CVE-2001-0414

ntpd < 4.0.99k - Buffer Overflow via Long readvar Argument

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2001-0414. PoCs published by Metasploit, patrick, babcia padlina ltd, including Metasploit module exploits/multi/ntp/ntp_overflow.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack-based buffer overflow in NTP daemon (ntpd/xntpd) via a malformed 'readvar' request. It uses the Egghunter technique to locate and execute the payload due to stack corruption.

Description

Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/16285

This is a Metasploit module exploiting a stack-based buffer overflow in NTP daemon (ntpd/xntpd) via a malformed 'readvar' request. It uses the Egghunter technique to locate and execute the payload due to stack corruption.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NTP daemon (ntpd/xntpd) versions 4.0.99j and 4.0.99k
No auth needed
Prerequisites: Network access to UDP port 123 · Vulnerable NTP daemon version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by patrick · rubyremotelinux
https://www.exploit-db.com/exploits/9940

This exploit targets a stack-based buffer overflow in NTP daemon (ntpd/xntpd) via a malformed 'readvar' request. It uses the Egghunter technique to locate and execute the payload due to stack corruption.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NTP daemon (ntpd/xntpd) versions 4.0.99j and 4.0.99k
No auth needed
Prerequisites: Network access to UDP port 123 · Target running vulnerable NTP daemon
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by babcia padlina ltd · cremotelinux
https://www.exploit-db.com/exploits/20727

This exploit targets a buffer overflow vulnerability in NTPD (CVE-2001-0414) by sending a maliciously crafted UDP packet to execute arbitrary code. It includes platform-specific shellcode to spawn a shell via /tmp/sh and demonstrates remote root access on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NTPD (xntp3/ntp) versions including 4.0.99k
No auth needed
Prerequisites: Network access to vulnerable NTPD service · Ability to send UDP packets to port 123
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ntp/ntp_overflow.rb

This Metasploit module exploits a stack-based buffer overflow in NTP daemon (ntpd/xntpd) via a malformed 'readvar' request. It uses an egghunter technique to achieve remote code execution on vulnerable Linux systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NTP daemon (ntpd/xntpd) versions 4.0.99j and 4.0.99k
No auth needed
Prerequisites: Network access to UDP port 123 · Vulnerable NTP daemon version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (24)

Core 24
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2001-045.html
Various Sources vendor-advisory x_refsource_suse
http://lists.suse.com/archives/suse-security-announce/2001-Apr/0000.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98683952401753&w=2
Patch, Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-036.php3
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98642418618512&w=2
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000392
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98684532921941&w=2
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html
Various Sources vendor-advisory x_refsource_sco
ftp://ftp.sco.com/SSE/sse073.ltr
Various Sources vendor-advisory x_refsource_sco
ftp://ftp.sco.com/SSE/sse074.ltr
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/805
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/2540
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3831
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98659782815613&w=2
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98654963328381&w=2
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98679815917014&w=2
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0314.html
Various Sources vendor-advisory x_refsource_freebsd
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:31.ntpd.asc
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98684202610470&w=2
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2001/dsa-045
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6321
Vendor Advisory vendor-advisory x_refsource_caldera
http://www.calderasystems.com/support/security/advisories/CSSA-2001-013.0.txt

Scores

EPSS 0.9168
EPSS Percentile 99.8%

Details

Status published
Products (18)
dave_mills/ntpd 4.0.99
dave_mills/ntpd 4.0.99a
dave_mills/ntpd 4.0.99b
dave_mills/ntpd 4.0.99c
dave_mills/ntpd 4.0.99d
dave_mills/ntpd 4.0.99e
dave_mills/ntpd 4.0.99f
dave_mills/ntpd 4.0.99g
dave_mills/ntpd 4.0.99h
dave_mills/ntpd 4.0.99i
... and 8 more
Published Jun 18, 2001
Tracked Since Feb 18, 2026