Red Hat Bugzilla – Bug 34813
CVE-2001-0414 ntpd security hole
Last modified: 2014-01-21 17:48:02 EST
ntpd security hole allowing the execution of arbitrary code.
Steps to Reproduce:
Run exploit as shown on bugtraq
Actual Results: ntpd crashed. Though said exploit did not successfully
execute /tmp/sh as was expected.
Expected Results: Ntpd to not be affected
Used ntp-4.0.99j-7 with RH7 for testing.
Bugtraq post: http://www.securityfocus.com/archive/1/174011
For the record, FreeBSD has fixed it (and made the exploitation attempts logged) as follows:
As far as I understood (from Bugtraq) this also affects RH 6 xntpd, right?
Logging breakin attempts would be very good, nod.
Created attachment 14723 [details]
Patch for Rawhide ntp-4.0.99k-13 -- that srpm works apparently if you have RH7 or recent rawhide, RH 6.0 doesn't like it.
Yeah, that's caused by the ugly glibc-2.2 hack (patch0).
But anyway, you should use xntp3 for RHL62 when upgrading. As the name changed, you might have a nasty surprise as xntp3 -> ntp upgrade lost the syslevel config ('chkconfig --list | grep ntp').
Attached is my patch I used for xntp3. Very similar.
Created attachment 14727 [details]
xntp3 (RHL62) patch
we are working on a fix.
Debian checked in security patches yesterday for potato -- you may want to take
a look at the patch.
The debian patch is 100% same. I think it has originated on ntp-hackers list or the like.
ALSO, when creating the errata for xntp3, please also fix the following (possible) problems
(by Jarno Huuskonen):
diff -uNr xntp3-5.93/libntp/msyslog.c xntp3-5.93.sec/libntp/msyslog.c
--- xntp3-5.93/libntp/msyslog.c Tue Aug 12 09:21:29 1997
+++ xntp3-5.93.sec/libntp/msyslog.c Wed Oct 4 19:53:08 2000
@@ -141,7 +141,7 @@
*n++ = '\n';
*n = '\0';
- vsprintf(buf, nfmt, ap);
+ vsnprintf(buf, 1024, nfmt, ap);
#if !defined(VMS) && !defined (SYS_VXWORKS)
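Review bot: the new vsnprintf call hard-codes the bound as 1024; if buf is a fixed-size array in msyslog, `vsnprintf(buf, sizeof(buf), nfmt, ap);` keeps the limit tied to the real declaration, whereas a literal silently stops protecting anything the moment the array is resized. The two context lines above (`*n++ = '\n';` / `*n = '\0';`) build nfmt with bare pointer stores, so the same review should confirm that nfmt's construction is bounded too; this hunk only bounds the final formatting step. vsnprintf also truncates silently, so an over-long message is logged cut off rather than rejected, which is fine for syslog but deserves a comment.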
diff -uNr xntp3-5.93/xntpd/ntp_io.c xntp3-5.93.sec/xntpd/ntp_io.c
--- xntp3-5.93/xntpd/ntp_io.c Fri Mar 13 03:47:05 1998
+++ xntp3-5.93.sec/xntpd/ntp_io.c Wed Oct 4 19:54:56 2000
@@ -915,7 +915,7 @@
fd, addr->sin_family, (int)ntohs(addr->sin_port),
- msyslog(LOG_ERR, buff);
+ msyslog(LOG_ERR, "%s", buff);
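Review bot: passing `"%s", buff` is the right fix here, since the context line shows buff is assembled from fd, sin_family and the port, i.e. it is data rather than a format. Because msyslog takes a printf-style format, every other call site that hands it a constructed buffer as the format argument needs the same treatment; compiling with -Wformat-security (or -Wformat=2) flags any remaining `msyslog(LOG_ERR, buff)` style calls that pass a non-literal format with no arguments.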
And can RH7.1 ship with a kosher version please:)
I'm not sure I entirely understand how NTP works (I just install it, specify a server and watch my clock stay in sync) but it would be good if it didn't offer service to others by default, i.e. it operated as a client only.
Further, is there any reason the server component needs to run as root? It only reads the current time; it seems that it's only the client that needs special rights (update the system clock)?
The server updates its own clock too.
Root privileges can be dropped if the capability to change system clock is held back. This can be done using kernel capabilities. I've made an RPM package to do this (patch and part of the packaging by Chris Wing and Jarno Huuskonen), but it requires kernel >= 2.2.18.
I hope ntp no longer runs as root in future RHL releases.
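The privilege drop described in this comment, as an added example that is not the RPM's patch or ntpd's own code: it assumes a modern Linux (capability v3 layout, capset via raw syscall(2) so no libcap is needed), and the ntpd-specific choice is keeping only CAP_SYS_TIME so the daemon can still adjust the clock after it has given up root.

```c
#include <grp.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Fill the capset() payload so that only `cap` survives: it goes in the
 * permitted and effective sets, nothing is inheritable. Returns -1 for a
 * capability number outside the two 32-bit words of the v3 layout. */
int cap_data_for(int cap, struct __user_cap_data_struct data[2])
{
    memset(data, 0, 2 * sizeof(data[0]));
    if (cap < 0 || cap > 63)
        return -1;
    data[cap / 32].permitted = 1u << (cap % 32);
    data[cap / 32].effective = 1u << (cap % 32);
    return 0;
}

/* Switch a root daemon to uid/gid while keeping only `cap` (for ntpd:
 * CAP_SYS_TIME, so it can still step/slew the clock). Must be called as
 * root; returns -1 with errno set if any step fails. Illustrative only,
 * not taken from the droproot package. */
int drop_root_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (cap_data_for(cap, data) != 0)
        return -1;
    /* Normally setuid() away from 0 clears the permitted set; KEEPCAPS
     * preserves it so we can shrink it to `cap` afterwards. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    /* Shed supplementary groups while we still hold CAP_SETGID. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The effective set was cleared by the uid change; this restores `cap`
     * and drops every other permitted capability for good. */
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}
```

Verify the result from inside the daemon (or from /proc/PID/status) by checking that CapEff and CapPrm contain only bit 25.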
Well as RedHat needs to ship 2.2.19 anyway (ptrace, plus about 17 other security
fixes) it shouldn't be a problem.
Can you post a link to the patch/package?
Also, as mentioned on bugtraq - http://www.securityfocus.com/archive/1/174372
Could RedHat ship with
restrict default ignore
in the ntp.conf by default?
I'm interested how that command _really_ affects the behaviour. Specifically,
I'd like to know whether that command drops the replies to local ntp queries
too or not. And if not, how big the time window there is for someone to spoof
As for the droproot + chroot src.rpm, it's available at
You will also need libcap library from the same location (original from PLD; not
for RHL at this point, but works).
Please also see:
Modified files: (Branch: RELENG_4)
MFC revs 1.3 and 1.4:
- Correct off-by-one error and buffer underflow from previous fix
- int -> unsigned char fixes
- Prevent potential syslog DoS
Bug fixed, update notices sent, marking resolved.
Relevant upstream patch: