[ntp:questions] Re: "Listen on" semantics

Harlan Stenn stenn at ntp.isc.org
Wed Sep 20 22:30:35 UTC 2006


>>> In article <45110BAE.8040106 at skopos.be>, xntp at skopos.be (Luc Pardon) writes:

Lots of good stuff.

Luc>     Case in point #1: back in 2001, there was a bug in - yes - (x)ntpd
Luc> that allowed remote root access. See, for example:
Luc> http://archive.cert.uni-stuttgart.de/archive/bugtraq/2001/04/msg00064.html

First, please compare this history to other root-running processes and tell
me how (x)ntpd compares.  Especially given the length of time (x)ntpd has
been in the field.

Second, thanks for that URL; as I recall I heard *claims* that a root
exploit was possible but I never saw something that demonstrated it.  I do
recall looking at code that *claimed* to produce a root shell, but neither I
nor any of the folks I talked to was able to reproduce this.

I'll add this to my queue of things to look at, anyway.

Luc>     Case in point #2: only last week, my logs were being flooded
Luc> because somebody sent icmp port unreachable packets to udp/123. Each
Luc> packet is good for about 80 bytes of wasted disk space. A determined
Luc> attacker, starting on Friday evening, could use a high-speed line to
Luc> fill up a multi-gigabyte disk and have free game by Sunday
Luc> afternoon. By that time none of his actions will be logged anymore
Luc> because of disk full. By Monday morning, the sysadmin will scratch his
Luc> head over the "connection refused"'s and may not even know he's been
Luc> hacked.

Fair point, and Real Soon Now we're going to have better configuration
control over logfiles.  And I thought syslog() was pretty good about "Last
message repeated N times".

Regardless, I would like to see all these issues resolved, and I'm happy to
work cooperatively with anybody to see this happen.

H



