[20087] in bugtraq
Re: ntpd =< 4.0.99k remote buffer overflow
daemon@ATHENA.MIT.EDU (Buhrmaster, Gary)
Mon Apr 9 03:33:22 2001
Message-ID: <76A109862EAED4119176009027EECD1E19AE50@AGAMEMNON.SLAC.Stanford.EDU>
Date: Fri, 6 Apr 2001 12:00:42 -0700
Reply-To: "Buhrmaster, Gary" <gtb@SLAC.STANFORD.EDU>
From: "Buhrmaster, Gary" <gtb@SLAC.STANFORD.EDU>
X-To: Jan Kluka <kluka@DANKA.II.FMPH.UNIBA.SK>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
I believe, for most implementations, that for all clients you can do a

    restrict default ignore
    restrict <time1.server.ip> noquery nomodify notrap nopeer
    restrict <time2.server.ip> noquery nomodify notrap nopeer

to eliminate most exposure from the reported overflow.
On your (local) time masters, you would have to do something like

    restrict default ignore
    restrict <your.network> mask <your.netmask> noquery nomodify notrap nopeer notrust
    restrict <higher_stratum.server1.ip> noquery nomodify notrap
    restrict <higher_stratum.server2.ip> noquery nomodify notrap

You will also have to specify the time servers by IP address, and you
will need to include the "special" IP address of 127.127.1.0 if you use
fallback to the local clock.
Gary
> -----Original Message-----
> From: Jan Kluka [mailto:kluka@DANKA.II.FMPH.UNIBA.SK]
> Sent: Friday, April 06, 2001 7:58 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: ntpd =< 4.0.99k remote buffer overflow
>
>
> On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
> ...
> > Just a quick note to save others a bit of legwork... If you are running
> > ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> > should keep people away:
> >
> > restrict default ignore
> >
> > Before adding this (I actually had the wrong syntax), the exploit crashed
> > ntpd. Afterwards, not a blip, and ntpdate shows that ntpd is not
> > answering anything...
>
> Time servers which ntpd is synchronized to are also subjected to the
> restriction. So, if this is the only `restrict' in your ntp.conf, it also
> prevents synchronization to the time server.
>
> Besides `restrict default ignore' there should be
>
> restrict time.server.address nomodify
>
> for every 'server time.server.address' in your ntp.conf.
>
> Now, ntpd can be crashed/exploited only by evil queries coming from
> time.server.address (or by UDP-spoofed queries from anywhere else :-/).
>
> JK
>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQCVAwUBOs4SXaaU9msY3cptAQFuYQP7BuvlvUUX9VarG3M7BV1FiY371OjAyut/
BIDNSh+55JAu5U8h2Xp0b1FonyTHFsSafE4ejFkieAnkHpE/VtB+NNS9yRBwKQUu
P8HCcxEP4kW1k7FDOJCqtnOrORIsh3GqRtrf9GFjiofUelUOvaI2rF1ImsCtakcb
hRBCwv3cIC0=
=john
-----END PGP SIGNATURE-----
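The pitfall this thread turns on (a bare "restrict default ignore" also drops the replies from the servers ntpd is supposed to sync to) is easy to catch mechanically. Below is an added example, written for this page and not taken from the thread or from the ntp distribution: a small Python linter that reads ntp.conf text, works out which restrict entry applies to each configured server, and reports servers that are blocked, servers given as hostnames (whose coverage cannot be checked by address), servers whose entry lacks nomodify, and the absence of any "restrict default" line. The three sample configs are constructed test inputs using documentation address ranges, and the lookup rule the script assumes about ntpd is that the most specific matching restrict network wins, falling back to "restrict default".

```python
"""Lint ntp.conf text for the 'restrict default ignore' pitfall.

Assumed ntpd rule: for a packet's source address the restrict entry with
the most specific matching network applies, falling back to 'restrict
default'.  An entry carrying 'ignore' drops the packet, so a server that
is covered only by 'restrict default ignore' can never answer.
"""
import ipaddress
from typing import List, Optional

# Constructed sample, not a real host's config: a client that only added
# 'restrict default ignore', as in the first posting quoted above.
BROKEN_CLIENT_CONF = """
driftfile /etc/ntp.drift
server ntp1.example.net
server 192.0.2.10
server 127.127.1.0          # local clock fallback
fudge 127.127.1.0 stratum 10
restrict default ignore
"""

# Constructed sample shaped like the client recipe in the reply above.
FIXED_CLIENT_CONF = """
driftfile /etc/ntp.drift
server 192.0.2.10
server 192.0.2.11
server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict default ignore
restrict 192.0.2.10 noquery nomodify notrap nopeer
restrict 192.0.2.11 noquery nomodify notrap nopeer
restrict 127.127.1.0 noquery nomodify notrap nopeer
"""

# Constructed sample shaped like the time-master recipe: the LAN is
# covered by a masked entry, the upstream servers by exact entries.
MASTER_CONF = """
server 198.51.100.5
server 198.51.100.6
server 192.0.2.20           # second master on the LAN, covered by the mask
restrict default ignore
restrict 192.0.2.0 mask 255.255.255.0 noquery nomodify notrap nopeer notrust
restrict 198.51.100.5 noquery nomodify notrap
restrict 198.51.100.6 noquery nomodify notrap
"""


def parse(text: str):
    """Return (servers, restricts); restricts are (network, flags) pairs,
    with network None for 'restrict default'.  '#' comments are stripped."""
    servers: List[str] = []
    restricts = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw = words[0].lower()
        if kw in ("server", "peer") and len(words) > 1:
            servers.append(words[1])
        elif kw == "restrict" and len(words) > 1:
            if words[1].lower() == "default":
                restricts.append((None, [w.lower() for w in words[2:]]))
                continue
            rest = words[2:]
            if len(rest) >= 2 and rest[0].lower() == "mask":
                net = ipaddress.ip_network((words[1], rest[1]), strict=False)
                rest = rest[2:]
            else:
                net = ipaddress.ip_network(words[1])   # host entry: /32 or /128
            restricts.append((net, [w.lower() for w in rest]))
    return servers, restricts


def effective_flags(addr: str, restricts) -> Optional[List[str]]:
    """Flags ntpd would apply to packets from addr; None if addr is a hostname."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    default: List[str] = []
    best: Optional[List[str]] = None
    best_len = -1
    for net, flags in restricts:
        if net is None:
            default = flags
        elif ip in net and net.prefixlen > best_len:   # most specific match wins
            best, best_len = flags, net.prefixlen
    return best if best is not None else default


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no problem found."""
    servers, restricts = parse(text)
    findings: List[str] = []
    if not any(net is None for net, _ in restricts):
        findings.append("no 'restrict default' line: unrestricted hosts can query and modify ntpd")
    for s in servers:
        flags = effective_flags(s, restricts)
        if flags is None:
            findings.append(f"server {s} is a hostname: restrict coverage cannot be checked, list it by IP address")
        elif "ignore" in flags:
            findings.append(f"server {s} is blocked by 'ignore': ntpd cannot synchronize to it")
        elif "nomodify" not in flags:
            findings.append(f"server {s} may modify this ntpd: add nomodify to its restrict entry")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken client", BROKEN_CLIENT_CONF),
                       ("fixed client", FIXED_CLIENT_CONF),
                       ("master", MASTER_CONF)):
        print(f"{name}: {lint(conf) or ['ok']}")
```

Run against a real file with `lint(open("/etc/ntp.conf").read())`. The broken sample yields three findings (the hostname, and both addresses blocked by the default ignore), while the two samples shaped like the recipes in this thread come back clean; the masked LAN entry in the master sample is what lets 192.0.2.20 pass without its own line.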