From owner-freebsd-security Wed Apr 4 21:41:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.252.235]) by hub.freebsd.org (Postfix) with ESMTP id EB1F837B42C for ; Wed, 4 Apr 2001 21:41:21 -0700 (PDT) (envelope-from sreid@sea-to-sky.net)
Received: by grok.example.net (Postfix, from userid 1000) id 02F2A21334A; Wed, 4 Apr 2001 21:41:20 -0700 (PDT)
Date: Wed, 4 Apr 2001 21:41:20 -0700
From: Steve Reid
To: Michael Bryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
Message-ID: <20010404214120.B22906@grok.bc.hsia.telus.net>
References: <3ACBB263.2804E9C2@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <3ACBB263.2804E9C2@ursine.com>; from Michael Bryan on Wed, Apr 04, 2001 at 04:46:43PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Apr 04, 2001 at 04:46:43PM -0700, Michael Bryan wrote:
> From: Przemyslaw Frasunek
> Subject: ntpd =< 4.0.99k remote buffer overflow
> To: BUGTRAQ@SECURITYFOCUS.COM
> /* ntpd remote root exploit / babcia padlina ltd. */

I'm not an ntpd guru by any means, but I have this in my /etc/ntpd.conf:

restrict 127.0.0.1
restrict default noquery nomodify notrap nopeer

The exploit crashes my ntpd when run locally, but not when run remotely. Tcpdump confirms that the remote packets are arriving.

I _think_ those restrict lines permit full access to localhost, but limit external stuff to ntp query responses. That should be suitable for the typical box that just wants to keep its clock synchronized.

It's probably possible to improve upon that configuration; I barely understood ntpd configuration when I created that ntpd.conf and have forgotten what little I did learn.

It is possible to spoof 127.0.0.1 if you don't have a firewall blocking such bogons. I think excluding the "restrict 127.0.0.1" line should eliminate that hole.

A proper patch should be applied of course, but I think this goes to show that tightening a configuration is generally good practice. This is especially true for network daemons that must run as root for their whole life, and especially true for network daemons that are as feature-rich (see the man page for details) as ntpd.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
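The following is an added example, not part of the mailing-list post above and not ntpd's own code. It is a simplified, stand-alone model of how ntpd's `restrict` lines are applied, following ntp.conf(5): the flags of the most specific matching entry (longest mask) govern a packet, `default` is the all-zero entry, and each flag refuses a class of request (`noquery` refuses ntpq/ntpdc mode 6 and 7 queries, `nomodify` refuses mode 6/7 modifications, `notrap` refuses control traps, `nopeer` refuses unsolicited symmetric-active peering, `noserve` refuses time service, `ignore` refuses everything). The request classes, the flag-to-class table and the sample addresses (`203.0.113.7`, `192.168.1.5`) are assumptions made for the illustration. The model shows why the poster's two lines leave external hosts with time service only, why a forged 127.0.0.1 source inherits the localhost entry's lack of restrictions, and what changes when the localhost line is dropped.

```python
"""Simplified model of ntpd 'restrict' matching (illustration, not ntpd source)."""
import ipaddress

# Which restrict flags refuse which kind of request.  This is a simplified
# reading of ntp.conf(5); the request class names are this example's own.
DENY_FLAGS = {
    "time":   {"ignore", "noserve"},              # mode 3 client asking for time
    "query":  {"ignore", "noquery"},              # ntpq/ntpdc read (modes 6/7)
    "modify": {"ignore", "noquery", "nomodify"},  # ntpq/ntpdc runtime modification
    "trap":   {"ignore", "noquery", "notrap"},    # mode 6 control trap service
    "peer":   {"ignore", "noserve", "nopeer"},    # unsolicited symmetric-active peer
}

# The two lines quoted in the post.
POSTED_CONF = """
restrict 127.0.0.1
restrict default noquery nomodify notrap nopeer
"""

# Same thing with the localhost line removed, as the post suggests.
NO_LOCALHOST_CONF = "restrict default noquery nomodify notrap nopeer\n"


def parse_restrict(conf_text):
    """Return [(network, frozenset(flags))] for every 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        addr, rest = tokens[1], tokens[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"              # host entry unless 'mask' given
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries


def applicable_flags(entries, source_ip):
    """Flags of the most specific (longest prefix) entry matching source_ip.

    ntpd always has an implicit unrestricted default, so no match means no flags.
    """
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()


def permitted(entries, source_ip, request):
    """True if a packet from source_ip of the given request class is served."""
    return not (applicable_flags(entries, source_ip) & DENY_FLAGS[request])


def summarize(conf_text, source_ip):
    """Map each request class to permitted/refused for one source address."""
    entries = parse_restrict(conf_text)
    return {req: permitted(entries, source_ip, req) for req in DENY_FLAGS}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("no localhost line", NO_LOCALHOST_CONF)):
        print(f"--- {label} ---")
        for src in ("127.0.0.1", "203.0.113.7"):   # 203.0.113.7 is a constructed remote address
            print(src, summarize(conf, src))
```

With the posted configuration a genuine or forged 127.0.0.1 source gets every request class, while `203.0.113.7` gets only `time`; after dropping the localhost line a packet claiming 127.0.0.1 falls through to `default` and is refused the query and modify classes, at the cost of local `ntpq` being refused too. The model knows nothing about interfaces, so it cannot distinguish a real loopback packet from a spoofed one; that distinction is exactly what the anti-spoofing firewall rule the post mentions provides.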