Date: Wed, 4 Apr 2001 21:41:20 -0700
From: Steve Reid <sreid@sea-to-sky.net>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: ntpd =< 4.0.99k remote buffer overflow
Message-ID: <20010404214120.B22906@grok.bc.hsia.telus.net>
In-Reply-To: <3ACBB263.2804E9C2@ursine.com>; from Michael Bryan on Wed, Apr 04, 2001 at 04:46:43PM -0700
References: <3ACBB263.2804E9C2@ursine.com>
On Wed, Apr 04, 2001 at 04:46:43PM -0700, Michael Bryan wrote:
> From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
> Subject: ntpd =< 4.0.99k remote buffer overflow
> To: BUGTRAQ@SECURITYFOCUS.COM
> /* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */

I'm not an ntpd guru by any means, but I have this in my /etc/ntpd.conf:

restrict 127.0.0.1
restrict default noquery nomodify notrap nopeer

The exploit crashes my ntpd when run locally, but not when run remotely. Tcpdump confirms that the remote packets are arriving.

I _think_ those restrict lines permit full access to localhost, but limit external stuff to ntp query responses. That should be suitable for the typical box that just wants to keep its clock synchronized. It's probably possible to improve upon that configuration; I barely understood ntpd configuration when I created that ntpd.conf and have forgotten what little I did learn.

It is possible to spoof 127.0.0.1 if you don't have a firewall blocking such bogons. I think excluding the "restrict 127.0.0.1" line should eliminate that hole.

A proper patch should be applied of course, but I think this goes to show that tightening a configuration is generally good practice. This is especially true for network daemons that must run as root for their whole life, and especially true for network daemons that are as feature-rich (see the man page for details) as ntpd.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
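The two restrict lines quoted in the message, and the suggestion to drop the "restrict 127.0.0.1" line, can be checked mechanically. The following is an added example (not code from the mail, the list or the ntp project): a small Python audit that parses restrict lines from an ntp.conf, resolves which flags ntpd would apply to a given source address (the most specific matching entry wins; an entry with no flags means no restrictions), and reports when a remote source is left with query or modify access, or when loopback is fully trusted and therefore relies on anti-spoofing filtering. The three configurations and the sample remote address 192.0.2.10 are constructed for the example; the matching logic is a simplified IPv4-only model of ntpd's behaviour, not the daemon's own code.

```python
"""Audit ntpd 'restrict' rules for the weakness discussed in the thread.

Added example, not from the original mail or from ntpd. IPv4 only, and
a simplified model: ntpd applies the flags of the most specific
restrict entry matching the source address; no flags means no limits.
"""
import ipaddress
from dataclasses import dataclass

# Flags recognised by this model; the four used in the mail are what keep
# a remote host from doing anything beyond time requests.
KNOWN_FLAGS = {"noquery", "nomodify", "notrap", "nopeer",
               "noserve", "ignore", "notrust", "kod", "limited"}

# Constructed sample configurations.
CONF_AS_POSTED = "restrict 127.0.0.1\nrestrict default noquery nomodify notrap nopeer\n"
CONF_TIGHTENED = "restrict default noquery nomodify notrap nopeer\n"   # loopback line dropped
CONF_LOOSE = "restrict default\n"                                      # no limits at all


@dataclass(frozen=True)
class Restrict:
    network: ipaddress.IPv4Network
    flags: frozenset


def parse_restrict_lines(conf_text):
    """Return Restrict entries from ntp.conf text, ignoring other directives."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        target, rest = parts[1], parts[2:]
        if target == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"          # a bare address means a single host
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            net = ipaddress.IPv4Network(f"{target}/{mask}", strict=False)
        rules.append(Restrict(net, frozenset(f for f in rest if f in KNOWN_FLAGS)))
    return rules


def effective_flags(rules, source_ip):
    """Flags ntpd would apply to packets from source_ip (longest prefix wins)."""
    addr = ipaddress.IPv4Address(source_ip)
    matches = [r for r in rules if addr in r.network]
    if not matches:
        return frozenset()                    # no entry at all: unrestricted
    return max(matches, key=lambda r: r.network.prefixlen).flags


def audit(conf_text, remote_sample="192.0.2.10"):
    """List findings: remote query/modify access, or fully trusted loopback."""
    rules = parse_restrict_lines(conf_text)
    findings = []
    remote = effective_flags(rules, remote_sample)
    for flag in ("noquery", "nomodify"):
        if flag not in remote:
            findings.append(f"remote source {remote_sample} lacks {flag}")
    if not effective_flags(rules, "127.0.0.1"):
        findings.append("127.0.0.1 is fully trusted; only safe behind anti-spoofing filtering")
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", CONF_AS_POSTED),
                       ("tightened", CONF_TIGHTENED),
                       ("loose", CONF_LOOSE)):
        print(name, "->", audit(conf) or ["no findings"])
```

Run against the configuration from the mail, the audit reports only the trusted-loopback point; with the loopback line removed, 127.0.0.1 falls under the default entry and inherits the four flags, so the report is empty; a bare "restrict default" shows every check failing.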