[ntp:hackers] ntpd: step_systime() and the years 2036 / 2038

juergen perlinger juergen.perlinger at t-online.de
Tue Aug 16 19:31:59 UTC 2011


On 08/16/2011 09:05 PM, Terje Mathisen wrote:

<snip>
> Exactly right:
>
> When an attacker is already root, the ability to hack ntpd doesn't
> provide any additional risks: Root can always just set the time/date
> to whatever she likes, no need to modify ntpd (recompile and/or touch)
> to do it for you. I assume ntpd will be installed with sufficient
> protections to make it impossible for anyone except root to either
> replace it or touch the file timestamp.

I totally agree: Once root is compromised, everything is possible.

But I think there's a difference in the quality (read: meanness) of the
attack if you could touch ntpd into the future: It leaves a landmine
that is probably not triggered until ntpd restarts. Just changing the
time has an immediate effect and might be easier to track, not to
mention to clean up.

And unless you immediately remember to check the file date of ntpd, the
mine is even self-reloading and ready to blast again...

cheers,
    pearly



More information about the hackers mailing list