[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Fri Sep 11 00:10:55 UTC 2009


Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-09-11 00:10

I don't think it's fair to say authenticated ntpq should be considered to have 
no security.  ntpq doesn't send the password, it signs the packet using the 
password as the MD5 key.  I suspect it's vulnerable to replay, but not to 
discovering the password trivially.

Re: Steve's comment #2, the original implementation by Max Kühn allowed 
overwriting any path, and didn't require authentication.  Before committing it 
initially (when it was known as dumpcfg) I changed it to restrict the output to 
/var/tmp on unix and %TEMP% on Windows without requiring authentication for ease 
of testing.  A bit later I changed it to require authentication and removed the 
path restriction (at the same time it was renamed saveconfig).

Dave Hart <hart at ntp.org>

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

More information about the security mailing list