CVE-2016-0727
HIGH
NTP Package <4.2.6.p3 - Privilege Escalation via Crontab Script
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2016-0727. PoCs published by halfdog.
AI-analyzed exploit summary
This exploit leverages a race condition and symlink manipulation in the NTP cronjob script to overwrite arbitrary files, specifically targeting the PAM library to escalate privileges from the 'ntp' user to root. It uses inotify-based directory manipulation to trigger malicious gzip behavior during the daily cronjob execution.
Description
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
Exploits (1)
References (6)
Scores
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H