Ubuntu
ntp package

NTP statsdir cleanup cronjob insecure

Bug #1528050 reported by halfdog
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ntp (Ubuntu)
Fix Released
Undecided
Unassigned
Wily
Won't Fix
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned

Bug Description

The cronjob script bundled with ntp package on Ubuntu Wily is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.

Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges. The problematic parts in /etc/cron.daily/ntp are:

find "$statsdir" -type f -mtime +7 -exec rm {} \;

# compress whatever is left to save space
cd "$statsdir"
ls *stats.???????? > /dev/null 2>&1
if [ $? -eq 0 ]; then
  # Note that gzip won't compress the file names that
  # are hard links to the live/current files, so this
  # compresses yesterday and previous, leaving the live
  # log alone. We supress the warnings gzip issues
  # about not compressing the linked file.
  gzip --best --quiet *stats.????????

Relevant targets are:

    find and rm invocation is racy, symlinks on rm
    rm can be invoked with one attacker controlled option
    ls can be invoked with arbitrary number of attacker controlled command line options
    gzip can be invoked with arbitrary number of attacker controlled options

See http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/ for working user ntp to root privilege escalation exploit (User: InvitedOnly, Pass: wtq39EiZ), sharing policy is attached to this issue.

# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
# apt-cache policy ntp
ntp:
  Installed: 1:4.2.6.p5+dfsg-3ubuntu8.1
  Candidate: 1:4.2.6.p5+dfsg-3ubuntu8.1
  Version table:
 *** 1:4.2.6.p5+dfsg-3ubuntu8.1 0
        500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.6.p5+dfsg-3ubuntu8 0
        500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages

See original description
Tags: patch
Revision history for this message
halfdog (halfdog) wrote :
Revision history for this message
halfdog (halfdog) wrote :
halfdog (halfdog)
description: updated
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thank you for the report halfdog; we're currently on holidays with very little coverage until the new year. Do you mind if we investigate this further in the new year?

Thanks for the fine report! Good work as always.

Changed in ntp (Ubuntu):
status: New → Confirmed
Revision history for this message
halfdog (halfdog) wrote :

I have already informed NTP upstream, but I guess they will also need some time to do their work. I will try to assist upstream in fixing and hold the issue back from my side. So unless upstream wants to march on at their pace or unless you have objections, I would try to kick it into the oss-security distros list around 2015-12-30, thus you having time till 2016-01-12 before embargo time ends (unless other distros have objections).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

halfdog, can I make this bug public now?

Revision history for this message
halfdog (halfdog) wrote :

Done: Is is public via http://www.openwall.com/lists/oss-security/2016/01/21/7 anyway.

information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch just securing commands as they are" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I'm afraid this might have been lost in tracking.
Also adding Security team (since it is a CVE) and setting triaged as a patch that seems reasonable is available.

Changed in ntp (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu6

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu6) yakkety; urgency=medium

  * SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
    - debian/patches/CVE-2015-7973.patch: improve timestamp verification in
      include/ntp.h, ntpd/ntp_proto.c.
    - CVE-2015-7973
  * SECURITY UPDATE: impersonation between authenticated peers
    - debian/patches/CVE-2015-7974.patch: check key ID in ntpd/ntp_proto.c.
    - CVE-2015-7974
  * SECURITY UPDATE: ntpq buffer overflow
    - debian/patches/CVE-2015-7975.patch: add length check to ntpq/ntpq.c.
    - CVE-2015-7975
  * SECURITY UPDATE: ntpq saveconfig command allows dangerous characters in
    filenames
    - debian/patches/CVE-2015-7976.patch: check filename in
      ntpd/ntp_control.c.
    - CVE-2015-7976
  * SECURITY UPDATE: restrict list denial of service
    - debian/patches/CVE-2015-7977-7978.patch: improve restrict list
      processing in ntpd/ntp_request.c.
    - CVE-2015-7977
    - CVE-2015-7978
  * SECURITY UPDATE: authenticated broadcast mode off-path denial of
    service
    - debian/patches/CVE-2015-7979.patch: add more checks to
      ntpd/ntp_proto.c.
    - CVE-2015-7979
    - CVE-2016-1547
  * SECURITY UPDATE: Zero Origin Timestamp Bypass
    - debian/patches/CVE-2015-8138.patch: check p_org in ntpd/ntp_proto.c.
    - CVE-2015-8138
  * SECURITY UPDATE: potential infinite loop in ntpq
    - debian/patches/CVE-2015-8158.patch: add time checks to ntpdc/ntpdc.c,
      ntpq/ntpq.c.
    - CVE-2015-8158
  * SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
    - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
    - CVE-2016-0727
  * SECURITY UPDATE: time spoofing via interleaved symmetric mode
    - debian/patches/CVE-20xx-xxxx.patch: check for bogus packets in
      ntpd/ntp_proto.c.
    - CVE-2016-1548
  * SECURITY UPDATE: buffer comparison timing attacks
    - debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in
      libntp/a_md5encrypt.c, sntp/crypto.c.
    - CVE-2016-1550
  * SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
    - debian/patches/CVE-2016-2516.patch: improve logic in
      ntpd/ntp_request.c.
    - CVE-2016-2516
  * SECURITY UPDATE: denial of service via crafted addpeer
    - debian/patches/CVE-2016-2518.patch: check mode value in
      ntpd/ntp_request.c.
    - CVE-2016-2518

