A patch for the U. of Delaware ntp daemon to patch the (possibly suspect)
root hack is available at the location below:
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
Thanks to:
dr john halewood [john_at_frumious.unidec.co.uk]
Darryl Cook [dlc_at_cs.appstate.edu]
Arrigo Triulzi [arrigo_at_albourne.com]
Ann Majeske [Ann.Majeske_at_compaq.com]
Robert M. Lang [lang_at_isis.mit.edu]
Mike Iglesias [iglesias_at_draco.acs.uci.edu]
David L. Mills [mills_at_udel.edu]
Dave Mills' response on the state of the project CVS tree is below (I had
checked the tree and the readme in the distribution and did not find mention
of the problem):
> Did you see my message to the newsgroup? It has a blow-by-blow
> description of the problem, the status and the distribution. Yes, the
> distribution has the patch. I don't maintain the CVS and the volunteer
> maintainer cannot be found, so I rolled the distribution directly from
> the master sources. This means the CVS is probably not in synch at this
> particular moment.
An earlier response from Dave to comp.protocols.time.ntp regarding the
robustness of the hack is below:
> There is indeed a vulnerability in all versions of NTP since 1990. A
> simple generic patch applies to all versions and has been submitted to
> the CERT. Without it and subject to intricate machine/OS/compiler
> analysis it is possible to coredump the daemon. It seems very unlikely
> that the vulnerability can extend to root compromise. From what I can
> determine here, and reported to the CERT, the test program that purports
> to reveal the consequences of the problem, in particular a possible root
> compromise, is broken and cannot be relied upon to present the facts.
> This is not to say that the
> vulnerability does not exist, just that the test program is not a
> reliable indicator. For instance, the program reports a compromise when
> the NTP daemon was in fact not running at all. Further investigation
> should clarify the situation, but for now the hazard may have been
> exaggerated.
I'm also including a copy of Ann's reply for those running the Compaq
version:
> I haven't found any official information here at Compaq (yet) about
> this vulnerability. I'd say it is possible that we have it, so you
> should act as if we do until you find out for sure. It would be a
> good idea if you open a problem report with Compaq support requesting
> a formal statement of whether we're vulnerable and/or a patch if we
> are. The sooner this gets reported through support, the faster it
> will get resolved.
-----Original Message-----
From: Russ Fish [mailto:rfish_at_oz.net]
Sent: Friday, April 06, 2001 10:01 AM
To: Tru64 Unix Managers
Subject: related question (was: security hole in xntpd)
A related question to Bob's--any impact on U of Delaware's ntp daemon 4.0x
(http://www.eecis.udel.edu/~ntp/)?
--------- Bob's original msg below ---------------
Dear all,
A major security hole (remote root hack) has been discovered in xntpd on
other Unix systems. Does anyone know whether Tru64 is vulnerable to this?
I have killed all my xntpd processes pending clarification...better the
clock drifting a few seconds than a root compromise.
Thanks,
Bob
==============================================================
Bob Vickers R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Received on Sun Apr 08 2001 - 02:17:29 NZST