| Topic: |
ntpd may start with different group id than desired |
|
|
| Version: |
NetBSD-current: source prior to October 14, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0.2: affected
NetBSD 2.0.1: affected
NetBSD 1.6.*: affected
pkgsrc: ntp packages prior to 4.2.0nb7 |
| Severity: |
privilege escalation |
| Fixed: |
NetBSD-current: October 14, 2005
NetBSD-3 branch: October 14, 2005 (3.0 will include the fix)
NetBSD-2.1 branch: November 1, 2005 (2.1.1 will include the fix)
NetBSD-2.0 branch: November 1, 2005 (2.0.4 will include the fix)
NetBSD-2 branch: November 1, 2005
NetBSD-1.6 branch: November 1, 2005
pkgsrc: ntp-4.2.0nb7 corrects this issue |
Abstract
When started with the -u parameter, and passed a group to run as, ntpd will
use the primary group of the user and not the provided group.
This vulnerability has been assigned CVE reference CAN-2005-2496.
Technical Details
When invoked with the ``-u user:group'' or ``-u :group'' parameter, with
the group being specified as a group name, ntpd always accessed the
``pw_gid'' member of the credentials for ``user'', instead of the ``gr_gid''
member of the credentials for ``group''.
When both a user and group were specified, this meant ntpd ran with
the group-id being set to the primary group of the user. When only a
group was specified, ntpd would access an uninitialized pointer, which
would result in undefined behavior.
In a worst case scenario, when started with ``-u :group'' it could run
with root privileges. Another vulnerability would then be required to
maliciously exploit those privileges.
Solutions and Workarounds
The default NetBSD running ntp configuration is not vulnerable to this
bug, since the ntpd user has the correct primary group id.
However, it is recommended that all users of affected versions update their
ntpd to include the fix.
The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-10-13
should be upgraded to NetBSD-current dated 2005-10-14 or later.
The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
src/dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.*:
Systems running NetBSD 2.* sources dated from before
2005-11-01 should be upgraded from NetBSD 2.* sources dated
2005-11-02 or later.
The following file needs to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P -r netbsd-2 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6.*:
Systems running NetBSD 1.6 sources dated from before
2005-11-01 should be upgraded from NetBSD 1.6 sources dated
2005-11-02 or later.
NetBSD 1.6.3 will include the fix.
The following file needs to be updated from the
netbsd-1-6 CVS branch:
dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P -r netbsd-1-6 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
Josh Bressers for reporting the bug to Secunia.
Adrian Portelli for reporting the bug to the NetBSD Security Officer.
Revision History
2005-11-01 Initial release
More Information
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/
and
http://www.NetBSD.org/Security/ .
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form. |
Security Advisory 
Postfix - "Krok po kroku" v1.1
sdi.sh
uEagle 1.0p1
