execute arbitrary code.

Note : this issue is only exploitable if ntpd was compiled with
OpenSSL support and has autokey authentication enabled. The presence
of the following line in ntp.conf indicates a vulnerable system :

crypto pw *password*

Nessus did not check if the system is configured in this manner.
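
Because the plugin relies on the self-reported version alone, a local audit can combine that version with the ntp.conf condition described above. The following is an added example, not part of the Nessus plugin or the NTP project: the function names and the sample configuration are constructed for illustration. It assumes that any uncommented 'crypto' directive enables autokey and that releases ordered before the fixed ones need the upgrade; it does not check whether ntpd was built with OpenSSL.

```python
import re

# Fixed releases named in the advisory: 4.2.4p7 (stable) and 4.2.5p74 (development).
FIXED_STABLE = (4, 2, 4, 7)
FIXED_DEV_PATCH = 74

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample ntp.conf
server 192.0.2.10
#crypto pw disabled-example
crypto pw examplepassword   # autokey enabled
"""

def parse_version(text):
    """Return (major, minor, point, patch) from a string such as '4.2.4p6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no ntpd version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def needs_upgrade(version_text):
    """True if the version sorts before the fixed release of its branch."""
    v = parse_version(version_text)
    if v[:3] == (4, 2, 5):              # development branch, fixed at p74
        return v[3] < FIXED_DEV_PATCH
    return v < FIXED_STABLE             # everything else compares to 4.2.4p7

def autokey_lines(conf_text):
    """Return (line_number, directive) for each uncommented 'crypto' line."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if tokens and tokens[0] == "crypto":
            hits.append((n, " ".join(tokens)))
    return hits

def assess(version_text, conf_text):
    """'exposed' = old version with autokey, 'upgrade' = old version only."""
    old = needs_upgrade(version_text)
    hits = autokey_lines(conf_text)
    if old and hits:
        return "exposed"
    return "upgrade" if old else "fixed"

if __name__ == "__main__":
    print(assess("4.2.4p6", SAMPLE_CONF), autokey_lines(SAMPLE_CONF))
```
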

See also :

https://bugs.ntp.org/show_bug.cgi?id=1151

Solution :

Upgrade to ntpd version 4.2.4p7 / 4.2.5p74 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 38831

Bugtraq ID: 35017

CVE ID: CVE-2009-1252