[20051] in bugtraq
Re: ntpd =< 4.0.99k remote buffer overflow
daemon@ATHENA.MIT.EDU (Christopher McCrory)
Fri Apr 6 04:31:38 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID: <3ACBEA83.8090801@pricegrabber.com>
Date: Wed, 4 Apr 2001 20:46:11 -0700
Reply-To: Christopher McCrory <chrismcc@PRICEGRABBER.COM>
From: Christopher McCrory <chrismcc@PRICEGRABBER.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello...
In this message I was replying to a co-worker, but others might benefit.
you wrote:
> I use the following code snippet in my /etc/rc.d/rc.firewall code which runs
> whenever I start my machine:
>
> #
> # NTP from SPECIFIC SERVERS. Make sure to re-run /etc/rc.d/rc.firewall
> # if you change the list of these servers, as we don't want to provide
> # NTP to other clients that aren't us.
> #
> for i in `awk '/^server/ && !/127.127.1.0/ {print $2}' /etc/ntp.conf`; do
>     $IPCHAINS -A input -i $EXTERNALIF -p udp -s $i/32 -d $EXTERNALIP/32 ntp -j ACCEPT
> done
>
> =================
>
> The above causes the server to only pay attention to NTP traffic originating
> from known servers in my /etc/ntp.conf file. (The default is to DENY all
> unknown traffic.) But because it's a good idea to fix this sort of problem
> generally, I'll look for a patch from RedHat. Thanks for the update.
>
Four years ago spoofing a tcp connection was hard, but not
impossible. Today it is, in practice, impossible due to real (not
pseudo) random sequence numbers. Spoofing a udp session is still easy
due to its connectionless properties. The NTP protocol uses udp. There
aren't _that_ many stratum 1 and 2 ntp servers. The sample code
executed "/tmp/sh", but there is no reason it couldn't execute
"/sbin/ipchains --flush". Followed by a 'real' exploit.
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com
"Linux: Because rebooting is for adding new hardware"
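The rule generator quoted above, rewritten as a stand-alone script so it can be tried against a sample config. This is an added example and not code from the original post or from the ipchains project: the function names, the interface and address values (eth0, 203.0.113.5, the 192.0.2.x/198.51.100.x servers) and the sample ntp.conf are all constructed here. It prints the ipchains commands rather than running them, so it needs no root and no ipchains binary.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the quoted approach:
# read the 'server' lines of an ntp.conf (skipping the local clock 127.127.1.0)
# and emit one ipchains ACCEPT rule per server. Rules are printed, not applied.

# Constructed sample config (assumption: this is what a small ntp.conf looks like).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample /etc/ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 192.0.2.10
server 198.51.100.20 prefer
restrict default ignore
EOF
}

# Same selection as the quoted awk one-liner: 'server' lines, minus the local clock.
ntp_servers() {
    awk '/^server/ && !/127\.127\.1\.0/ {print $2}' "$1"
}

# Emit the rule commands. The mailer had wrapped the original command across
# three lines; the whole ipchains invocation is a single line.
# Arguments: ntp.conf path, external interface, external IP (defaults are constructed).
ntp_rules() {
    conf=$1; extif=${2:-eth0}; extip=${3:-203.0.113.5}
    for i in $(ntp_servers "$conf"); do
        printf 'ipchains -A input -i %s -p udp -s %s/32 -d %s/32 ntp -j ACCEPT\n' \
            "$extif" "$i" "$extip"
    done
}

# Demo when run directly: show the rules that the sample config would produce.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
ntp_rules "$demo_conf" eth0 203.0.113.5
rm -f "$demo_conf"
```

Because the match is on the UDP source address only, these rules express "accept from my configured servers" but cannot verify that a datagram really came from one of them; that is exactly the spoofing point made in the reply, so the filter reduces exposure but does not substitute for patching ntpd.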