On Thu, Apr 05, 2001 at 08:03:38PM -0400, Charles Sprickman wrote:
...
> Just a quick note to save others a bit of legwork... If you are running
> ntpd on a machine simply as a client, the following line in /etc/ntp.conf
> should keep people away:
>
> restrict default ignore
>
> Before adding this (I actually had the wrong syntax), the exploit crashed
> ntpd. Afterwards, not a blip, and ntpdate shows that ntpd is not
> answering anything...

Time servers which ntpd is synchronized to are also subjected to the
restriction. So, if this is the only `restrict' in your ntp.conf, it also
prevents synchronization to the time server.

Besides `restrict default ignore' there should be

    restrict time.server.address nomodify

for every 'server time.server.address' in your ntp.conf.

Now, ntpd can be crashed/exploited only by evil queries coming from
time.server.address (or by UDP-spoofed queries from anywhere else :-/).

JK
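
An added example, not part of the original message: a small lint that reads an ntp.conf and reports every `server` entry that would be cut off by `restrict default ignore` because it has no `restrict` line of its own. The sample configuration and host names are constructed, and matching is assumed to be by exact address string.

```python
# Added example (not from the original thread): lint ntp.conf for the
# restrict/server mismatch described in the message above.
# Assumption: matching is by exact address string; "mask" ranges and
# hostname-vs-IP differences are not resolved.

SAMPLE_CONF = """\
# constructed sample configuration
server time1.example.net
server time2.example.net
restrict default ignore
restrict time1.example.net nomodify
"""


def parse(conf_text):
    """Return (default_flags or None, server list, {address: flags})."""
    default_flags, servers, restricts = None, [], {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        keyword, address, flags = words[0].lower(), words[1], words[2:]
        if keyword == "server":
            servers.append(address)
        elif keyword == "restrict":
            if flags[:1] == ["mask"]:      # skip "mask <netmask>"
                flags = flags[2:]
            if address == "default":
                default_flags = set(flags)
            else:
                restricts[address] = set(flags)
    return default_flags, servers, restricts


def blocked_servers(conf_text):
    """Servers whose replies ntpd would drop under this configuration."""
    default_flags, servers, restricts = parse(conf_text)
    default_ignores = default_flags is not None and "ignore" in default_flags
    blocked = []
    for address in servers:
        flags = restricts.get(address)
        if flags is None and default_ignores:
            blocked.append(address)        # falls through to the default
        elif flags is not None and "ignore" in flags:
            blocked.append(address)        # explicitly ignored
    return blocked


if __name__ == "__main__":
    for address in blocked_servers(SAMPLE_CONF):
        print(f"no usable restrict entry for server {address}")
```
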
