System Security Enhancement (SSE) SSE073 - 11-Apr-2001 Problem: A buffer overflow was found by Przemyslaw Frasunek in the NTP daemon. Full exploit details can be found in the BUGTRAQ archive http://www.securityfocus.com/archive/1/174011 On SCO OpenServer 5 Release 5.0.6 systems, the NTP daemon is /etc/ntpd. This exploit doesn't actually "work" on OpenServer. However, a small effect can be observed. To observe the effect, run ntpdc and give it the "ctlstats" command. An exploit attempt registers as an increment of 2 to the "requests received" and "responses sent" counters. Running the fixed version of ntpd, an exploit attempt registers as +2 "requests received", +2 "responses sent", +1 "total bad pkts" and +1 "error msgs sent". We find this difference sufficient to feel confident that the _specific_ problem has been corrected. Patch: The patch is located at: ftp://ftp.sco.com/SSE/sse073.tar.Z ftp://ftp.sco.com/SSE/sse073.ltr This patch is applicable to all releases of OpenServer 5. However, the "install-sse073.sh" program to install the binary can be used on Release 5.0.6 ONLY. This patch contains a replacement for the /etc/ntpd binary in Release 5.0.6. If you wish to use this binary on Releases 5.0.0 up to 5.0.5, you can install the binary manually. Note that on these older releases, /etc/xntpd (based on NTPv3) was shipped by default; hence, configuration files based on xntpd may have to be modified. Installation: 1. We reccommend you drop into single user mode to install this SSE (though this is not enforced). 2. Uncompress and extract the SSE into a temporary directory of the server (eg. /tmp/sse073). # uncompress sse073.tar.Z # tar xvf sse073.tar 3. Execute the install script. Follow the instructions at the prompt. # ./install-sse073.sh Note: "Warning" messages simply explain that because a specific file was not found on the current server, it was not replaced. If a system has custom binaries or paths, this patch may not succeed. 4. Clean up. A backup of the orginal binaries will be saved in: /opt/K/SCO/sse/sse073 The following files will be left over after patch installation and can be removed: ./install-sse073.sh ./sse073.files.tar The following files will be left over after patch installation and can be moved to an archival directory in case the patches are needed again: ./sse073.tar ./sse073.doc Checksums of the packages: `sum -r ./sse073.tar`: 53459 `sum -r ./sse073.files.tar`: 61075 References: The vulnerability addressed in this patch was found by: Przemyslaw Frasunek For more details, see the following BUGTRAQ archive: http://www.securityfocus.com/archive/1/174011 Disclaimer: SCO believes that this patch addresses the reported vulnerabilities. However, in order that it be released as soon as possible, this patch has not been fully tested or packaged to SCO's normal exacting standards. For that reason, this patch is not officially supported. Official supported and packaged fixes for current SCO products will be available in due course.