From: Buhrmaster, Gary (gtbSLAC.STANFORD.EDU)
Date: Fri Apr 06 2001 - 14:00:42 CDT

    I believe, for most implementations, that for all
    clients you can do a

       restrict default ignore
       restrict <time1.server.ip> noquery nomodify notrap nopeer
       restrict <time2.server.ip> noquery nomodify notrap nopeer

    to eliminate most exposure from the reported overflow.

    On your (local) time masters, you would have to do something
    like

       restrict default ignore
       restrict <your.network> mask <your.netmask> noquery nomodify notrap nopeer notrust
       restrict <higher_stratum.server1.ip> noquery nomodify notrap
       restrict <higher_stratum.server2.ip> noquery nomodify notrap

    You will also have to specify the time servers by IP address,
    and you will need to include the "special" ip address of
    127.127.1.0 if you use fallback to the local clock.

    Gary

    > -----Original Message-----
    > From: Jan Kluka [mailto:klukaDANKA.II.FMPH.UNIBA.SK]
    > Sent: Friday, April 06, 2001 7:58 AM
    > To: BUGTRAQSECURITYFOCUS.COM
    > Subject: Re: ntpd =< 4.0.99k remote buffer overflow
    >
    >
    > On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
    > ...
    > > Just a quick note to save others a bit of legwork... If you are running
    > > ntpd on a machine simply as a client, the following line in /etc/ntp.conf
    > > should keep people away:
    > >
    > > restrict default ignore
    > >
    > > Before adding this (I actually had the wrong syntax), the exploit crashed
    > > ntpd. Afterwards, not a blip, and ntpdate shows that ntpd is not
    > > answering anything...
    >
    > Time servers which ntpd is synchronized to, are also subjected to the
    > restriction. So, if this is the only `restrict' in your ntp.conf, it also
    > prevents synchronization to the time server.
    >
    > Besides `restrict default ignore' there should be
    >
    > restrict time.server.address nomodify
    >
    > for every 'server time.server.address' in your ntp.conf.
    >
    > Now, ntpd can be crashed/exploited only by evil queries coming from
    > time.server.address (or by UDP-spoofed queries from anywhere else :-/).
    >
    > JK
    >

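The rules discussed in this thread (a `restrict default ignore` baseline, a `restrict` entry for every `server`, servers given by IP address, and 127.127.1.0 covered when the local clock is used) can be checked mechanically. The Python sketch below is an added example, not part of the original messages; the helper name `audit_ntp_conf`, the sample addresses, and the choice to require `noquery nomodify notrap` on each server entry are assumptions, and restrict lines are matched by exact address only (`mask` entries are not expanded).

```python
import ipaddress
# Assumption: the flags Gary's message puts on every time-server entry.
WANTED_FLAGS = {"noquery", "nomodify", "notrap"}

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_ntp_conf(conf_text):
    """Return findings for an ntp.conf passed as a string (hypothetical helper)."""
    servers, restricts = [], {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        if fields[0] == "server":
            servers.append(fields[1])
        elif fields[0] == "restrict":
            restricts[fields[1]] = set(fields[2:])  # exact address -> flags
    findings = []
    if "ignore" not in restricts.get("default", set()):
        findings.append("missing 'restrict default ignore'")
    for host in servers:  # includes 127.127.1.0 when the local clock is used
        if not is_ip(host):
            findings.append(f"{host}: server given by name, not by IP address")
        elif host not in restricts:
            findings.append(f"{host}: no restrict line; 'default ignore' would block it")
        elif missing := WANTED_FLAGS - restricts[host]:
            findings.append(f"{host}: restrict lacks {' '.join(sorted(missing))}")
    return findings

# Constructed sample configs (documentation addresses, not real servers).
GOOD = """\
restrict default ignore
restrict 192.0.2.10 noquery nomodify notrap nopeer
server 192.0.2.10
"""
BAD = """\
restrict default ignore
restrict 192.0.2.10 nomodify
server 192.0.2.10
server time.example.net
server 127.127.1.0   # local clock fallback, no restrict entry
"""

if __name__ == "__main__":
    print("\n".join(audit_ntp_conf(BAD)))
```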