[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Danny Mayer mayer at ntp.org
Fri Oct 9 00:11:57 UTC 2009


Dave Hart wrote:
> On Thu, Oct 8, 2009 at 1:27 AM, Danny Mayer <mayer at ntp.org> wrote:
>> And for a NTP V5 it would fail as would ntpdc v4 with xntp V3. The mode7
>> packets are private and are not guaranteed not to change between major
>> versions and that's why the test is there. This is an interoperability
>> issue not an attack or security issue.
> 
> That is not true.  INFO_ERR_FMT is not used by ntpdc to interoperate
> with different versions of ntpd.  Rather, INFO_ERR_IMPL is used for
> that purpose.  The test you say is for interoperability is looking for
> version < 1 or > 4.  ntpdc always uses version 2, as I said all ntpdc
> versions are lumped into one category by this test.

I presume that you only looked at the same build of ntpdc when writing
this. That's the trivial case. Have you looked at V3 versions of ntpdc?
The real question that comes up is whether a V3 version of ntpdc will
interoperate with V4 ntpd. I'm not talking here about INFO_ERR_FMT, I'm
talking about INFO_VERSION. INFO_ERR_IMPL is an error response code. So
I think you must be confused or misreading the code.

> 
>>> If it were not for the need to keep patches simple and focused, I
>>> would say all the INFO_ERR_FMT responses should be eliminated from
>>> process_private(), dropping each without response.
>> Which means that you are ignoring legitimate errors thereby throwing out
>> legitimate error responses.
> 
> There is no value in responding with INFO_ERR_FMT to requests with
> incredible versions.  You keep harping on the need for these
> responses, but you have yet to demonstrate it.  I've looked at the
> ntpdc code as well as ntp_request.c and I'm convinced responding with
> INFO_ERR_FMT for version < 1 or > 4 is not going to help
> interoperability.
> 

This is wrong. In NTP V3 the version number is 3. If you try to
interrogate a V4 ntpd server with V3 ntpdc you will get this error. Have
you tried it? There is nothing incredible about this version number. In
addition you are not going to bother with a minimum response when you
can use ntpdc -c monlist and get a massive response.

Danny
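The disagreement above turns on what ntpd does with a mode 7 (private, ntpdc) request whose version field fails the "< 1 or > 4" test: answer with an INFO_ERR_FMT error packet, or drop it silently. The following is an added example, not code from this thread or from the ntp project: it parses the fixed 8-byte mode 7 header as laid out in ntp_request.h (response and more bits, version, mode, auth bit and sequence, implementation, request code, err/nitems, mbz/size) and applies a policy that keeps the thread's version-range test while choosing drop over respond. The sample packets are constructed. The additional rule that a server drops any mode 7 packet arriving with the response bit set is a defensive assumption of mine and is not something the thread discusses.

```python
"""Inspect NTP mode 7 (private/ntpdc) request headers and decide drop vs respond.

Added example; the bit layout follows ntp_request.h, everything else is constructed.
"""
import struct
from dataclasses import dataclass

MODE_PRIVATE = 7
MIN_VERSION, MAX_VERSION = 1, 4   # the "version < 1 or > 4" test discussed in the thread

# Error codes carried in the high 4 bits of the err/nitems field.
INFO_ERR_OKAY = 0
INFO_ERR_IMPL = 1     # implementation mismatch; what ntpdc uses to negotiate across versions
INFO_ERR_REQ = 2
INFO_ERR_FMT = 3      # "format error": the response at issue in the thread
INFO_ERR_NODATA = 4
INFO_ERR_AUTH = 7


@dataclass
class Mode7Header:
    response: bool
    more: bool
    version: int
    mode: int
    auth: bool
    sequence: int
    implementation: int
    request: int
    err: int
    nitems: int
    mbz: int
    size: int


def parse_mode7(data: bytes) -> Mode7Header:
    """Decode the fixed header; raises on packets too short to carry one."""
    if len(data) < 8:
        raise ValueError("mode 7 packets carry an 8-byte fixed header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    return Mode7Header(
        response=bool(rm_vn_mode & 0x80),       # R bit
        more=bool(rm_vn_mode & 0x40),           # M bit
        version=(rm_vn_mode >> 3) & 0x07,       # INFO_VERSION()
        mode=rm_vn_mode & 0x07,                 # INFO_MODE()
        auth=bool(auth_seq & 0x80),
        sequence=auth_seq & 0x7F,
        implementation=impl,
        request=req,
        err=(err_nitems >> 12) & 0x0F,
        nitems=err_nitems & 0x0FFF,
        mbz=(mbz_size >> 12) & 0x0F,
        size=mbz_size & 0x0FFF,
    )


def build_mode7(version: int, response: bool = False, more: bool = False,
                implementation: int = 3, request: int = 0, sequence: int = 0) -> bytes:
    """Construct a mode 7 header for testing (implementation 3 = IMPL_XNTPD)."""
    rm_vn_mode = (int(response) << 7) | (int(more) << 6) | ((version & 0x07) << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", rm_vn_mode, sequence & 0x7F, implementation, request, 0, 0)


def decide(hdr: Mode7Header, respond_to_bad_version: bool = False) -> str:
    """Server-side policy for an incoming packet.

    Returns "not-mode7", "drop", "INFO_ERR_FMT" (send an error response) or "process".
    respond_to_bad_version=True models the behaviour the thread debates; the default
    drops without a reply, so a forged source address never earns an error packet.
    """
    if hdr.mode != MODE_PRIVATE:
        return "not-mode7"
    if hdr.response:
        # Assumption: a server only ever emits mode 7 responses, so one arriving
        # on the server port has nothing legitimate to do and is dropped unanswered.
        return "drop"
    if hdr.version < MIN_VERSION or hdr.version > MAX_VERSION:
        return "INFO_ERR_FMT" if respond_to_bad_version else "drop"
    return "process"


def summarize(packets):
    """Count outcomes over a batch of raw packets, e.g. from a capture."""
    counts = {}
    for raw in packets:
        outcome = decide(parse_mode7(raw))
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: a normal ntpdc request (version 2), an out-of-range version,
    # and a stray packet with the response bit set.
    sample = [build_mode7(2), build_mode7(5), build_mode7(2, response=True)]
    print(summarize(sample))
```

The default policy answers the thread's practical question for the out-of-range case: with `respond_to_bad_version=False` the server sends nothing, so a misbehaving or spoofed client gets no error packet to work with, while genuine ntpdc traffic (version 2, as the thread notes) is still passed on for processing.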
