touch-packages team mailing list archive

Thread
Date

[Bug 1528050] Re: NTP statsdir cleanup cronjob insecure

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Robie Basak <1528050@xxxxxxxxxxxxxxxxxx>
Date: Thu, 04 Feb 2016 13:53:22 -0000
Reply-to: Bug 1528050 <1528050@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: ntp (Ubuntu Wily)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1528050

Title:
  NTP statsdir cleanup cronjob insecure

Status in ntp package in Ubuntu:
  Confirmed
Status in ntp source package in Wily:
  New

Bug description:
  The cronjob script bundled with ntp package on Ubuntu Wily is intended
  to perform cleanup on statistics files produced by NTP daemon running
  with statistics enabled. The script is run as root during the daily
  cronjobs all operations on the ntp-user controlled statistics
  directory without switching to user ntp. Thus all steps are performed
  with root permissions in place.

  Due to multiple bugs in the script, a malicious ntp user can make the
  backup process to overwrite arbitrary files with content controlled by
  the attacker, thus gaining root privileges. The problematic parts in
  /etc/cron.daily/ntp are:

  find "$statsdir" -type f -mtime +7 -exec rm {} \;

  # compress whatever is left to save space
  cd "$statsdir"
  ls *stats.???????? > /dev/null 2>&1
  if [ $? -eq 0 ]; then
    # Note that gzip won't compress the file names that
    # are hard links to the live/current files, so this
    # compresses yesterday and previous, leaving the live
    # log alone.  We supress the warnings gzip issues
    # about not compressing the linked file.
    gzip --best --quiet *stats.????????

  Relevant targets are:

      find and rm invocation is racy, symlinks on rm
      rm can be invoked with one attacker controlled option
      ls can be invoked with arbitrary number of attacker controlled command line options
      gzip can be invoked with arbitrary number of attacker controlled options

  See
  http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
  for working user ntp to root privilege escalation exploit (User:
  InvitedOnly, Pass: wtq39EiZ), sharing policy is attached to this
  issue.

  # lsb_release -rd
  Description:    Ubuntu 15.10
  Release:        15.10
  # apt-cache policy ntp
  ntp:
    Installed: 1:4.2.6.p5+dfsg-3ubuntu8.1
    Candidate: 1:4.2.6.p5+dfsg-3ubuntu8.1
    Version table:
   *** 1:4.2.6.p5+dfsg-3ubuntu8.1 0
          500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:4.2.6.p5+dfsg-3ubuntu8 0
          500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050/+subscriptions