CVE-2001-0414
Published 2001-06-18
CVE-2001-0414: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute…
Priority: P3 (57)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 91.68% (99.8th percentile)
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dave_mills | ntpd | <= 4.0.99k | — |
| dave_mills | ntpd (11 further entries without version data) | — | — |
| dave_mills | xntp3 (6 entries without version data) | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum=` (escaped form: prefix of the first, oversized packet)
- `\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00` (escaped form: the second, short packet)
- `16 02 00 01 00 00 00 00 00 00 01 36 73 74 72 61 74 75 6d 3d` (hex form of the first prefix)
- `16 02 00 02 00 00 00 00 00 00 00 00` (hex form of the second packet)
- Exploit sends two UDP packets to port 123: first an oversized NTP control packet (512 bytes) with the 'readvar'/'stratum=' prefix to trigger the overflow, then a short null query to trigger execution. Detect anomalously large NTP control messages (mode 6, opcode 2) on UDP/123.
- Look for NTP control packets (first byte 0x16, second byte 0x02) of exactly 512 bytes on UDP/123 — the exploit always pads the buffer to PKTSIZ=512.
- The exploit payload contains NOP sled (0x90) bytes filling a 512-byte UDP datagram. Signature: UDP/123 datagram of 512 bytes starting with \x16\x02 and containing large runs of 0x90.
- The Metasploit module bad-char list for payload encoding is \x00\x01\x02\x16,= — any NTP control packet on UDP/123 containing shellcode should avoid these bytes; use this to tune decoder-aware signatures.
- Return addresses are platform-specific; the exploit targets differ between RedHat Linux 7.0 (ntpd 4.0.99j/k) and FreeBSD 4.2-STABLE, so detection based on return address values alone will miss cross-platform variants.
- The shellcode executes /tmp/sh (a pre-planted setuid binary) rather than a direct reverse shell in the C PoC; post-exploitation detection should include monitoring for unexpected setuid binaries in /tmp and execution of /tmp/sh.
- Cisco IOS and Media Gateway Controller (MGC/BTS 10200/Cisco IP Manager) are also identified as affected; NTP traffic filtering/detection must cover network infrastructure devices, not only Unix hosts.
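The indicators above reduce to two checks on UDP/123 traffic: a 512-byte NTP control (mode 6) READVAR request, optionally carrying a long run of 0x90, and a short control query from the same source shortly afterwards. The Python below is an added example, not code from the page's sources or from any of the listed projects: it decodes the two-byte NTP control header, classifies a single datagram against those indicators, and runs a per-source state machine over an ordered packet list to catch the two-packet sequence. The 0x90 run threshold (32), the 12-byte bare-header size used to recognise the follow-up query, the sample IP addresses and the sample datagrams (padded with 0x90 and 'A' only, no shellcode) are all constructed assumptions.

```python
"""Classify UDP/123 datagrams against the CVE-2001-0414 readvar indicators (added example)."""
from __future__ import annotations

from dataclasses import dataclass

NTP_PORT = 123
PKTSIZ = 512            # the PoC pads every datagram to this size (from the IOC notes)
CTL_MODE = 6            # NTP mode 6 = control message
CTL_OP_READVAR = 2      # control opcode 2 = read variables
NOP = 0x90
NOP_RUN_THRESHOLD = 32  # assumption: longest 0x90 run tolerated in a control packet
BARE_HEADER_LEN = 12    # assumption: a control header with no data, as in the follow-up query


@dataclass
class NtpControlHeader:
    leap: int
    version: int
    mode: int
    response: bool
    error: bool
    more: bool
    opcode: int


def parse_control_header(datagram: bytes) -> NtpControlHeader | None:
    """Decode the first two bytes: LI/VN/mode, then R/E/M flags and a 5-bit opcode."""
    if len(datagram) < 2:
        return None
    b0, b1 = datagram[0], datagram[1]
    return NtpControlHeader(
        leap=b0 >> 6, version=(b0 >> 3) & 0x7, mode=b0 & 0x7,
        response=bool(b1 & 0x80), error=bool(b1 & 0x40), more=bool(b1 & 0x20),
        opcode=b1 & 0x1F,
    )


def longest_byte_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def classify_datagram(dst_port: int, datagram: bytes) -> list[str]:
    """Return the indicator names one datagram matches (empty list = nothing matched)."""
    hits: list[str] = []
    hdr = parse_control_header(datagram)
    if dst_port != NTP_PORT or hdr is None or hdr.mode != CTL_MODE:
        return hits
    # Indicator 1: a READVAR request (0x16 0x02 ...) of exactly PKTSIZ bytes.
    if hdr.opcode == CTL_OP_READVAR and not hdr.response and len(datagram) == PKTSIZ:
        hits.append("oversized_readvar_control_packet")
    # Indicator 2: a long 0x90 run inside a control packet of PoC size.
    if len(datagram) >= PKTSIZ and longest_byte_run(datagram, NOP) >= NOP_RUN_THRESHOLD:
        hits.append("nop_sled_in_ntp_control")
    return hits


def suspicious_sources(flow: list[tuple[str, int, bytes]]) -> list[str]:
    """Sources that sent the oversized READVAR and then a bare control query.

    `flow` is an ordered list of (src_ip, dst_port, datagram) tuples.
    """
    armed: set[str] = set()
    flagged: list[str] = []
    for src, port, dgram in flow:
        if "oversized_readvar_control_packet" in classify_datagram(port, dgram):
            armed.add(src)
            continue
        hdr = parse_control_header(dgram)
        if (src in armed and port == NTP_PORT and hdr is not None
                and hdr.mode == CTL_MODE and len(dgram) <= BARE_HEADER_LEN):
            flagged.append(src)
            armed.discard(src)
    return flagged


# Constructed sample traffic (assumption): no shellcode, padding is 0x90 and 'A' only.
BENIGN_READVAR = b"\x16\x02\x00\x03" + b"\x00" * 8   # ordinary 12-byte readvar query
FOLLOWUP_QUERY = b"\x16\x02\x00\x02" + b"\x00" * 8   # the page's second IOC packet
SUSPECT_READVAR = (
    b"\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x01\x36"  # header from the first IOC; count = 0x0136
    + b"stratum="                                          # the 'stratum=' prefix
    + b"\x90" * 200
).ljust(PKTSIZ, b"A")
SAMPLE_FLOW = [
    ("203.0.113.5", NTP_PORT, BENIGN_READVAR),
    ("198.51.100.7", NTP_PORT, SUSPECT_READVAR),
    ("198.51.100.7", NTP_PORT, FOLLOWUP_QUERY),
    ("203.0.113.5", NTP_PORT, FOLLOWUP_QUERY),
]

if __name__ == "__main__":
    for src, port, dgram in SAMPLE_FLOW:
        print(src, len(dgram), classify_datagram(port, dgram))
    print("two-packet sequence from:", suspicious_sources(SAMPLE_FLOW))
```

The header decode is what makes the rule robust: matching on the literal bytes `\x16\x02` misses a variant that sets a different version field in the first byte, whereas checking mode 6 and opcode 2 does not. The run-length check is kept separate because a 512-byte READVAR with no NOP run is still worth an alert on its own.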
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Cisco: NTP Vulnerability (vendor_cisco, 2002-05-08; CVE-2001-0414, CWE-119)
Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been discovered in the NTP daemon query processing functionality. This vulnerability has been publicly announced.
The following products are identified as affected by this vulnerability:
- All releases of Cisco IOS software
- Media Gateway Controller (MGC) and related products
- BTS 10200
- Cisco IP Manager
Other Cisco software applications may run on Solaris platforms, and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
Cisco is continuing to research this issue in other products that may be affected. Unless explicitly stated otherwise, all other produc
Red Hat: ntpd security hole (vendor_redhat, 2001-04-04, CVSS 10.0, CRITICAL; CVE-2001-0414)
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
GHSA: GHSA-xj76-gxv6-j253: Buffer overflow in ntpd ntp daemon 4 (ghsa_unreviewed, 2022-05-03, severity HIGH; CVE-2001-0414)
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
No detection rules found.
Exploit-DB: NTP daemon readvar - Remote Buffer Overflow (Metasploit) (exploitdb, 2010-08-25; CVE-2001-0414)
---
```ruby
##
# $Id: ntp_overflow.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Extraction dropped the text between "Metasploit3" and the 'Name' entry;
  # the superclass and the update_info() opening are the standard
  # Metasploit 3 module layout, reconstructed here.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NTP daemon readvar Buffer Overflow',
      'Description' => %q{
          This module exploits a stack based buffer overflow in the
          ntpd and xntpd service. By sending an overly long 'readvar'
          request it is possible to execute code remotely. As the stack
          is corrupted, this module uses the Egghunter technique.
      },
      'Author'      => 'patrick',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 10150
```
Exploit-DB: NTPd 4.0.99j-k readvar - Remote Buffer Overflow (Metasploit) (exploitdb, 2001-04-04; CVE-2001-0414)
---
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Extraction dropped the text between "Metasploit3" and the 'Name' entry;
  # the superclass and the update_info() opening are the standard
  # Metasploit 3 module layout, reconstructed here.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NTP daemon readvar Buffer Overflow',
      'Description' => %q{
          This module exploits a stack based buffer overflow in the
          ntpd and xntpd service. By sending an overly long 'readvar'
          request it is possible to execute code remotely. As the stack
          is corrupted, this module uses the Egghunter technique.
      },
      'Author'      => 'patrick',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision$',
      'References'  =>
        [
          [ 'CVE', '2001-0414' ],
          [ 'OSVD
```
Exploit-DB: NTPd - Remote Buffer Overflow (exploitdb, 2001-04-04; CVE-2001-0414)
---
Source: https://www.securityfocus.com/bid/2540/info
NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'.
On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers.
Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host.
If successful, the attacker may gain root access on the victim host or may denial NTP servi
Metasploit: NTP Daemon readvar Buffer Overflow
This module exploits a stack based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique.
References
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:31.ntpd.asc
- ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
- ftp://ftp.sco.com/SSE/sse073.ltr
- ftp://ftp.sco.com/SSE/sse074.ltr
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0314.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000392
- http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html
- http://marc.info/?l=bugtraq&m=98642418618512&w=2
- http://marc.info/?l=bugtraq&m=98654963328381&w=2
- http://marc.info/?l=bugtraq&m=98659782815613&w=2
- http://marc.info/?l=bugtraq&m=98679815917014&w=2
- http://marc.info/?l=bugtraq&m=98683952401753&w=2
- http://marc.info/?l=bugtraq&m=98684202610470&w=2
- http://marc.info/?l=bugtraq&m=98684532921941&w=2
- http://www.calderasystems.com/support/security/advisories/CSSA-2001-013.0.txt
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
- http://www.osvdb.org/805
- http://www.redhat.com/support/errata/RHSA-2001-045.html
- http://www.securityfocus.com/bid/2540
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6321
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3831
- https://www.debian.org/security/2001/dsa-045
Published: 2001-06-18