[20062] in bugtraq


Re: ntpd =< 4.0.99k remote buffer overflow

daemon@ATHENA.MIT.EDU (Jan Kluka)
Fri Apr 6 14:19:38 2001

Mail-Followup-To: Jan Kluka <kluka@danka.ii.fmph.uniba.sk>,
                  bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010406165809.A7355@danka.ii.fmph.uniba.sk>
Date:         Fri, 6 Apr 2001 16:58:09 +0200
Reply-To: Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
From: Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.4.30.0104052001020.21512-100000@shell.inch.com>; from
              spork@INCH.COM on Thu, Apr 05, 2001 at 08:03:38PM -0400

On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
...
> Just a quick note to save others a bit of legwork...  If you are running
> ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> should keep people away:
>
> restrict default ignore
>
> Before adding this (I actually had the wrong syntax), the exploit crashed
> ntpd.  Afterwards, not a blip, and ntpdate shows that ntpd is not
> answering anything...

Time servers which ntpd is synchronized to are also subject to the
restriction.  So, if this is the only `restrict' in your ntp.conf, it also
prevents synchronization to the time server.

Besides `restrict default ignore' there should be

    restrict time.server.address nomodify

for every 'server time.server.address' in your ntp.conf.

Now, ntpd can be crashed/exploited only by evil queries coming from
time.server.address (or by UDP-spoofed queries from anywhere else :-/).

						JK
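
The check described in the message above, as an added example that is not part of the original post: a small auditor that reads an ntp.conf body and reports `server` entries left blocked by `restrict default ignore`, and entries whose own `restrict` line lacks `nomodify`. The function name, the result keys and the sample configuration (documentation addresses) are constructed for illustration; matching is by exact address string, so `mask`-based restrict lines are not resolved.

```python
def audit_ntp_conf(text):
    """Audit ntp.conf text (hypothetical helper, not part of ntpd).

    Returns a dict with:
      default_ignore - True if 'restrict default ... ignore' is present
      blocked        - servers whose packets would be dropped
      no_nomodify    - servers with a restrict line lacking 'nomodify'
    """
    servers, restricts = [], {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) < 2:
            continue
        keyword, addr, flags = fields[0].lower(), fields[1], fields[2:]
        if keyword == "server":
            servers.append(addr)
        elif keyword == "restrict":
            restricts[addr] = [f.lower() for f in flags]

    default_ignore = "ignore" in restricts.get("default", [])
    blocked, no_nomodify = [], []
    for addr in servers:
        flags = restricts.get(addr)
        if flags is None:
            # No per-server line: the default entry applies to the server too.
            if default_ignore:
                blocked.append(addr)
        elif "ignore" in flags:
            blocked.append(addr)
        elif "nomodify" not in flags:
            no_nomodify.append(addr)
    return {"default_ignore": default_ignore,
            "blocked": blocked, "no_nomodify": no_nomodify}


# Constructed sample configuration, not taken from the original post.
SAMPLE = """\
server 192.0.2.10
server 192.0.2.11            # no matching restrict line
server ntp.example.net
restrict default ignore
restrict 192.0.2.10 nomodify
restrict ntp.example.net     # exception present, but without nomodify
"""

if __name__ == "__main__":
    for key, value in audit_ntp_conf(SAMPLE).items():
        print(f"{key}: {value}")
```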
