[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Fri Sep 11 23:57:47 UTC 2009


http://bugs.ntp.org/1300



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-09-11 23:57

(In reply to comment #8)
> Keys very often go over the wire, just not in the ntpq packet. See the
> discussion of key distribution in the autokey docs. And the ntpq packets do 
> have the timestamps, but I doubt very much that they are checked.

Not all keys are created equal.  The autokey keys that are distributed out of 
band are not MD5 keys that can be used with ntpq, they are certificates that are 
used to verify autokey group membership and secure the negotiation of the seed 
value used to generate MD5 session keys.  I see zero relationship to this issue.

> I am not saying that sniffing the ntpq packet will let you issue a different
> command. I am saying that this makes the keys that were formerly of low value 
> so as to be freely passed around now suddenly of very high value. In many
> cases all of the server's clients will have keys. A common configuration idiom
> (the one I gave several messages back) will result in any of the clients being 
> able to brickify the server. 

I'm not sure if you're talking about symmetric MD5 keys found in the keyfile, or 
autokey group keys.  If you are referring to symmetric MD5 keys, is your common 
configuration idiom to use the same keyid for controlkey/requestkey that you 
share with symmetric peers/clients/servers (listed on the association line with 
keyid)?  That's the only way a widely-distributed key could be used with ntpq 
remote configuration.

Moreover, there is nothing new with saveconfig here.  If I can overwrite a 
critical file using saveconfig, I can also overwrite it using "logfile" or a 
combination of "enable stats", "statsdir", and "filegen".

-- 
Dave Hart <hart at ntp.org>
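The configuration idiom the thread is arguing about is easy to see in ntp.conf itself. The two fragments below are an added illustration, not text from the bug report or from the NTP project: the first reuses the peer-shared keyid for controlkey/requestkey, so every holder of that key can drive ntpq remote configuration (saveconfig, logfile, statsdir/filegen included); the second keeps a separate, operator-only keyid for control traffic and limits modification by address. Hostnames, paths and key numbers are constructed; the saveconfigdir directive exists only in ntpd releases later than this 2009 report.

```conf
# Added example, not part of the bug report. Paths, hostnames and key
# numbers are constructed for illustration.

### Weak: the keyid shared with peers also unlocks ntpq remote configuration
keys /etc/ntp/ntp.keys
trustedkey 1
server ntp1.example.net key 1     # key 1 authenticates time packets from peers
peer   ntp2.example.net key 1     # ...and is therefore distributed to them
controlkey 1                      # the same key 1 now authorizes ntpq :config
requestkey 1                      # and ntpdc runtime requests

### Hardened: a distinct keyid, held only by operators, for control traffic
keys /etc/ntp/ntp.keys
trustedkey 1 7
server ntp1.example.net key 1     # widely shared time-authentication key
peer   ntp2.example.net key 1
controlkey 7                      # never appears on any association line
# requestkey omitted: mode 7 (ntpdc) runtime reconfiguration stays disabled
restrict default kod nomodify notrap nopeer noquery   # nomodify blocks :config remotely
restrict 127.0.0.1                                    # local ntpq retains full access
saveconfigdir /var/lib/ntp/saveconfig                 # later ntpd releases: confine saveconfig output

### /etc/ntp/ntp.keys (constructed): one line per keyid, "keyid type key"
# 1 MD5 sharedTimeKey
# 7 MD5 adminOnlyKey
```

The point of the split is that key 1 keeps its low-value role (it only has to protect time packets between associations), while anything that can rewrite files or runtime state is gated on key 7, which is never handed to clients.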
