Bug 65684 (CVE-2005-2496)

Summary: VUL-0: CVE-2005-2496: xntpd: using wrong group for dropping privileges
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Hendrik Vogelsang <hvogel>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-2496: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: ntpd-using_wrong_group.diff

Description Thomas Biege 2005-02-10 19:26:52 UTC 
Hi, 
this one was reported to us 
 
From: Dax Kelson <dax@gurulabs.com> 
To: security@suse.de 
Date: Wed, 09 Feb 2005 17:03:00 -0700 
Subject: [security@suse.de] *SECURITY* problem with SLES9 and SL9.2 
Errors-To: security-bounces+thomas=suse.de@suse.de 
 
Historically many security problems have been discovered with the NTP 
daemon, ntpd. Because of this modern Linux distributions don't run ntpd 
as root any more and have it drop privileges. 
 
This is only done part way on SLES9 and SL9.2. 
 
# ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup 
COMMAND            PID RUSER    EUSER    RGROUP   EGROUP 
ntpd              6149 ntp      ntp      root     root 
 
You see that the group is still root.  This is a real security problem, 
but not a huge one in a system with the default configuration as ntpd is 
chrooted by to a directory tree and none of the files in it are writable 
by the root group. 
 
The solution is to add a "ntp" group to the system and change the SysV 
init script to use "-u ntp:ntp" instead of the current "-u ntp". 
 
Dax Kelson 
Guru Labs
Comment 1 Thomas Biege 2005-02-10 19:26:52 UTC 
<!-- SBZ_reproduce  -->
rcxntpd start 
ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
Comment 2 Thomas Biege 2005-02-10 19:30:38 UTC 
Debugging the problem revealed that the source of the evil is a bug in the 
ntpd.c code. 
 
Using a numerical GID works but not using a string. If a string was used the 
ntpd daemon looks up the gid to the corresponding name and then uses the 
gid of the user to switch to and not the gid of the group. ;)
Comment 3 Thomas Biege 2005-02-10 19:31:34 UTC 
Created attachment 28383 [details]
ntpd-using_wrong_group.diff
Comment 4 Thomas Biege 2005-02-10 19:32:56 UTC 
I think a stable-only fix will suffice because the group 'ntp' belongs to  
'nogroup' which isn't a dangerous substitute for any other group.
Comment 5 Hendrik Vogelsang 2005-02-10 19:55:55 UTC 
But in stable we dont start ntpd with a group argument. So it uses root. Is that
ok too?

The patch works by the way,,,
Comment 6 Hendrik Vogelsang 2005-02-10 19:58:11 UTC 
sorry that was mixed up.

If we only fix it in stable then on released producta ntpd runs with the group
root and not with nogroup. Because we dont use the group argument there
Comment 7 Thomas Biege 2005-02-10 20:09:29 UTC 
oh.. i see. 
 
don't care. let's fix it in stable only and add it to xntp for possible future 
updates.
Comment 8 Hendrik Vogelsang 2005-02-10 20:15:03 UTC 
ok so i use a group argument (ntp:nogroup) plus your patch if anybody wants to
use another group.
Comment 9 Hendrik Vogelsang 2005-02-10 20:58:13 UTC 
checked in
Comment 10 Thomas Biege 2005-08-26 07:43:21 UTC 
CAN-2005-2496
Comment 11 Thomas Biege 2009-10-13 21:04:40 UTC 
CVE-2005-2496: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)