[ntp:security] [Bug 1300] New: savecfg allows writes to any part of the filesystem

Danny Mayer via the NTP Bugzilla bugzilla at ntp.org
Tue Sep 8 11:55:50 UTC 2009


           Summary: savecfg allows writes to any part of the filesystem
           Product: ntp
           Version: 4.2.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P1
         Component: ntpd
        AssignedTo: stenn at ntp.org
        ReportedBy: mayer at ntp.org
                CC: security at ntp.org

The savecfg command from ntpq allows it to write the config file to any location
in the filesystem and is a major security hole since the daemon is frequently
running as root. Among other possibilities it can overwrite /etc/passwd, boot,
/etc/nsswitch.conf, etc plus /etc/nologin all of which would prevent user access
to the system, allow reboots, destroy files at random etc.

Brian Utterback and I have been discussing this to come up with a solution.
However, since ntpq only uses MD5 for sending the password when issuing such
commands, ntpq should be considered to have no security whatsoever. One
possibility is to not allow ntpq to write at all to the filesystem. Another is
to create an ntpdir keyword which if enabled allow you to save to the filesystem
but such a keyword would not be allowed to be modified remotely. Another option
is to specify a specific directory to write the file and disallow any paths in
the file specification for the dump file. Such a directory could not be changed

Similarly the statsdir should not be remotely modifiable.

With the current setup and an attack on infrastructure via ntpq is trivial and
MD5 cannot be consider a security measure.

Danny Mayer <mayer at ntp.org>

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

More information about the security mailing list