CVE-2001-0414
published 2001-06-18


Priority: P3 (57) · Severity: critical · CVSS 2.0 score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 91.68% (99.8th percentile)
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

Affected (18 ranges)

Vendor      Product  Version range  Fixed in
dave_mills  ntpd     <= 4.0.99k
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  ntpd
dave_mills  xntp3
dave_mills  xntp3
dave_mills  xntp3
dave_mills  xntp3
dave_mills  xntp3
dave_mills  xntp3

Detection & IOCs (extracted from sources)

Port: 123/udp
Bytes: \x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum=
Bytes: \x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00
Bytes (hex): 16 02 00 01 00 00 00 00 00 00 01 36 73 74 72 61 74 75 6d 3d
Bytes (hex): 16 02 00 02 00 00 00 00 00 00 00 00
  • Exploit sends two UDP packets to port 123: first an oversized NTP control packet (512 bytes) with the 'readvar'/'stratum=' prefix to trigger the overflow, then a short null query to trigger execution. Detect anomalously large NTP control messages (mode 6, opcode 2) on UDP/123.
  • Look for NTP control packets (first byte 0x16, second byte 0x02) of exactly 512 bytes on UDP/123 — the exploit always pads the buffer to PKTSIZ=512.
  • The exploit payload contains NOP sled (0x90) bytes filling a 512-byte UDP datagram. Signature: UDP/123 datagram of 512 bytes starting with \x16\x02 and containing large runs of 0x90.
  • The Metasploit module bad-char list for payload encoding is \x00\x01\x02\x16,= — any NTP control packet on UDP/123 containing shellcode should avoid these bytes; use this to tune decoder-aware signatures.
  • Return addresses are platform-specific; the exploit targets differ between RedHat Linux 7.0 (ntpd 4.0.99j/k) and FreeBSD 4.2-STABLE, so detection based on return address values alone will miss cross-platform variants.
  • The shellcode executes /tmp/sh (a pre-planted setuid binary) rather than a direct reverse shell in the C PoC; post-exploitation detection should include monitoring for unexpected setuid binaries in /tmp and execution of /tmp/sh.
  • Cisco IOS and Media Gateway Controller (MGC/BTS 10200/Cisco IP Manager) are also identified as affected; NTP traffic filtering/detection must cover network infrastructure devices, not only Unix hosts.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat           10.0   CRITICAL