Vigil@nce - NTP.org: privilege escalation of Cronjob Script
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker with the privileges of the ntp user can use the
Cronjob Script of NTP.org in order to gain root privileges.
Impacted products: NTP.org.
Severity: 1/4.
Creation date: 22/01/2016.
DESCRIPTION OF THE VULNERABILITY
The NTP.org product uses a cron script which removes old
statistics.
However, this script contains a succession of errors (find
followed by a rm which does not remove all files, ls/gzip with a
’*...’ parameter which can be used to inject options such as
’-...’). An attacker with the privileges of the ntp user can thus
create a special statistics file, corresponding to a compressed
archive of a system library (libpam.so), which will belong to the
ntp user at the end of the attack.
A local attacker with the privileges of the ntp user can therefore
use the Cronjob Script of NTP.org in order to gain root
privileges.
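The option-injection error described above (a bare ’*’ glob handed to a utility) can be reproduced harmlessly and compared with its two standard fixes. This is an added example, not the NTP.org cron script: the function names, the file names and the use of cat -n as a stand-in for ls/gzip are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample directory: one statistics file plus one empty file
# whose name begins with '-' (both names are made up for this demo).
make_stats_dir() {
    d=$(mktemp -d) || return 1
    printf 'sample\n' > "$d/peerstats.20160101"
    : > "$d/-n"
    printf '%s\n' "$d"
}

# Weak pattern: the shell expands * to "-n peerstats.20160101", so cat
# parses the first file name as its -n (number lines) option.
read_unsafe() ( cd "$1" && cat * )

# Fix 1: "--" ends option parsing; every later word is a file name.
read_with_dashdash() ( cd "$1" && cat -- * )

# Fix 2: a "./" prefix means no expanded word can begin with '-'.
read_with_prefix() ( cd "$1" && cat ./* )

# Audit helper: count entries that a bare glob would turn into options.
count_option_like() (
    cd "$1" || exit 1
    n=0
    for f in *; do
        case $f in
            -*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
)

# Demo run on the constructed directory.
demo_dir=$(make_stats_dir)
echo "option-like names: $(count_option_like "$demo_dir")"
echo "bare glob:         $(read_unsafe "$demo_dir")"
echo "with --:           $(read_with_dashdash "$demo_dir")"
echo "with ./ prefix:    $(read_with_prefix "$demo_dir")"
rm -rf -- "$demo_dir"
```

A script that runs as root over a directory writable by a less privileged account needs one of the two hardened forms on every command that receives a glob.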
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/NTP-org-privilege-escalation-of-Cronjob-Script-18790