[ntp:hackers] re: [Fwd: [Full-disclosure] ntpd stack evasion 0day exploit]

Danny Mayer mayer at ntp.isc.org
Wed Jan 11 03:32:57 UTC 2006

Paul Vixie wrote:
> i'm not on FD but i've got friends who are.  
> is this a real problem, in current ntpd?  if so, can someone notify CERT
> and get a fix prepared as well as a CERT advisory describing the hole+fix?
> is this a fake problem, in which case, can someone answer it on FD?
> is this an old problem, in which case, can someone put an explanation on
> the WIKI (or whatever) and tell CERT the URL?
> to the extent that ISC is seen helping NTP, you're bound by our reputation,
> which is that we jump all over security issues and cooperate fully with CERT
> and similar bodies and fully disclose everything possible as soon as possible.
> re:


The reference you forwarded references a file called dump_srv.c. That
certainly doesn't exist in the current code-base, though as you know old
code stays around for years, just look at the number of people still
running BIND 4! They also mention ntpd 4.0.99k, which shows how old it
was. If this is the exploit that I think it is, then that was something
from 5 years ago, when I was starting work on BIND9. It got me
involved in looking at ntp after I found that the fix after the CERT
came out wouldn't build on Windows. At the time I didn't have the
bandwidth to fix the build. I believe that Mark actually supplied the
fix to this buffer overflow.
