[ntp:security] [Bug 2672] ::1 can be spoofed. ACLs based on source IP can be bypassed

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Wed Oct 28 10:33:48 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2672

JGhosh <joy.career at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joy.career at gmail.com

--- Comment #6 from JGhosh <joy.career at gmail.com> 2015-10-28 10:33:48 UTC ---
Hi Harlan,

I am JGhosh, an open source developer, working on NTP cherry-pick integration
of Bug 2672 into a FreeBSD private repo.

Would you kindly confirm the final Bug 2672 changelist, given inline below? I am
manually cherry-picking the commits from GitHub into a
FreeBSD private repository and need your help with this.


Thanks in advance.

Reference:

https://github.com/ntp-project/ntp/blob/stable/ChangeLog


$ git log --grep="Sec 2672"
commit e3b048acc50689de3069ff09c272108902d82566
Author:  <stenn at psp-fb1.ntp.org>
Date:   Fri Jan 23 10:29:31 2015 +0000

    [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

commit 2fb392987ee930becfec6d8843ce96ba9b465dec
Author:  <stenn at psp-deb1.ntp.org>
Date:   Sun Dec 21 01:24:15 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs

commit 9ebcc199749f89056cf0c5acb82bc5256395102c
Author:  <stenn at deacon.udel.edu>
Date:   Fri Dec 19 04:43:15 2014 -0500

    Disable Sec 2672 interim fix for now

commit 96e106df5925c7d4c51b73b2f03ac403e8e1beb2
Author:  <stenn at psp-deb1.ntp.org>
Date:   Thu Dec 18 13:11:35 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug
output tweaking

commit 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
Author:  <stenn at psp-deb1.ntp.org>
Date:   Thu Dec 18 01:18:29 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs




$ git log --stat -p e3b048acc50689de3069ff09c272108902d82566
Author:  <stenn at psp-fb1.ntp.org>
Date:   Fri Jan 23 10:29:31 2015 +0000

    [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 22 ++++++++++------------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a115442..32b7b34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 ---

 * [Bug 2617] Fix sntp Usage documentation section.
+* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
 ---
 (4.2.8p1-beta5) 2015/01/07 Released by Harlan Stenn <stenn at ntp.org>
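
Review bot: The added ChangeLog line ends in "..." and so does not say what the cleanup was. Spell out the change, for example that the loopback test now goes through PSOCK_ADDR6() and the debug output moved to level 2, so that someone reading the ChangeLog alone can tell this entry apart from the earlier [Sec 2672] one.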

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index f01088d..1ee7098 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3482,26 +3482,24 @@ read_network_packet(
        ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
        */

-       // temporary hack...
        if (AF_INET6 == itf->family) {
-               DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s>
(%d)\n",
+               DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s>
(%d)\n",
                        stoa(&rb->recv_srcadr),
                        IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
                        stoa(&itf->sin),
                        !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
                        ));
-       }

-       if (   AF_INET6 == itf->family
-           && IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
-           && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
-          ) {
-               packets_dropped++;
-               DPRINTF(1, ("DROPPING that packet\n"));
-               freerecvbuf(rb);
-               return buflen;
+               if (   IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
+                   && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+                  ) {
+                       packets_dropped++;
+                       DPRINTF(2, ("DROPPING that packet\n"));
+                       freerecvbuf(rb);
+                       return buflen;
+               }
+               DPRINTF(2, ("processing that packet\n"));
        }
-       DPRINTF(1, ("processing that packet\n"));

        /*
         * Got one.  Mark how and when it got here,
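
Review bot: In the drop branch the only record of a rejected packet is `packets_dropped++` plus a `DPRINTF(2, ...)`, so a non-debug build gives an operator no way to tell packets dropped for a spoofed ::1 source from any other drop. Consider a dedicated counter or a rate-limited log message at that point, so attempts against source-IP ACLs show up in normal monitoring.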





$ git log --stat -p 2fb392987ee930becfec6d8843ce96ba9b465dec
commit 2fb392987ee930becfec6d8843ce96ba9b465dec
Author:  <stenn at psp-deb1.ntp.org>
Date:   Sun Dec 21 01:24:15 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4d2ea91..4e31309 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 ---
 (4.2.8) 2014/12/19 Released by Harlan Stenn <stenn at ntp.org>
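
Review bot: This ChangeLog entry is word for word the one added by the first [Sec 2672] commit, so the ChangeLog cannot distinguish the original check from this follow-up. Say what changed here, namely that IN6_IS_ADDR_LOOPBACK() is now given the sin6_addr member and the HAVE_SOLARIS_PRIVS guard is removed.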

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index ae00e55..d771cf5 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3450,19 +3450,18 @@ read_network_packet(
        */

        // temporary hack...
-#ifndef HAVE_SOLARIS_PRIVS
        if (AF_INET6 == itf->family) {
                DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s>
(%d)\n",
                        stoa(&rb->recv_srcadr),
-                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr),
                        stoa(&itf->sin),
-                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
                        ));
        }

        if (   AF_INET6 == itf->family
-           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
-           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
           ) {
                packets_dropped++;
                DPRINTF(1, ("DROPPING that packet\n"));
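
Review bot: The `// temporary hack...` comment stays at the top of this hunk even though the `#ifndef HAVE_SOLARIS_PRIVS` guard is removed and the check becomes unconditional; drop the comment or state what is still temporary. The switch to `&rb->recv_srcadr.sa6.sin6_addr` and `&itf->sin.sa6.sin6_addr` is the substantive fix, because the macro was previously handed the address of the whole socket-address object and so examined the start of that structure rather than the address field. The commit message repeats the original summary and should mention this.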
@@ -3470,7 +3469,6 @@ read_network_packet(
                return buflen;
        }
        DPRINTF(1, ("processing that packet\n"));
-#endif

        /*
         * Got one.  Mark how and when it got here,
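
Review bot: With the `#endif` gone, `DPRINTF(1, ("processing that packet\n"));` sits outside both `if` blocks, so it fires for every received packet, IPv4 included, at debug level 1. Move it inside the AF_INET6 block or raise its level so level-1 debug output stays readable.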






$ git log --stat -p 9ebcc199749f89056cf0c5acb82bc5256395102c
commit 9ebcc199749f89056cf0c5acb82bc5256395102c
Author:  <stenn at deacon.udel.edu>
Date:   Fri Dec 19 04:43:15 2014 -0500

    Disable Sec 2672 interim fix for now
---
 ntpd/ntp_io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index 8be7247..ae00e55 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3449,6 +3449,8 @@ read_network_packet(
        ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
        */

+       // temporary hack...
+#ifndef HAVE_SOLARIS_PRIVS
        if (AF_INET6 == itf->family) {
                DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s>
(%d)\n",
                        stoa(&rb->recv_srcadr),
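
Review bot: The commit message says the interim fix is disabled, but `#ifndef HAVE_SOLARIS_PRIVS` only compiles it out where HAVE_SOLARIS_PRIVS is defined; every other build still runs the check. Either reword the message or use a guard that matches the intent, and extend `// temporary hack...` to say why builds with HAVE_SOLARIS_PRIVS are excluded, since those builds then process packets that claim ::1 as their source without this test.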
@@ -3468,6 +3470,7 @@ read_network_packet(
                return buflen;
        }
        DPRINTF(1, ("processing that packet\n"));
+#endif

        /*
         * Got one.  Mark how and when it got here,
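
Review bot: The `#endif` closes a guard opened about twenty lines earlier and carries no trailing comment. Annotate it as `#endif /* !HAVE_SOLARIS_PRIVS */` so the extent of the excluded region is clear when reading the bottom of the block.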





commit 96e106df5925c7d4c51b73b2f03ac403e8e1beb2
Author:  <stenn at psp-deb1.ntp.org>
Date:   Thu Dec 18 13:11:35 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug
output tweaking
---
 ntpd/ntp_io.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index aa415cc..8be7247 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3450,8 +3450,12 @@ read_network_packet(
        */

        if (AF_INET6 == itf->family) {
-               DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n",
-                       stoa(&rb->recv_srcadr), stoa(&itf->sin)));
+               DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s>
(%d)\n",
+                       stoa(&rb->recv_srcadr),
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
+                       stoa(&itf->sin),
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+                       ));
        }

        if (   AF_INET6 == itf->family
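
Review bot: The two `%d` values in the new DPRINTF have opposite sense: the first is `IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)` and the second is `!IN6_IS_ADDR_LOOPBACK(&itf->sin)`, so "(1)" means loopback for the source and not-loopback for the destination. Print both un-negated, or label them in the format string, so the debug line can be read without consulting the code.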








$ git log --stat -p 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
commit 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
Author:  <stenn at psp-deb1.ntp.org>
Date:   Thu Dec 18 01:18:29 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f3765a5..de19386 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 * [Sec 2668] buffer overflow in ctl_putdata().
 * [Sec 2669] buffer overflow in configure().
 * [Sec 2670] Missing return; from error clause.
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 (4.2.7p485-RC) 2014/12/12 Released by Harlan Stenn <stenn at ntp.org>
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn at ntp.org>
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index eb61ead..aa415cc 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3446,6 +3446,26 @@ read_network_packet(
                    fd, buflen, stoa(&rb->recv_srcadr)));

        /*
+       ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+       */
+
+       if (AF_INET6 == itf->family) {
+               DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n",
+                       stoa(&rb->recv_srcadr), stoa(&itf->sin)));
+       }
+
+       if (   AF_INET6 == itf->family
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+          ) {
+               packets_dropped++;
+               DPRINTF(1, ("DROPPING that packet\n"));
+               freerecvbuf(rb);
+               return buflen;
+       }
+       DPRINTF(1, ("processing that packet\n"));
+
+       /*
         * Got one.  Mark how and when it got here,
         * put it on the full list and do bookkeeping.
         */
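
Review bot: In the drop condition, `IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)` and `IN6_IS_ADDR_LOOPBACK(&itf->sin)` pass the address of the whole socket-address object, while the macro expects a pointer to a `struct in6_addr`. Pass the IPv6 address member instead; as written the comparison starts at the beginning of the structure, so the test does not look at the address it is meant to filter on and the ::1 drop cannot be relied on.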
