WZZZ

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-sev ere-ntp-security-flaw/

 

When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system.

What this means is that, if you allow date and time to be set automatically by outside servers, you risk having your computer taken over.

 

This is a critical issue, it's being exploited as we speak, and Apple has not provided the update to Snow Leopard users, only to 10.8/Mountain Lion and above. I strongly doubt Apple will ever get around to issuing an update for Snow Leopard, or they would have already. Chances of that happening are close to zero

Posted on Dec 23, 2014 4:37 PM

Close

Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

  • All replies
  • Helpful answers

first Previous Page 8 of 12 last Next
  • by shiekh,

    shiekh shiekh Jan 2, 2015 5:05 PM in response to xyzzy-xyzzy
    Level 1 (0 points)
    Jan 2, 2015 5:05 PM in response to xyzzy-xyzzy

    Any chance of compiling Universal binaries? and making them available?

  • by WZZZ,

    WZZZ WZZZ Jan 2, 2015 5:17 PM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X
    Jan 2, 2015 5:17 PM in response to xyzzy-xyzzy

    Except that like you, I build my own ntp files on my own system (I have Xcode 3.2.6) so that argument doesn't apply for me either.  Of course that doesn't mean that the gcc compiler itself doesn't have a code generation bug (it does compile the code with -O2 optimization level enabled) but I really really don't believe that :-)

    The crash happened after running the flatsixracer installer with its pre-compiled binaries. So, that at least rules out that particular reason for the crash on your system, since you built that one yourself. But not necessarily on mine, although since we both had identical crashed, maybe it is a coding error. Would that be in the compiler itself, or does it point to an error in the 4.2.8?

     

    Later on, because I was concerned about that crash, I decided to run the "plain vanilla" instructions from the MI site. That was when I used Xcode to do the compiling.

     

    Btw, I never bothered to get the Xcode 3.2.6 update. Think it might make a difference, or does it contain the same compiler as the plain 3.2?

     

    I believe I asked you about that earlier in this thread (i.e., where was the -v error report in your system.log?).  It would be (have been) easy to check, i.e., just look at the sntp command line in the /usr/libexit/ntpd-wrapper file.  You must have the updated one with the sntp -K ... fix.

    Yeah, I have never seen that error, either with flatsixrsacer's original command line version or from the update built from the MI site. And, inexplicably, I have the same ntpd-wrapper on my Snow as you. I posted the one from my Snow here way back I don't know how many pages ago. I remember we went through that and that was, and still is, left unexplained. I think you asked flatsix to stick the one from 10.8 in his installer to correct that error.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 2, 2015 5:24 PM in response to WZZZ
    Level 1 (10 points)
    Jan 2, 2015 5:24 PM in response to WZZZ

    WZZZ wrote:

     

    ...maybe it is a coding error. Would that be in the compiler itself?

     

    I tried to explain that in my previous post.

     

    Btw, I never bothered to get the Xcode 3.2.6 update. Think it might make a difference, or does it contain the same compiler as the plain 3.2?

     

    The compiler is always being updated with every release of Xcode.  But as I said I really am not blaming the compiler here.

     

    Yeah, I have never seen that error, either with flatsixrsacer's original command line version or from the update built from the MI site. And, inexplicably, I have the same ntpd-wrapper on my Snow as you. I posted the one from my Snow here way back I don't know how many pages ago. I remember we went through that and that was, and still is, left unexplained. I think you asked flatsix to stick the one from 10.8 in his installer to correct that error.

     

    Lets' just leave it as a mystery.  We know that -v is invalid for the newly built sntp so its not really worth pursuing.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 2, 2015 5:57 PM in response to shiekh
    Level 1 (10 points)
    Jan 2, 2015 5:57 PM in response to shiekh

    shiekh wrote:

     

    Any chance of compiling Universal binaries? and making them available?

     

    Its possible.  But it takes some investigation on how to specify the CXXFLAGS and CPPFLAGS compiler flags to the build configure step in such a way so as to not remove any flags those would normally be defined with (for example, I already know its using -g and -O2 on the build lines -- would need to check what else in order to add -arch ppc,i386,x86_64 -- and is it 32 bit or 64 bit for the intel archs?).

     

    If you don't know what I am talking about, well, it's ok, never mind.  But for anyone reading this who does, I found an interesting (well, I thought it was interesting to me) configure option I didn't know about but I thought worth mentioning.  It's --disable-silent-rules.

     

    When doing this ntp build I thought it was rather strange that the terminal was showing compilation lines like just "CC foo.o".  What happened to the actual command lines?  Because that certainly wasn't correct to compile a file!  Well, it's the way this configure tool (and thus I assume most newer configure tools for other sources) was built, i.e., to just show an abbreviated log line to indicate what is happening.   If you do a configure --help you will see the documentation that says using --disable-silent-rules allows you to see the full command line for each file being compiled!  Cool.

     

    (I apologize for the little off-topic diversion)

  • by shiekh,

    shiekh shiekh Jan 2, 2015 6:33 PM in response to xyzzy-xyzzy
    Level 1 (0 points)
    Jan 2, 2015 6:33 PM in response to xyzzy-xyzzy

    Where might I get some guidance using XCode to compile the NTP code? I see something about GNU Make in XCode

    http://www.scorec.rpi.edu/~littld/xcode_makefile.html

    but this did not take me far (I have XCode 3.1.4)

     

    I thought XCode might be one way to set architecture

     

    Yes, I'm a total neophyte

     

    I was fine getting binaries for PPC, but thought it might be nice to have Universal binaries, as I am patching 10.5

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 2, 2015 8:22 PM in response to shiekh
    Level 1 (10 points)
    Jan 2, 2015 8:22 PM in response to shiekh

    Maybe I wasn't clear above.  The (your) problem is not with how write makefiles.  Your problem is how to get ntp's configure to generate the appropriate gcc command line options that you want.  The (Apple) gcc command line option to generate multiple architectural binaries is -arch (do gcc -v --help to get the gcc command line options).

     

    A simple way that may get what you want is to do this configure step (with bash syntax) is something as follows:

    export CXXFLAGS='-O2 -g -arch ppc -arch=386 -arch=x86_64'

    export CFLAGS="$CXXFLAGS"

    ./configure --prefix=/usr

    I haven't tried this and I don''t know that overriding the flags like this will affect configure's use of these flags (the exports will override configure's definitions).

     

    As I said the "problem" is how to get configure to do what you want, not on how to do makefiles.  Configure builds the makefile for you as a function of the options you send to configure.  It helps of course to know what options you can use for gcc.  That's where the gcc -v --help might, well, help :-)   But be warned.  There are a lot of options for gcc so the help info is long.

  • by 22Phiphi,

    22Phiphi 22Phiphi Jan 3, 2015 4:17 AM in response to flatsixracer
    Level 1 (0 points)
    Jan 3, 2015 4:17 AM in response to flatsixracer

    Hi.

    I applied your patch and I have a problem : ntpd just won't start anymore. At boot "automatic update" is of in the system preference and whenever I tick it, it seems to work but switching away and back to the panel it shows it is of.

    Commande like "ntpd -v" or "ntpd --help" all respond "Bad CPU type in executable".

     

    Could it be you included only 64bits version ? I have an old macmini1,1, late 2006 wich is 32 bits.

  • by WZZZ,

    WZZZ WZZZ Jan 3, 2015 9:57 AM in response to xyzzy-xyzzy
    Level 6 (13,112 points)
    Mac OS X
    Jan 3, 2015 9:57 AM in response to xyzzy-xyzzy

    WZZZ wrote:

     

    ...maybe it is a coding error. Would that be in the compiler itself?

     

    xzzy-xzzy wrote: I tried to explain that in my previous post.

    I think we may both be getting very tired of this ntpd business, but, hopefully, with your indulgence, I will continue a bit longer:

     

    Not that I really understand anything of what your wrote, since I have no experience with coding, you did explain how that error might be happening, but you did not explain from where that coding error is arising. If it's not an error intrinsic to the new 4.2.8, or the compiler, then just where is that error being made? You already said that you had built your own version of the installer, or, if not an installer, made what you felt were the requisite corrections to the files you installed on your own system. Therefore, if it's not coming from the compiler, or from the ntp update itself, and not from flatsixracer's package, then where is that coding error that may have produced the crashes on both our systems coming from? I'm asking because I still want to know when it will be safe to make a permanent 4.2.8 update installation, of one kind of another, the rev4 or the MI site one.

     

    And something else very curious: As a test, I just installed the MacIssues one on a virgin 4.2.4-p4 Snow partition, and got the following logs. What is very interesting is that when I did this earlier on a partition that had already had flatsixracer's rev4, I did not get any of the KOD does nothing without LIMITED entries, which would indicate that, either the flatsix rev4 hadn't been overwritten at all, or that it left some remnants of itself behind.

     

    And do you think that, if left uncorrected, the KOD does nothing without LIMITED entries are anything to be concerned about? Should I bother modifying that /private/etc/ntp.conf file?

     

    Jan  3 11:01:39 **** sudo[234]: ****2 : TTY=ttys000 ; PWD=/Users/****2 ; USER=root ; COMMAND=/usr/sbin/ntpd --version
    Jan  3 11:17:30 **** sudo[209]: **** : TTY=ttys000 ; PWD=/Users/**** ; USER=root ; COMMAND=/usr/sbin/ntpd --version
    Jan  3 11:18:37 **** ntpd[219]: ntpd 4.2.8@1.3265-o Sat Jan  3 16:13:18 UTC 2015 (1): Starting
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: ntpd 4.2.8@1.3265-o Sat Jan  3 16:13:18 UTC 2015 (1): Starting
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Command line: /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
    Jan  3 11:18:37 **** ntpd[219]: proto: fuzz beneath 0.125 usec
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: proto: precision = 1.000 usec (-20)
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: proto: fuzz beneath 0.125 usec
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen and drop on 0 v6wildcard [::]:123
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen and drop on 1 v4wildcard 0.0.0.0:123
    Jan  3 11:18:37 **** ntpd[219]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Jan  3 11:18:37 **** ntpd[219]: restrict default: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** ntpd[219]: restrict ::: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen normally on 2 lo0 [::1]:123
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen normally on 3 lo0 [fe80::1%1]:123
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: setsockopt IPV6_MULTICAST_IF 0 for fe80::1%1 fails: Can't assign requested address
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen normally on 4 lo0 127.0.0.1:123
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listen normally on 5 en1 192.168.1.47:123
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: Listening on routing socket on fd #26 for interface updates
    Jan  3 11:18:37 **** org.ntp.ntpd[219]: restrict default: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: restrict default: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** org.ntp.ntpd[219]: restrict ::: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: restrict ::: KOD does nothing without LIMITED.
    Jan  3 11:18:37 **** ntpd[219]: mlockall(): Function not implemented
    Jan  3 11:18:37 **** org.ntp.ntpd[219]:  3 Jan 11:18:37 ntpd[219]: mlockall(): Function not implemented

  • by WZZZ,

    WZZZ WZZZ Jan 3, 2015 10:05 AM in response to WZZZ
    Level 6 (13,112 points)
    Mac OS X
    Jan 3, 2015 10:05 AM in response to WZZZ

    Forgot to mention that, after I applied the MI one over the flatsix rev4, I also didn't get the mlockall(): Function not implemented

  • by shiekh,

    shiekh shiekh Jan 3, 2015 11:12 AM in response to xyzzy-xyzzy
    Level 1 (0 points)
    Jan 3, 2015 11:12 AM in response to xyzzy-xyzzy

    Many thanks for all the help; for now I'll just lipo together the binaries for the i386 and ppc; I can see I am over my head at the moment.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 3, 2015 12:18 PM in response to WZZZ
    Level 1 (10 points)
    Jan 3, 2015 12:18 PM in response to WZZZ

    WZZZ wrote:

     

    Forgot to mention that, after I applied the MI one over the flatsix rev4, I also didn't get the mlockall(): Function not implemented

     

    You have me confused now.  Theoretically the only difference between flatsixracer's installer and MI''s explicit build is that flatsixracer's installs the modified ntp-restrict.conf and ntpd-wrapper.  If you previously installed with flatsixracer's installer you installed ntp-restrict.conf and ntpd-wrapper.  If you then explicitly build ntp and installed (e.g., like shown in MI) after and install from flatsixracer then those updated ntp-restrict.conf and ntpd-wrapper are still in your system.

     

    On the one hand you show me a log that has the mlockall error but no sntp -v error and then you say you are not getting the mlockall error.  The log indicates to me that at that time you had the updated ntpd-wrapper (which fixes the sntp -v error) but did not have the updated ntp-restrict.conf which gets rid of the KOD and mlockall log messages.  On the other hand you say you didn't get the mlockall message.

     

    I cannot see you having a log which reports the KOD messages and not having the mlockall error.  However, as I type this I seem to now recall that briefly flatsixracer posted an installer where he addressed to mlockall message by fixing it from /private/etc/ntp.conf instead of from ntp-restrict.conf.  I posted a recommendation he move the fix (rlimit memlock 0) into ntp-restrict.conf to keep all the changes in the one file plus I think that any changes to ntp.conf would get clobbered if you change the ntp server in Date&Time preferences.  So maybe you still have his rlimit change in /private/etc/ntp.conf.

     

    If you want to go back to the beginning you would need to make sure you have the original OSX ntp.conf, ntp-restrict.conf, and ntpd-wrapper.  Then you can use the normal explicit build as described by MI.  You should then see the -v message, KOD messages, and mlockall message in the log.  But why would you want to do that?  If you use  flatsixracer's latest installer (or just add the fixed/updated ntp-restrict.conf and ntpd-wrapper) you should not see those log messages.

     

    I recommend you use flatsixracer's installer.  Because there is (or should be) no difference between the ntp files it installs and the ones you would get from an explicit build.  But with flatsixracer's installer you do get the updated ntp-restrict.conf and ntpd-wrapper that MI doesn't address.  You really want those updates (well, or at a minimum the ntpd-wrapper update since that sntp -v really does need to be fixed while ntp-restrict.conf just addresses suppressing a bunch of log warnings).

     

    As for that very rare crash, here's a portion of that log again with one line highlighted:

    Application Specific Information:

    *** error for object 0x100200268: incorrect checksum for freed object - object was probably modified after being freed.

     

    Thread 0 Crashed:  Dispatch queue: com.apple.main-thread

    0  libSystem.B.dylib                0x00007fff8382f5d6 __kill + 10

    1  libSystem.B.dylib                0x00007fff838cfcd6 abort + 83

    2  libSystem.B.dylib                0x00007fff838be90d szone_error + 519

    3  libSystem.B.dylib                0x00007fff837eabe6 tiny_free_list_remove_ptr + 158

    4  libSystem.B.dylib                0x00007fff837e81ae szone_free_definite_size + 2005

    5  libcrypto.0.9.8.dylib            0x00007fff867142a5 CRYPTO_free + 37

    6  libcrypto.0.9.8.dylib            0x00007fff86710979 lh_free + 57

    7  libcrypto.0.9.8.dylib            0x00007fff86770c10 int_err_del + 48

    8  libSystem.B.dylib                0x00007fff837f389f __cxa_finalize + 214

    9  libSystem.B.dylib                0x00007fff837f37ac exit + 18

    10  ntpd                              0x0000000100011918 finish + 88

    11  libSystem.B.dylib                0x00007fff8384166a _sigtramp + 26

    12  libSystem.B.dylib                0x00007fff837e8af2 tiny_free_list_add_ptr + 314

    13  libSystem.B.dylib                0x00007fff837e81fc szone_free_definite_size + 2083

    14  ntpd                              0x00000001000336f3 uninit_util + 99

    15  libSystem.B.dylib                0x00007fff837f389f __cxa_finalize + 214

    16  libSystem.B.dylib                0x00007fff837f37ac exit + 18

    17  ntpd                              0x0000000100051a74 exit_worker + 68

    18  ntpd                              0x0000000100051ec4 send_blocking_req_internal + 1092

    19  ntpd                              0x000000010004f54b queue_blocking_request + 187

    20  ntpd                              0x000000010004e584 getaddrinfo_sometime + 372

    21  ntpd                              0x0000000100002c5c config_peers + 1036

    22  ntpd                              0x0000000100004eb9 config_ntpd + 6521

    23  ntpd                              0x00000001000078fc getconfig + 380

    24  ntpd                              0x000000010001221b ntpdmain + 1707

    25  ntpd                              0x0000000100001344 start + 52

     

    My current theory is that it was a function named finish() that failed.  There is a function name finish() in the ntpd.c source file. 

     

    /*

    * finish - exit gracefully

    */

    static RETSIGTYPE

    finish(

        int sig

        )

    {

        const char *sig_desc;

     

        sig_desc = NULL;

    #ifdef HAVE_STRSIGNAL

        sig_desc = strsignal(sig);

    #endif

        if (sig_desc == NULL)

            sig_desc = "";

        msyslog(LOG_NOTICE, "%s exiting on signal %d (%s)", progname,

            sig, sig_desc);

        /* See Bug 2513 and Bug 2522 re the unlink of PIDFILE */

    # ifdef HAVE_DNSREGISTRATION

        if (mdns != NULL)

            DNSServiceRefDeallocate(mdns);

    # endif

        exit(0);

    }

     

    I'm guessing that "finish+88" in the crash log  is that DNSServiceRefDeallocate() call but that's only a guess since I didn't look any deeper into this. It's interesting that that piece of code is trying do address a couple of bug reports :-)  This is all I have to say on this.  This post is getting way too long and now going off topic.

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 3, 2015 12:26 PM in response to shiekh
    Level 1 (10 points)
    Jan 3, 2015 12:26 PM in response to shiekh

    shiekh wrote:

     

    Many thanks for all the help; for now I'll just lipo together the binaries for the i386 and ppc; I can see I am over my head at the moment.

     

    Out of curiosity I looked into this a little more.  A configure line like this does work:

    CFLAGS='-g -O2 -arch ppc' configure --prefix=/usr

    Add --disable-silent-rules and you will see it adds those flags to each build line and a ppc version is generated (didn't test it of course).

     

    Unfortunately you cannot add multiple -arch's to build fat binaries in one build.  The gcc command lines have other gcc options which don't permit specifying multiple -arch's that aren't controlled by CFLAGS.  So to build fat binaries you would need to build a ppc version and say a x86_64 version and lipo each respective code file together.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 3, 2015 1:31 PM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 3, 2015 1:31 PM in response to xyzzy-xyzzy

    strangely, this is making a lot of sense; the fog is leaving. Many thanks for all the help.

     

    I looked at flatsixracers installer, which initially installed

     

         /usr/bin/ntp-keygen

         /usr/bin/ntpq

         /usr/bin/sntp

         /usr/sbin/ntpd

         /usr/sbin/ntpdate

         /usr/sbin/ntpdc

         /usr/sbin/ntptrace

         /usr/libexec/ntpd-wrapper

         /System/Library/LaunchDaemons/org.ntp.ntpd.plist

         /etc/ntp.conf

         /etc/ntp-restrict.conf

     

    but then (rev 4) dropped installing /etc/ntp.conf

     

    I also see that NTP are now (2nd Jan 2015) on beta 3 of patch 1, so I might wait till things have settled some and someone more adapt than myself might have an installer that covers 10.5 (PPC and Intel)

  • by xyzzy-xyzzy,

    xyzzy-xyzzy xyzzy-xyzzy Jan 3, 2015 1:46 PM in response to Anwar Shiekh
    Level 1 (10 points)
    Jan 3, 2015 1:46 PM in response to Anwar Shiekh

    Yup, that's what I recall happening with the conf fix as I mentioned above.

     

    Thanks for the heads up on the beta3.

  • by Anwar Shiekh,

    Anwar Shiekh Anwar Shiekh Jan 3, 2015 3:41 PM in response to xyzzy-xyzzy
    Level 1 (5 points)
    Jan 3, 2015 3:41 PM in response to xyzzy-xyzzy

    This stuff is addictive

     

    Using the Intel binaries of flatsixracer I put together a universal installer for OS 10.5

    http://www.cubeowner.com/forums/index.php?s=&showtopic=14866&view=findpost&p=104 503

     

    As usual this is 'use at your own risk' and I have not tested it on an Intel Mac.

first Previous Page 8 of 12 last Next