NTP ntpd/ntp_crypto.c crypto_recv() Function Remote Overflow

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.


Synopsis :

The remote host is running a time server that is affected by a remote
buffer overflow vulnerability.

Description :

According to its self-reported version number, the version of ntpd
running on the remote host is affected by a stack-based buffer
overflow vulnerability due to the use of sprintf() in the
crypto_recv() function in ntpd/ntp_crypto.c. A remote, unauthenticated
attacker can exploit this to cause a denial of service condition or to
execute arbitrary code.

Note that this issue is only exploitable if ntpd was compiled with
OpenSSL support, and autokey authentication is enabled. The presence
of the following line in ntp.conf indicates a vulnerable system :

crypto pw *password*

Nessus did not check if the system is configured in this manner.
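
A local check for the two conditions above that the plugin leaves unverified, the ntpd version and the crypto line in ntp.conf; this is an added example, not part of the Nessus plugin or of ntpd. The function names, sample banner and sample ntp.conf are constructed for illustration. It assumes any active crypto directive enables autokey and that releases older than the 4.2.4 branch are unfixed; it does not check for OpenSSL support.

```python
import re

# Fixed releases named in the advisory: 4.2.4p7 and 4.2.5p74.
FIXED_STABLE = (4, 2, 4, 7)
FIXED_DEV = (4, 2, 5, 74)

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "ntpd 4.2.4p4@1.1520-o"
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
# crypto pw commented-out
crypto pw EXAMPLE-PLACEHOLDER
"""

def parse_version(text):
    """Return (major, minor, micro, patch) from a banner, or None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def below_fixed_release(text):
    """True if the version predates the fixed release for its branch."""
    v = parse_version(text)
    if v is None:
        return None
    if v[:3] == (4, 2, 5):          # 4.2.5 branch was fixed at p74
        return v < FIXED_DEV
    return v < FIXED_STABLE         # assumption: anything older is unfixed

def autokey_configured(conf_text):
    """True if ntp.conf content has an uncommented 'crypto' directive."""
    for line in conf_text.splitlines():
        active = line.split("#", 1)[0].split()
        if active[:1] == ["crypto"]:
            return True
    return False

def assess(banner, conf_text):
    """Combine both conditions into a short triage verdict."""
    below = below_fixed_release(banner)
    if below is None:
        return "version not recognised"
    if not below:
        return "fixed release"
    if autokey_configured(conf_text):
        return "unfixed release with autokey configured: upgrade"
    return "unfixed release, no crypto directive found"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```
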

See also :

https://bugs.ntp.org/show_bug.cgi?id=1151

Solution :

Upgrade to ntpd version 4.2.4p7 / 4.2.5p74 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 38831

Bugtraq ID: 35017

CVE ID: CVE-2009-1252