2015-12-20 20:59:28 |
halfdog |
bug |
|
|
added bug |
2015-12-20 21:00:36 |
halfdog |
attachment added |
|
Vulnerability information sharing policy https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050/+attachment/4538049/+files/policy.txt |
|
2015-12-20 21:01:54 |
halfdog |
attachment added |
|
Patch just securing commands as they are https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050/+attachment/4538050/+files/etc-cron-daily-ntp.diff |
|
2015-12-22 22:36:53 |
halfdog |
description |
The cronjob script bundled with ntp package on Ubuntu Wily is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.
Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges. The problematic parts in /etc/cron.daily/ntp are:
find "$statsdir" -type f -mtime +7 -exec rm {} \;
# compress whatever is left to save space
cd "$statsdir"
ls *stats.???????? > /dev/null 2>&1
if [ $? -eq 0 ]; then
# Note that gzip won't compress the file names that
# are hard links to the live/current files, so this
# compresses yesterday and previous, leaving the live
# log alone. We supress the warnings gzip issues
# about not compressing the linked file.
gzip --best --quiet *stats.????????
Relevant targets are:
find and rm invocation is racy, symlinks on rm
rm can be invoked with one attacker controlled option
ls can be invoked with arbitrary number of attacker controlled command line options
gzip can be invoked with arbitrary number of attacker controlled options
See http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/ for working user ntp to root privilege escalation exploit, sharing policy is attached to this issue.
# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
# apt-cache policy ntp
ntp:
Installed: 1:4.2.6.p5+dfsg-3ubuntu8.1
Candidate: 1:4.2.6.p5+dfsg-3ubuntu8.1
Version table:
*** 1:4.2.6.p5+dfsg-3ubuntu8.1 0
500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
100 /var/lib/dpkg/status
1:4.2.6.p5+dfsg-3ubuntu8 0
500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages |
The cronjob script bundled with ntp package on Ubuntu Wily is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.
Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges. The problematic parts in /etc/cron.daily/ntp are:
find "$statsdir" -type f -mtime +7 -exec rm {} \;
# compress whatever is left to save space
cd "$statsdir"
ls *stats.???????? > /dev/null 2>&1
if [ $? -eq 0 ]; then
# Note that gzip won't compress the file names that
# are hard links to the live/current files, so this
# compresses yesterday and previous, leaving the live
# log alone. We supress the warnings gzip issues
# about not compressing the linked file.
gzip --best --quiet *stats.????????
Relevant targets are:
find and rm invocation is racy, symlinks on rm
rm can be invoked with one attacker controlled option
ls can be invoked with arbitrary number of attacker controlled command line options
gzip can be invoked with arbitrary number of attacker controlled options
See http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/ for working user ntp to root privilege escalation exploit (User: InvitedOnly, Pass: wtq39EiZ), sharing policy is attached to this issue.
# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
# apt-cache policy ntp
ntp:
Installed: 1:4.2.6.p5+dfsg-3ubuntu8.1
Candidate: 1:4.2.6.p5+dfsg-3ubuntu8.1
Version table:
*** 1:4.2.6.p5+dfsg-3ubuntu8.1 0
500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
100 /var/lib/dpkg/status
1:4.2.6.p5+dfsg-3ubuntu8 0
500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages |
|
2015-12-23 06:25:33 |
Seth Arnold |
ntp (Ubuntu): status |
New |
Confirmed |
|
2016-01-11 20:30:15 |
halfdog |
cve linked |
|
2016-0727 |
|
2016-01-21 19:40:28 |
halfdog |
information type |
Private Security |
Public Security |
|
2016-01-21 20:25:32 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2016-01-21 20:25:39 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2016-02-04 13:53:22 |
Robie Basak |
nominated for series |
|
Ubuntu Wily |
|
2016-02-04 13:53:22 |
Robie Basak |
bug task added |
|
ntp (Ubuntu Wily) |
|
2016-04-29 14:28:59 |
Matt Nordhoff |
bug |
|
|
added subscriber Matt Nordhoff |
2016-05-01 15:49:44 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Security Team |
2016-05-01 15:49:50 |
Christian Ehrhardt |
ntp (Ubuntu): status |
Confirmed |
Triaged |
|
2016-05-01 15:50:12 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
2016-06-01 16:58:00 |
Launchpad Janitor |
ntp (Ubuntu): status |
Triaged |
Fix Released |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7973 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7974 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7975 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7976 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7977 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7978 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-7979 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-8138 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2015-8158 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2016-1547 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2016-1548 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2016-1550 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2016-2516 |
|
2016-06-01 16:58:00 |
Launchpad Janitor |
cve linked |
|
2016-2518 |
|
2016-08-16 02:52:59 |
Steve Beattie |
nominated for series |
|
Ubuntu Xenial |
|
2016-08-16 02:52:59 |
Steve Beattie |
bug task added |
|
ntp (Ubuntu Xenial) |
|
2016-08-16 02:53:42 |
Steve Beattie |
ntp (Ubuntu Wily): status |
New |
Won't Fix |
|
2016-08-16 02:54:32 |
Steve Beattie |
ntp (Ubuntu Xenial): status |
New |
Triaged |
|
2016-10-05 17:32:01 |
Launchpad Janitor |
ntp (Ubuntu Xenial): status |
Triaged |
Fix Released |
|
2016-10-05 17:32:01 |
Launchpad Janitor |
cve linked |
|
2016-4954 |
|
2016-10-05 17:32:01 |
Launchpad Janitor |
cve linked |
|
2016-4955 |
|
2016-10-05 17:32:01 |
Launchpad Janitor |
cve linked |
|
2016-4956 |
|