Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» NetBSD » Ntpd privilege escalation

Ntpd privilege escalation

When started with the -u parameter, and passed a group to run as, ntpd will use the primary group of the user and not the provided group.

  • Vendor: NetBSD
  • Vendor ID: 2005-011
  • Date: November 08, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2005-011
=================================

Topic: ntpd may start with different group id than desired

Version: NetBSD-current: source prior to October 14, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0.2: affected
NetBSD 2.0.1: affected
NetBSD 1.6.*: affected
pkgsrc: ntp packages prior to 4.2.0nb7

Severity: privilege escalation

Fixed: NetBSD-current: October 14, 2005
NetBSD-3 branch: October 14, 2005
(3.0 will include the fix)
NetBSD-2.1 branch: November 1, 2005
(2.1.1 will include the fix)
NetBSD-2.0 branch: November 1, 2005
(2.0.4 will include the fix)
NetBSD-2 branch: November 1, 2005
NetBSD-1.6 branch: November 1, 2005
pkgsrc: ntp-4.2.0nb7 corrects this issue


Abstract
========

When started with the -u parameter, and passed a group to run as, ntpd will
use the primary group of the user and not the provided group.

This vulnerability has been assigned CVE reference CAN-2005-2496.


Technical Details
=================

When invoked with the ``-u user:group'' or ``-u :group'' parameter, with
the group being specified as a group name, ntpd always accessed the
``pw_gid'' member of the credentials for ``user'', instead of the ``gr_gid''
member of the credentials for ``group''.

When both a user and group were specified, this meant ntpd ran with
the group-id being set to the primary group of the user. When only a
group was specified, ntpd would access an uninitialized pointer, which
would result in undefined behavior.

In a worst case scenario, when started with ``-u :group'' it could run
with root privileges. Another vulnerability would then be required to
maliciously exploit those privileges.


Solutions and Workarounds
=========================

The default NetBSD running ntp configuration is not vulnerable to this
bug, since the ntpd user has the correct primary group id.

However, it is recommended that all users of affected versions update their
ntpd to include the fix.

The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd.

* NetBSD-current:

Systems running NetBSD-current dated from before 2005-10-13
should be upgraded to NetBSD-current dated 2005-10-14 or later.

The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
src/dist/ntp/ntpd/ntpd.c

To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


* NetBSD 2.*:

Systems running NetBSD 2.* sources dated from before
2005-11-01 should be upgraded from NetBSD 2.* sources dated
2005-11-02 or later.

The following file needs to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
dist/ntp/ntpd/ntpd.c

To update from CVS, re-build, and re-install ntpd:

# cd src
# cvs update -d -P -r netbsd-2 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


* NetBSD 1.6.*:

Systems running NetBSD 1.6 sources dated from before
2005-11-01 should be upgraded from NetBSD 1.6 sources dated
2005-11-02 or later.

NetBSD 1.6.3 will include the fix.

The following file needs to be updated from the
netbsd-1-6 CVS branch:
dist/ntp/ntpd/ntpd.c

To update from CVS, re-build, and re-install ntpd:

# cd src
# cvs update -d -P -r netbsd-1-6 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install



Thanks To
=========

Josh Bressers for reporting the bug to Secunia.
Adrian Portelli for reporting the bug to the NetBSD Security Officer.


Revision History
================

2005-11-01 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-011.txt,v 1.6 2005/10/31 22:21:02 dan Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fJ+j5Ru2/4N2IFAQIYnQQAkHVFd+AP/+iNH5hp3Gz308N9G0D+boLu
FtdHGvUZ56YOQvhG+H5vTxse2TyIeV9QkZSfLRLiu+IEx6GaqZKTlOOihIxKjLJ1
Qp/EA1qjFpcGxhJyxwNT2uBKjSXD3lco0bIS94HJ0c3aBO5eRfbaOfsA9/LtjY+s
Gmg3wKQgJbc=
=L/AK
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »