WZZZ

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-severe-ntp-security-flaw/

 

When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.

 

This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero.

Posted on Dec 23, 2014 4:37 PM

  • by WZZZ,

    WZZZ Dec 28, 2014 1:09 PM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X

    You guys are way over my head on this ntpd stuff, but here is /usr/libexec/ntpd-wrapper from my 10.6. Not seeing the same sntp entries at all.

     

    #!/bin/sh

    PATH=/usr/sbin:/usr/bin:/bin
    TIMEOUT=30
    KEY=State:/Network/Global/DNS
    DNS=/var/run/resolv.conf
    # sentinel to special case DNS readiness at boot
    LOG=/var/run/sntp.log

    ipconfig waitall

    if [[ ! -f ${LOG} ]]; then
        DEADLINE=$((SECONDS+TIMEOUT))
        for (( CURTIMEOUT=TIMEOUT; SECONDS < DEADLINE; CURTIMEOUT=DEADLINE-SECONDS )); do
            if scutil -w ${KEY} -t ${CURTIMEOUT}; then
                if [[ -f ${DNS} ]]; then
                    break;
                fi            # else retry false alarms
            else
                logger -p daemon.err "$0: scutil key ${KEY} not present after ${TIMEOUT} seconds"
                break;
            fi
        done
    fi

    for server in $(awk '/^server/ {print $2}' /etc/ntp.conf); do
        if sntp -v -r -P no -l /var/run/sntp.pid ${server} &> ${LOG}; then
            break
        else
            logger -p daemon.err -f ${LOG}
        fi
    done

    # Un-comment the following line to run ntp with a sandbox profile.
    # Sandbox profiles restrict processes from performing unauthorized
    # operations; so it may be necessary to update the profile
    # (/usr/share/sandbox/ntpd.sb) if any changes are made to the ntp
    # configuration (/etc/ntp.conf).
    #sb=/usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb

    exec $sb /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

  • by WZZZ,

    WZZZ Dec 28, 2014 1:22 PM in response to WZZZ
    Level 6 (13,112 points)
    Mac OS X

    This is the one from my 10.8.5. Looks more like it. (Snow one is from 10.6.8)

     

    #!/bin/sh

    PATH=/usr/sbin:/usr/bin:/bin
    TIMEOUT=30
    KEY=State:/Network/Global/DNS
    DNS=/var/run/resolv.conf
    # sentinel to special case DNS readiness at boot
    LOG=/var/run/sntp.log

    ipconfig waitall

    if [[ ! -f ${LOG} ]]; then
        DEADLINE=$((SECONDS+TIMEOUT))
        for (( CURTIMEOUT=TIMEOUT; SECONDS < DEADLINE; CURTIMEOUT=DEADLINE-SECONDS )); do
            if scutil -w ${KEY} -t ${CURTIMEOUT}; then
                if [[ -f ${DNS} ]]; then
                    break;
                fi            # else retry false alarms
            else
                logger -p daemon.err "$0: scutil key ${KEY} not present after ${TIMEOUT} seconds"
                break;
            fi
        done
    fi

    for server in $(awk '/^server/ {print $NF}' /etc/ntp.conf); do
        if sntp -K /dev/null -s ${server} &> ${LOG}; then
            break
        else
            logger -p daemon.err -f ${LOG}
        fi
    done

    exec /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

  • by xyzzy-xyzzy,

    xyzzy-xyzzy Dec 28, 2014 1:23 PM in response to WZZZ
    Level 1 (10 points)

    Not sure why you wouldn't get the sntp -v error (did you not copy it from your system.log in your post?) since you do have that call as you highlighted and -v is an invalid option in the sntp installed as part of the ntp 4.2.8 build.   What you show is the same 4.2.4 I have in my 10.6.7.

     

    What you show above for your 10.8.5 is what I believe it should now be for Snow Leopard.  Note the change to the sntp call.

  • by WZZZ,

    WZZZ Dec 28, 2014 1:27 PM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X

    Yep, came from the system log on 10.6. Was going to go in there again, just to be certain, but I've just rebooted back to ML (dual boot) from Snow after getting that file. Will try to get to that later. But I'm pretty certain it'll be the same.

  • by WZZZ,

    WZZZ Dec 28, 2014 2:06 PM in response to WZZZ
    Level 6 (13,112 points)
    Mac OS X

    Since the waters here are already a bit muddied, maybe a little more mud can't hurt too much: can either of you who know ntpd explain this log from my 10.4.11/PPC, where I installed the 4.2.8 update from the directions at MacIssues (with Xcode 2.5)? Obviously very concerned about the message "no servers can be used, exiting." Yet, after clearing the connection history and unchecking and rechecking automatic time, Little Snitch is showing ntpd is connected to Apple time. So, this means connected to Apple time server, but it can't be used?

     

    If this is going to lead things too far off topic, then feel free to just ignore it.

     

    Dec 28 14:04:49 localhost ntpdate[93]: ntpdate 4.2.8@1.3265-o Fri Dec 26 20:38:28 UTC 2014 (1)
    Dec 28 14:04:49 localhost ntpdate[93]: no servers can be used, exiting
    Dec 28 14:04:50 localhost ntpd[94]: ntpd 4.2.8@1.3265-o Fri Dec 26 20:37:40 UTC 2014 (1): Starting
    Dec 28 14:04:53 localhost ntpd[95]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 28 14:04:53 localhost ntpd[95]: restrict default: KOD does nothing without LIMITED.
    Dec 28 14:04:53 localhost ntpd[95]: restrict ::: KOD does nothing without LIMITED.
    Dec 28 14:04:53 localhost ntpd[95]: mlockall(): Function not implemented
    Dec 28 14:10:13 localhost ntpd[95]: ntpd exiting on signal 15 (Terminated)
    Dec 28 14:10:20 localhost ntpdate[271]: no servers can be used, exiting
    Dec 28 14:10:20 localhost ntpd[272]: ntpd 4.2.8@1.3265-o Fri Dec 26 20:37:40 UTC 2014 (1): Starting
    Dec 28 14:10:22 localhost ntpd[273]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 28 14:10:22 localhost ntpd[273]: mlockall(): Function not implemented
    Dec 28 14:16:13 localhost ntpd[273]: ntpd exiting on signal 15 (Terminated)
    Dec 28 14:16:17 localhost ntpdate[348]: no servers can be used, exiting
    Dec 28 14:16:17 localhost ntpd[349]: ntpd 4.2.8@1.3265-o Fri Dec 26 20:37:40 UTC 2014 (1): Starting
    Dec 28 14:16:18 localhost ntpd[350]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 28 14:16:18 localhost ntpd[350]: mlockall(): Function not implemented

  • by flatsixracer,

    flatsixracer Dec 28, 2014 5:30 PM in response to WZZZ
    Level 1 (10 points)

    I don't know, but maybe we are worrying too much about a few system.log entries when starting/stopping the ntpd. The NTP 4.2.8 is quite a bit different from 4.2.4 and most of these new entries could just be warnings. OS 10.6 doesn't use all of the new features 4.2.8 provides, and in fact Apple's Security Update includes ntp 4.2.6 NOT ntp 4.2.8 with Mavericks.

     

    (WZZZ) When you uncheck the "Set date and time automatically" under Date & Time in the System preferences and change the time manually, does it set the date/time automatically with the new binary after re-checking the check-box? If so, I think it's working fine.

     

    For the time being I uploaded an updated installer. It now requires a reboot after the install and includes the updated ntpd-wrapper (eliminates the "sntp -v error") and ntpd.plist (just in case it got changed).

  • by xyzzy-xyzzy,

    xyzzy-xyzzy Dec 28, 2014 6:53 PM in response to flatsixracer
    Level 1 (10 points)

    flatsixracer wrote:

     

    For the time being I uploaded an updated installer. It now requires a reboot after the install and includes the updated ntpd-wrapper (eliminates the "sntp -v error") and ntpd.plist (just in case it got changed).

     

    Thanks for doing the reboot.  And I assume you meant the org.ntp.ntpd.plist launch daemon when you referred to just ntpd.plist.  Comparing with Apple's Mountain Lion update, that didn't change.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy Dec 28, 2014 8:15 PM in response to xyzzy-xyzzy
    Level 1 (10 points)

    I submitted an ntp bug to Bugzilla (bug 2712) on the mlockall() log message.  Hey, why not?  Might as well give it a shot.  Worst they can do is reject it.  But if they don't I might ask about the "KOD" messages too.  But one problem at a time.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy Dec 28, 2014 10:16 PM in response to xyzzy-xyzzy
    Level 1 (10 points)

    I have a request.  Could some of you who have systems beyond Snow Leopard build and run the following C program?

    #include <stdio.h>
    #include <sys/mman.h>
    #include <errno.h>
    #include <string.h>

    int main(void)
    {
        int i, e;

        /* Try to lock all current and future pages of this process into RAM. */
        errno = 0;
        i = mlockall(MCL_CURRENT|MCL_FUTURE);
        e = errno;   /* save errno before fprintf() can change it */
        fprintf(stderr, "mlockall(MCL_CURRENT|MCL_FUTURE) returned %d (errno = %d [%s])\n", i, e, strerror(e));
        return (i);
    }

    // cc -g -O0 x.c -o x; ./x

     

    A suggested command line is shown on the last line (commented of course) so long as you cd to the same directory as the source file.

     

    What output do you get?  I get on my 10.6.7,

    mlockall(MCL_CURRENT|MCL_FUTURE) returned -1 (errno = 78 [Function not implemented])

     

    Which shows that mlockall() really does not work on Snow Leopard and it's not really a critical error (process pages are simply not locked).  I'm just curious what happens on other versions of OSX.

     

    Thanks in advance.

  • by flatsixracer,

    flatsixracer Dec 28, 2014 10:31 PM in response to xyzzy-xyzzy
    Level 1 (10 points)

    Great idea about the Bugzilla report.

     

    Here is what I get on 10.6.8 when running your program:

     

    mlockall(MCL_CURRENT|MCL_FUTURE) returned -1 (errno = 78 [Function not implemented])

  • by flatsixracer,

    flatsixracer Dec 28, 2014 10:50 PM in response to xyzzy-xyzzy
    Level 1 (10 points)

    Same result on OS X 10.8.5

     

    mlockall(MCL_CURRENT|MCL_FUTURE) returned -1 (errno = 78 [Function not implemented])

  • by WZZZ,

    WZZZ Dec 29, 2014 5:24 AM in response to WZZZ
    Level 6 (13,112 points)
    Mac OS X

    OK, here's the latest from system log ntpd on Snow. Still no sntp in sight.

     

    Dec 29 07:32:58 **** ntpd[13]: ntpd 4.2.8@1.3265-o Wed Dec 24 22:32:16 UTC 2014 (1): Starting
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: ntpd 4.2.8@1.3265-o Wed Dec 24 22:32:16 UTC 2014 (1): Starting
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Command line: /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
    Dec 29 07:32:58 **** ntpd[13]: proto: fuzz beneath 0.091 usec
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: proto: precision = 1.000 usec (-20)
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: proto: fuzz beneath 0.091 usec
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen and drop on 0 v6wildcard [::]:123
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen and drop on 1 v4wildcard 0.0.0.0:123
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen normally on 2 lo0 [::1]:123
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen normally on 3 lo0 [fe80::1%1]:123
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen normally on 4 lo0 127.0.0.1:123
    Dec 29 07:32:58 **** ntpd[13]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 29 07:32:58 **** ntpd[13]: restrict default: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** ntpd[13]: restrict ::: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listen normally on 5 en1 192.168.1.47:123
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: Listening on routing socket on fd #26 for interface updates
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: restrict default: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: restrict default: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: restrict ::: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: restrict ::: KOD does nothing without LIMITED.
    Dec 29 07:32:58 **** ntpd[13]: mlockall(): Function not implemented
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: ntpd[13]:
    Dec 29 07:32:58 **** org.ntp.ntpd[13]: mlockall(): Function not implemented
    Dec 29 07:58:16 **** ntpd[233]: ntpd 4.2.8@1.3265-o Wed Dec 24 22:32:16 UTC 2014 (1): Starting
    Dec 29 07:58:16 **** org.ntp.ntpd[233]: 29 Dec 07:58:16 ntpd[233]: ntpd 4.2.8@1.3265-o Wed Dec 24 22:32:16 UTC 2014 (1): Starting
    Dec 29 07:58:16 **** org.ntp.ntpd[233]: 29 Dec 07:58:16 ntpd[233]: Command line: /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
    Dec 29 07:58:16 **** ntpd[233]: proto: fuzz beneath 0.083 usec
    Dec 29 07:58:16 **** org.ntp.ntpd[233]: 29 Dec 07:58:16 ntpd[233]: proto: precision = 1.000 usec (-20)
    Dec 29 07:58:16 **** org.ntp.ntpd[233]: 29 Dec 07:58:16 ntpd[233]: proto: fuzz beneath 0.083 usec
    Dec 29 07:58:16 **** ntpd[233]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Dec 29 07:58:16 **** ntpd[233]: restrict default: KOD does nothing without LIMITED.
    Dec 29 07:58:16 **** ntpd[233]: restrict ::: KOD does nothing without LIMITED.
    Dec 29 07:58:16 **** ntpd[233]: mlockall(): Function not implemented

     

     

    One theory I have is that I didn't use the later package installer, which I'm thinking includes pre-compiled binaries. Instead, I used flat's earlier instructions, which involved entering numerous commands, and which I also think--correct me if I'm wrong--needed Xcode (3.2 in this case) for the compiling. So, maybe something to do with the package installer (pre-compiled, if that's correct) vs. those command line entries working out of Xcode?

     

    Regardless of the messages, as warnings or not, time synching is working correctly in my Snow. Set a wrong time manually and, upon resuming automatic, the correction was made immediately.
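
Added example, not part of the thread: the system.log excerpt in the post above shows each ntpd message several times, once from `ntpd[pid]` and again on lines tagged `org.ntp.ntpd[pid]`. The shell function below collapses those copies and counts how many process runs logged each distinct message. The function names are hypothetical and the sample lines are copied from the logs quoted in this thread.

```sh
#!/bin/sh
# Added example: collapse repeated ntpd/ntpdate syslog lines into distinct messages.
summarize_ntp_log() {
    # stdin: syslog lines. stdout: "<runs> <program>: <message>", where <runs> is
    # the number of distinct process IDs that logged the message.
    awk '
    {
        rest = $0; prog = ""; pid = ""
        # Walk past every "name[pid]: " tag so echoed copies reduce to the bare message.
        while (match(rest, /(ntpdate|ntpd)\[[0-9]+\]: */)) {
            tag = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            lb = index(tag, "["); rb = index(tag, "]")
            prog = substr(tag, 1, lb - 1)
            pid = substr(tag, lb + 1, rb - lb - 1)
        }
        if (prog == "" || rest == "") next                   # not ntp, or an empty fragment
        if (rest ~ /^[0-9]+ [A-Z][a-z][a-z] [0-9:]+$/) next  # timestamp-only fragment
        key = prog SUBSEP pid SUBSEP rest
        if (!(key in seen)) { seen[key] = 1; runs[prog ": " rest]++ }
    }
    END { for (m in runs) print runs[m], m }' | LC_ALL=C sort -k2
}

# Sample input: lines taken from the logs quoted in this thread.
sample_log() {
    cat <<'EOF'
Dec 29 07:32:58 **** ntpd[13]: restrict default: KOD does nothing without LIMITED.
Dec 29 07:32:58 **** org.ntp.ntpd[13]: restrict default: KOD does nothing without LIMITED.
Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58 ntpd[13]: restrict default: KOD does nothing without LIMITED.
Dec 29 07:32:58 **** ntpd[13]: mlockall(): Function not implemented
Dec 29 07:32:58 **** org.ntp.ntpd[13]: 29 Dec 07:32:58
Dec 29 07:32:58 **** org.ntp.ntpd[13]: ntpd[13]:
Dec 29 07:32:58 **** org.ntp.ntpd[13]: mlockall(): Function not implemented
Dec 29 07:58:16 **** ntpd[233]: restrict default: KOD does nothing without LIMITED.
Dec 29 07:58:16 **** ntpd[233]: mlockall(): Function not implemented
Dec 28 14:04:49 localhost ntpdate[93]: no servers can be used, exiting
EOF
}

sample_log | summarize_ntp_log
```

On a real system the same function can be fed with `grep ntp /var/log/system.log | summarize_ntp_log`.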

  • by Allen Barnella,

    Allen Barnella Dec 29, 2014 7:09 AM in response to flatsixracer
    Level 2 (155 points)

    I've got to admit that this discussion is now way over my head, but I did check and I do have the messages in my 10.6.8 log. I've been following the thread and reinstalling the pkg when you make a newer version available. Now that I'm in over my head I've got a couple of questions that I'm hoping you can answer:

     

    1. Yesterday I received a firewall request for: "Do you want the application “ntpd” to accept incoming network connections?" to which I told it "Deny". I had never seen this request before doing your update and I'm concerned why ntpd would need to accept incoming network connections when it's only setting the time?
    2. I plan to upgrade to Mavericks (or more like Yosemite) in the very near future. When I do that, will these "patch" files be replaced with the proper ones for the new version of the OS?

     

    Thanks.

  • by flatsixracer,

    flatsixracer Dec 29, 2014 9:03 AM in response to WZZZ
    Level 1 (10 points)

    Great. Yes, the sntp -v error was corrected in the newer installer by including the updated ntpd-wrapper with the correct command for sntp:

    ...

    if sntp -K /dev/null -s ${server} &> ${LOG}; then

    ...
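
Added example, not part of the thread: a check for which of the two sntp call forms quoted in this thread a given ntpd-wrapper contains. The function and sample names are hypothetical; the only option treated as a problem is `-v`, the one the thread reports as invalid in the sntp from the ntp 4.2.8 build.

```sh
#!/bin/sh
# Added example: report which form of the sntp call an ntpd-wrapper uses.
# Statuses: "legacy"  = passes -v (reported in the thread as invalid for the 4.2.8 sntp),
#           "updated" = the -K /dev/null -s form, "other" = anything else.
audit_wrapper() {
    # $1 = wrapper path (default: stdin). Prints "<line>:<status>" per sntp call.
    awk '
    /^[ \t]*#/ { next }                            # skip commented-out lines
    {
        for (i = 1; i <= NF; i++) if ($i == "sntp") break
        if (i > NF) next                           # no sntp call on this line
        status = "other"
        for (j = i + 1; j <= NF; j++) {
            if ($j ~ /^[;&|>]/) break              # redirection or separator ends the options
            if ($j == "-v") {
                status = "legacy"
            } else if ($j == "-K" && $(j + 1) == "/dev/null" && status != "legacy") {
                status = "updated"
            }
        }
        print NR ":" status
    }' "${1:--}"
}

# Constructed samples: the two sntp loops quoted in the thread, plus a comment line.
legacy_sample() {
    cat <<'EOF'
# sntp -K /dev/null -s (commented out, must be ignored)
for server in $(awk '/^server/ {print $2}' /etc/ntp.conf); do
   if sntp -v -r -P no -l /var/run/sntp.pid ${server} &> ${LOG}; then
EOF
}
updated_sample() {
    cat <<'EOF'
for server in $(awk '/^server/ {print $NF}' /etc/ntp.conf); do
    if sntp -K /dev/null -s ${server} &> ${LOG}; then
EOF
}

legacy_sample  | audit_wrapper    # 3:legacy
updated_sample | audit_wrapper    # 2:updated
```

Against an installed system the call would be `audit_wrapper /usr/libexec/ntpd-wrapper`.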

  • by flatsixracer,

    flatsixracer Dec 29, 2014 9:20 AM in response to Allen Barnella
    Level 1 (10 points)

    1) Not sure why you received an incoming connection request for ntpd. If you use "Little Snitch", then yes it may ask you to authorize an outgoing connection. ntpd is not in my firewall settings.

     

    2) Yes if you upgrade to Mavericks or Yosemite and apply the security patches, all these binaries will be overwritten with Apple's version of ntp 4.2.6.
