[ntp:security] Re: Concerning a possible bug in the 'ntp' package
daw at cs.berkeley.edu
Sat Sep 3 01:49:06 UTC 2005
> > 1) On platforms that don't have mkstemp(), there may be a TOCTTOU
> > vulnerability in ntpd and ntpsim. The ntpd and ntpsim programs
> > (ntpdmain() and ntpsim()) call getconfig(). On option CONFIG_BROADCAST,
> > getconfig() calls save_resolve(). On such platforms, save_resolve()
> > executes the following:
> > (void) mktemp(res_file);
> > res_fp = fopen(res_file, "w");
> > ... fprintf(res_fp, ...); ...
> > There are multiple risks here. One problem is that the filename
> > produced by mktemp() is guessable. An adversary who guesses the
> > filename will be /tmp/ntpd123456 could set up a symlink
> > /tmp/ntpd123456 -> some system file
> > and then when save_resolve() calls fopen(), the system file will
> > be overwritten. If the system file is, say, /etc/shadow, this is
> > not good.
> If they can do that they can do lots of other things on the box and I
> think that ntp would be the least of an admin's problems,
Please explain. I have described how a non-root user, with no special
privileges, can overwrite files like /etc/shadow (which should not be
accessible to non-root users) by exploiting a vulnerability in ntpd.
This attack is only possible through ntpd.
I don't know what you mean by "do lots of other things on the box".
The only prerequisite needed to mount this attack is the ability to create
symlinks in /tmp, which is something that anyone with a local account
Yes, it is a vulnerability that requires a local account to exploit.
It is not remotely exploitable. But I don't understand your characterization
of the vulnerability.
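As an added example (not ntpd's code), here is the mkstemp()-based form the report contrasts with mktemp(): the file is created atomically and written through the returned descriptor instead of being reopened by name, and a second helper checks with lstat() that the result is a private regular file rather than a symlink. The function names save_resolve_safe and is_private_regular_file are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the mktemp() + fopen("w") sequence quoted in
 * the report. mkstemp() creates the file itself with O_CREAT|O_EXCL and
 * mode 0600 in one step, so an attacker-planted symlink at a guessed name
 * is never followed. `path` must be a writable buffer ending in "XXXXXX";
 * on success it holds the real filename. Returns 0 on success, -1 on error. */
int save_resolve_safe(char *path, const char *body)
{
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "w");   /* keep using the fd; never reopen by name */
    if (fp == NULL) {
        close(fd);
        unlink(path);
        return -1;
    }
    if (fputs(body, fp) == EOF || fclose(fp) == EOF) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Review/test-time check: is `path` a regular file, not a symlink, with no
 * group/other permission bits? lstat() does not follow links. Returns 1 if
 * so, else 0. (Checking after the fact is not itself race-free; the real
 * protection is creating the file with mkstemp() above.) */
int is_private_regular_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}
```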