ntpd vulnerabilities
Dag-Erling Smørgrav
des at des.no
Tue Dec 23 13:18:44 UTC 2014
Joe Malcolm <jmalcolm at uraeus.com> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > These work on a "last match" basis. The latter three lines lift all
> > restrictions for localhost, so you can still "ntpq -pn" your own
> > server, but nobody else can.
> Thanks. So, if I understand correctly, the shipped config is
> vulnerable to local (same-host) attackers, not remote ones.
Broadly, yes. Restricting requests from localhost makes it impossible
to monitor your own server, because ntpdc and ntpq talk to ntpd over UDP
to localhost rather than a Unix socket, which could be protected by file
permissions. Implementing a Unix socket for ntpdc / ntpq is left as an
exercise to the reader.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list