[ntp:security] Re: Concerning a possible bug in the 'ntp' package

David Wagner daw at cs.berkeley.edu
Sat Sep 3 02:02:38 UTC 2005

> Well, while it's all possible, why would anyone who could break in 
> bother to do that. They basically would do a lot more damage elsewhere, 
> though I get your point.

These are locally exploitable attacks.  The attacker has to have a
local account before he can exploit them.  There are two ways that
an attacker might be able to get a local account:

1) Legitimately.  On a multi-user system, the attacker might be a
legal user who has a valid (non-root) account.  These vulnerabilities
show how an attacker with a non-root account can do things to the
system that non-root users should not be able to do.

2) Illegitimately.  The attacker might be able to exploit some hole
in some other service that gives the attacker non-root access to the
system.  The attacker might then follow that up by exploiting the
ntpd vulnerabilities to do extra damage to system files that aren't
writable by that non-root account, effectively gaining root-level
access.  The latter is known as a "privilege escalation" attack.

Here is a good question to ask yourself: Is it your position that ntp is
not intended to be safe to run on any multi-user system, and that users
should never use it on any multi-user system, if they care about security?
If so, it seems like this would be a good thing to mention prominently
in your documentation somewhere.  (I confess I wouldn't have expected
this to be the intent, but only you know what the intent is.)

I apologize if it sounds like I'm giving you a hard time.  I don't really
care what you do about this bug, but it seems like it would be better
if any decision you make is informed by all the facts.  I just want to
make sure you have all the relevant information.

More information about the security mailing list