 -- Marc Deslauriers <email address hidden> Wed, 01 Jun 2016 08:38:07 -0400

Changed in ntp (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Wily has reached end of support, closing as Won't Fix.

Changed in ntp (Ubuntu Wily):
status: New → Won't Fix
Changed in ntp (Ubuntu Xenial):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.3

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
    - debian/patches/CVE-2015-7973.patch: improve timestamp verification in
      include/ntp.h, ntpd/ntp_proto.c.
    - CVE-2015-7973
  * SECURITY UPDATE: impersonation between authenticated peers
    - debian/patches/CVE-2015-7974.patch: check key ID in ntpd/ntp_proto.c.
    - CVE-2015-7974
  * SECURITY UPDATE: ntpq buffer overflow
    - debian/patches/CVE-2015-7975.patch: add length check to ntpq/ntpq.c.
    - CVE-2015-7975
  * SECURITY UPDATE: ntpq saveconfig command allows dangerous characters in
    filenames
    - debian/patches/CVE-2015-7976.patch: check filename in
      ntpd/ntp_control.c.
    - CVE-2015-7976
  * SECURITY UPDATE: restrict list denial of service
    - debian/patches/CVE-2015-7977-7978.patch: improve restrict list
      processing in ntpd/ntp_request.c.
    - CVE-2015-7977
    - CVE-2015-7978
  * SECURITY UPDATE: authenticated broadcast mode off-path denial of
    service
    - debian/patches/CVE-2015-7979.patch: add more checks to
      ntpd/ntp_proto.c.
    - CVE-2015-7979
    - CVE-2016-1547
  * SECURITY UPDATE: Zero Origin Timestamp Bypass
    - debian/patches/CVE-2015-8138.patch: check p_org in ntpd/ntp_proto.c.
    - CVE-2015-8138
  * SECURITY UPDATE: potential infinite loop in ntpq
    - debian/patches/CVE-2015-8158.patch: add time checks to ntpdc/ntpdc.c,
      ntpq/ntpq.c.
    - CVE-2015-8158
  * SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
    - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
    - CVE-2016-0727
  * SECURITY UPDATE: time spoofing via interleaved symmetric mode
    - debian/patches/CVE-2016-1548.patch: check for bogus packets in
      ntpd/ntp_proto.c.
    - CVE-2016-1548
  * SECURITY UPDATE: buffer comparison timing attacks
    - debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in
      libntp/a_md5encrypt.c, sntp/crypto.c.
    - CVE-2016-1550
  * SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
    - debian/patches/CVE-2016-2516.patch: improve logic in
      ntpd/ntp_request.c.
    - CVE-2016-2516
  * SECURITY UPDATE: denial of service via crafted addpeer
    - debian/patches/CVE-2016-2518.patch: check mode value in
      ntpd/ntp_request.c.
    - CVE-2016-2518
  * SECURITY UPDATE: denial of service via spoofed packets
    - debian/patches/CVE-2016-4954.patch: discard packet that fails tests
      in ntpd/ntp_proto.c.
    - CVE-2016-4954
  * SECURITY UPDATE: denial of service via spoofed crypto-NAK or incorrect
    MAC
    - debian/patches/CVE-2016-4955.patch: fix checks in ntpd/ntp_proto.c.
    - CVE-2016-4955
  * SECURITY UPDATE: denial of service via spoofed broadcast packet
    - debian/patches/CVE-2016-4956.patch: properly handle switch in
      broadcast interleaved mode in ntpd/ntp_proto.c.
    - CVE-2016-4956

 -- Marc Deslauriers <email address hidden> Wed, 05 Oct 2016 08:01:29 -0400

Changed in ntp (Ubuntu Xenial):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.