Published: 2005-09-02 13:03:00
Revised: 2011-03-07 21:24:36

[Original] The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.

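[CNNVD] NTPD Insecure Permissions Vulnerability (CNNVD-200509-032)

        In versions of the xntpd ntp (ntpd) daemon before 4.2.0b, when it is run with the -u option and a string is used to specify the group, the group ID of the user is used instead of the group. This causes xntpd to run with privileges different from those intended.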

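- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]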

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:9669 The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the use...

- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(PATCH)  XF  ntp-incorrect-group-permissions(22035)
(UNKNOWN)  VUPEN  ADV-2005-1561
(UNKNOWN)  BID  14673

- Vulnerability Information

NTPD Insecure Permissions Vulnerability
Medium risk  Design error
2005-09-02 00:00:00 2005-10-20 00:00:00
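        In versions of the xntpd ntp (ntpd) daemon before 4.2.0b, when it is run with the -u option and a string is used to specify the group, the group ID of the user is used instead of the group. This causes xntpd to run with privileges different from those intended.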

- Advisories and Patches


- Vulnerability Information (F39849)

Debian Linux Security Advisory 801-1 (PacketStormID:F39849)
2005-09-07 00:00:00

Debian Security Advisory DSA 801-1 - SuSE developers discovered that ntp confuses the given group id with the group id of the given user when called with a group id on the commandline that is specified as a string and not as a numeric gid, which causes ntpd to run with different privileges than intended.

--------------------------------------------------------------------------
Debian Security Advisory DSA 801-1                                        Martin Schulze
September 5th, 2005
--------------------------------------------------------------------------

Package        : ntp
Vulnerability  : programming error
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-2496

SuSE developers discovered that ntp confuses the given group id with
the group id of the given user when called with a group id on the
commandline that is specified as a string and not as a numeric gid,
which causes ntpd to run with different privileges than intended.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 4.2.0a+stable-2sarge1.

The unstable distribution (sid) is not affected by this problem.

We recommend that you upgrade your ntp-server package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

- Vulnerability Information

NTP ntpd -u Group Permission Weakness

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-08-29 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.2.0b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
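
A check for the condition described in this entry, added here as an example and not taken from the ntp project or the advisories: it resolves the group named in a `-u user:group` argument and compares it with the effective GID found in `/proc/<pid>/status` text. The account entries, status text and function names are constructed for illustration, and the user part is assumed to be given by name.

```python
# Constructed sample data in /etc/passwd, /etc/group and /proc/<pid>/status format.
PASSWD = "root:x:0:0::/root:/bin/sh\nntp:x:101:100::/var/lib/ntp:/bin/false\n"
GROUP = "root:x:0:\nusers:x:100:\nntp:x:102:\n"
STATUS_AFFECTED = "Name:\tntpd\nUid:\t101\t101\t101\t101\nGid:\t100\t100\t100\t100\n"
STATUS_FIXED = "Name:\tntpd\nUid:\t101\t101\t101\t101\nGid:\t102\t102\t102\t102\n"


def column(db_text, index):
    """Map entry name -> integer field `index` of colon-separated db text."""
    rows = (line.split(":") for line in db_text.splitlines() if line.strip())
    return {row[0]: int(row[index]) for row in rows}


def intended_gid(u_arg, group_db=GROUP):
    """GID requested in '-u user:group'; None when no group part is given."""
    _, sep, grp = u_arg.partition(":")
    if not sep or not grp:
        return None
    # A numeric group is used as-is; a name is looked up in the group db.
    return int(grp) if grp.isdigit() else column(group_db, 2)[grp]


def user_primary_gid(u_arg, passwd_db=PASSWD):
    """Primary GID of the named user: the value this entry says gets applied."""
    return column(passwd_db, 3)[u_arg.partition(":")[0]]


def effective_gid(status_text):
    """Effective GID: second number on the 'Gid:' line (real, effective, ...)."""
    for line in status_text.splitlines():
        if line.startswith("Gid:"):
            return int(line.split()[2])
    raise ValueError("no Gid: line in status text")


def audit(u_arg, status_text):
    """Classify a running ntpd against the group requested on its command line."""
    want = intended_gid(u_arg)
    if want is None:
        return "no group requested"
    have = effective_gid(status_text)
    if have == want:
        return "ok"
    if have == user_primary_gid(u_arg):
        return "mismatch: running with the user's primary group"
    return "mismatch: unexpected group"
```

On a live host the same functions can be fed the contents of `/etc/passwd`, `/etc/group` and `/proc/<pid>/status` for the ntpd process.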

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

NTPD Insecure Privileges Vulnerability
Design Error 14673
Yes No
2005-08-27 12:00:00 2006-09-05 11:33:00
Thomas Biege is credited with the discovery of this vulnerability.

- Affected Program Versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
NTP NTPd 4.2.0a
NTP NTPd 4.2
NTP NTPd 4.1
NTP NTPd 4.0
NetBSD NetBSD 2.1
NetBSD NetBSD 2.0.3
NetBSD NetBSD 2.0.2
NetBSD NetBSD 2.0.1
NetBSD NetBSD 1.6.2
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6 beta
NetBSD NetBSD 1.6
NetBSD NetBSD Current
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Conectiva Linux 10.0
NTP NTPd 4.2.0b

- Unaffected Program Versions

NTP NTPd 4.2.0b

- Vulnerability Discussion

The ntpd daemon is prone to an insecure privileges vulnerability.

The application may be started with the effective permissions of a privileged user; if the application is compromised by some other means, this may allow an attacker to conduct further exploits.

- Exploit

No exploit is required.

- Solution

The vendor has released an update to correct this vulnerability.

Please see the referenced advisories for more information.

Red Hat Fedora Core3

Conectiva Linux 10.0

NTP NTPd 4.0

NTP NTPd 4.1

NTP NTPd 4.2

NTP NTPd 4.2.0a

- Related References