[ntp:security] [Bug 2937] New: nextvar() missing length check

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 11 03:16:16 UTC 2015


             Bug #: 2937
           Summary: nextvar() missing length check
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P5
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: security at ntp.org
             Group: Security
    Classification: Unclassified

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
              Flags|                            |blocking4.2.8+

nextvar() executes a memcpy() into the name buffer without a proper
  length check against its maximum length of 256 bytes.  This can be
  exploited by the following call to the addvar command in ntpq:

  ntpq -c "addvar iiii<500 more i's>"

  The argument will be truncated to 503 bytes, but name is only 256
  bytes.  As long as no spaces, commas, equal signs or carriage returns
  are in the argument, the entire 503 bytes will be memcpy()'d into
  name.  There are several other functions that call nextvar() which
  could be used for the same type of exploit.

  For the purpose of reproducing this, the system's buffer overflow
  protection scheme (e.g. fortify source) could affect whether an actual
  error is seen.

  This could be exploited by a malicious user in a context wherein ntpq
  is run by another script that reads variable names from an untrusted
  source such as a user or environment variable.

  This defect was discovered by Jonathan Gardner <jonagard at cisco.com>.
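As an added illustration (not ntpq's own code), a simplified tokenizer in the shape of nextvar() that enforces the length check the report says is missing before the memcpy(); the function name, the delimiter set (space, comma, equal sign, carriage return, as listed in the report) and the 256-byte name buffer are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-in for ntpq's nextvar(): scans the next
 * variable name from `in`, terminated by space, comma, '=' or CR, and
 * copies it into `name` (capacity `namesz`, including the NUL).
 * Returns the number of bytes consumed from `in`, or 0 when the token is
 * empty or would not fit; the caller must treat 0 as "reject this input". */
size_t nextvar_checked(const char *in, char *name, size_t namesz)
{
    size_t len = 0;

    /* Skip leading delimiters, as a tokenizer would. */
    while (in[len] == ' ' || in[len] == ',' || in[len] == '\r')
        len++;
    size_t start = len;

    /* Find the end of the token. */
    while (in[len] != '\0' && in[len] != ' ' && in[len] != ',' &&
           in[len] != '=' && in[len] != '\r')
        len++;

    size_t toklen = len - start;
    /* The check the report describes as missing: never copy more than
     * namesz - 1 bytes, leaving room for the terminating NUL. */
    if (toklen == 0 || toklen >= namesz)
        return 0;

    memcpy(name, in + start, toklen);
    name[toklen] = '\0';
    return len;
}

/* Constructs the report's input (a 503-byte run of 'i') and checks that a
 * 256-byte name buffer rejects it while a normal variable name is accepted. */
bool demo_reject_oversize(void)
{
    char big[504];
    memset(big, 'i', 503);
    big[503] = '\0';

    char name[256];
    bool rejected = nextvar_checked(big, name, sizeof name) == 0;
    bool accepted = nextvar_checked("rootdelay=0.5", name, sizeof name) == 9
                    && strcmp(name, "rootdelay") == 0;
    return rejected && accepted;
}
```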
