[ntp:security] Re: Concerning a possible bug in the 'ntp' package

David Wagner daw at cs.berkeley.edu
Sat Sep 3 01:49:06 UTC 2005

> > 1) On platforms that don't have mkstemp(), there may be a TOCTTOU
> > vulnerability in ntpd and ntpsim.  The ntpd and ntpsim programs
> > (ntpdmain() and ntpsim()) call getconfig().  On option CONFIG_BROADCAST,
> > getconfig() calls save_resolve().  On such platforms, save_resolve()
> > executes the following:
> >     (void) mktemp(res_file);
> >     res_fp = fopen(res_file, "w");
> >     ... fprintf(res_fp, ...); ...
> > There are multiple risks here.  One problem is that the filename
> > produced by mktemp() is guessable.  An adversary who guesses the
> > filename will be /tmp/ntpd123456 could set up a symlink
> >     /tmp/ntpd123456 -> some system file
> > and then when save_resolve() calls fopen(), the system file will
> > be overwritten.  If the system file is, say, /etc/shadow, this is
> > not good.
> > 
> If they can do that they can do lots of other things on the box and I 
> think that ntp would be the least of an admin's problems,

Please explain.  I have described how a non-root user, with no special
privileges, can overwrite files like /etc/shadow  (which should not be
accessible to non-root users)  by exploiting a vulnerability in ntpd.
This attack is only possible through ntpd.

I don't know what you mean by "do lots of other things on the box".
The only prerequisite needed to mount this attack is ability to create
symlinks in /tmp, which is something that anyone with a local account
can do.

Yes, it is a vulnerability that requires a local account to exploit.
It is not remotely exploitable.  But I don't understand your characterization
of the vulnerability.

More information about the security mailing list