tech-security: NetBSD Security Advisory 2005-011: ntpd may start with different group id than desired

Subject: NetBSD Security Advisory 2005-011: ntpd may start with different group id than desired
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/08/2005 09:59:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-011
		 =================================

Topic:		ntpd may start with different group id than desired

Version:	NetBSD-current:	source prior to October 14, 2005
		NetBSD 2.1:	affected
		NetBSD 2.0.3:	affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0.1:	affected
		NetBSD 1.6.*:	affected
		pkgsrc:		ntp packages prior to 4.2.0nb7

Severity:	privilege escalation

Fixed:		NetBSD-current:		October 14, 2005
		NetBSD-3 branch:	October 14, 2005 
					   (3.0 will include the fix)
		NetBSD-2.1 branch:	November 1, 2005 
					   (2.1.1 will include the fix)
		NetBSD-2.0 branch:	November 1, 2005 
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	November 1, 2005 
		NetBSD-1.6 branch:	November 1, 2005 
		pkgsrc:			ntp-4.2.0nb7 corrects this issue


Abstract
========

When started with the -u parameter, and passed a group to run as, ntpd will
use the primary group of the user and not the provided group.

This vulnerability has been assigned CVE reference CAN-2005-2496.


Technical Details
=================

When invoked with the ``-u user:group'' or ``-u :group'' parameter, with
the group being specified as a group name, ntpd always accessed the
``pw_gid'' member of the credentials for ``user'', instead of the ``gr_gid''
member of the credentials for ``group''.

When both a user and group were specified, this meant ntpd ran with
the group-id being set to the primary group of the user. When only a
group was specified, ntpd would access an uninitialized pointer, which
would result in undefined behavior.

In a worst case scenario, when started with ``-u :group'' it could run
with root privileges.  Another vulnerability would then be required to
maliciously exploit those privileges.


Solutions and Workarounds
=========================

The default NetBSD running ntp configuration is not vulnerable to this
bug, since the ntpd user has the correct primary group id.

However, it is recommended that all users of affected versions update their
ntpd to include the fix.

The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-10-13
	should be upgraded to NetBSD-current dated 2005-10-14 or later.

	The following file needs to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/dist/ntp/ntpd/ntpd.c

	To update from CVS, re-build, and re-install ntpd:
		# cd src
		# cvs update -d -P dist/ntp/ntpd/ntpd.c
		# cd usr.sbin/ntp
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2005-11-01 should be upgraded from NetBSD 2.* sources dated
	2005-11-02 or later.

	The following file needs to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
		dist/ntp/ntpd/ntpd.c

	To update from CVS, re-build, and re-install ntpd:

		# cd src
		# cvs update -d -P -r netbsd-2 dist/ntp/ntpd/ntpd.c
		# cd usr.sbin/ntp
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6.*:

	Systems running NetBSD 1.6 sources dated from before
	2005-11-01 should be upgraded from NetBSD 1.6 sources dated
	2005-11-02 or later.

	NetBSD 1.6.3 will include the fix.

	The following file needs to be updated from the
	netbsd-1-6 CVS branch:
		dist/ntp/ntpd/ntpd.c

	To update from CVS, re-build, and re-install ntpd:

		# cd src
		# cvs update -d -P -r netbsd-1-6 dist/ntp/ntpd/ntpd.c
		# cd usr.sbin/ntp
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install



Thanks To
=========

Josh Bressers for reporting the bug to Secunia.
Adrian Portelli for reporting the bug to the NetBSD Security Officer.


Revision History
================

	2005-11-01	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-011.txt,v 1.6 2005/10/31 22:21:02 dan Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fJ+j5Ru2/4N2IFAQIYnQQAkHVFd+AP/+iNH5hp3Gz308N9G0D+boLu
FtdHGvUZ56YOQvhG+H5vTxse2TyIeV9QkZSfLRLiu+IEx6GaqZKTlOOihIxKjLJ1
Qp/EA1qjFpcGxhJyxwNT2uBKjSXD3lco0bIS94HJ0c3aBO5eRfbaOfsA9/LtjY+s
Gmg3wKQgJbc=
=L/AK
-----END PGP SIGNATURE-----