From owner-freebsd-security  Wed Apr  4 21:41:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.252.235])
	by hub.freebsd.org (Postfix) with ESMTP id EB1F837B42C
	for <freebsd-security@FreeBSD.ORG>; Wed,  4 Apr 2001 21:41:21 -0700 (PDT)
	(envelope-from sreid@sea-to-sky.net)
Received: by grok.example.net (Postfix, from userid 1000)
	id 02F2A21334A; Wed,  4 Apr 2001 21:41:20 -0700 (PDT)
Date: Wed, 4 Apr 2001 21:41:20 -0700
From: Steve Reid <sreid@sea-to-sky.net>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
Message-ID: <20010404214120.B22906@grok.bc.hsia.telus.net>
References: <3ACBB263.2804E9C2@ursine.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <3ACBB263.2804E9C2@ursine.com>; from Michael Bryan on Wed, Apr 04, 2001 at 04:46:43PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Apr 04, 2001 at 04:46:43PM -0700, Michael Bryan wrote:
> From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
> Subject: ntpd =< 4.0.99k remote buffer overflow
> To: BUGTRAQ@SECURITYFOCUS.COM
> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

I'm not an ntpd guru by any means, but I have this in my
/etc/ntpd.conf:

restrict 127.0.0.1
restrict default noquery nomodify notrap nopeer

The exploit crashes my ntpd when run locally, but not when run
remotely. Tcpdump confirms that the remote packets are arriving.

I _think_ those restrict lines permit full access to localhost, but
limit external stuff to ntp query responses. That should be suitable
for the typical box that just wants to keep it's clock synchronized.
It's probably possible to improve upon that configuration; I barely
understood ntpd configuration when I created that ntpd.conf and have
forgotten what little I did learn.

It is possible to spoof 127.0.0.1 if you don't have a firewall blocking
such bogons. I think excluding the "restrict 127.0.0.1" line should
eliminate that hole.

A proper patch should be applied of course, but I think this goes to
show that tightening a configuration is generally good practice. This
is especially true for network daemons that must run as root for their
whole life, and especially true for network daemons that are as
feature-rich (see the man page for details) as ntpd.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message