[ntp:security] [Bug 2938] New: ntpq saveconfig command allows dangerous characters in filenames

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 11 03:26:17 UTC 2015


             Bug #: 2938
           Summary: ntpq saveconfig command allows dangerous characters in filenames
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: enhancement
          Priority: P3
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: security at ntp.org
             Group: Security
    Classification: Unclassified

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
              Flags|                            |blocking4.2.8+

The ntpq saveconfig command does not do adequate filtering of special
characters from the supplied filename.  Only back slash and forward
slash are currently filtered out.  There are other special characters
that are allowed in the filename which can cause issues during
globbing.  For instance, dash can be the first character in a
filename.  So if the ntpq user saves the config to a file named "-rf",
an admin on the ntp server could run "rm *" in the directory holding
that file and the command would really be "rm -rf *" after globbing.
This is an extreme and unlikely example, but there are any number of
similar issues that could occur with commands an admin would likely
run with wildcards from the config directory.

In addition to special characters that are passed straight through to
the filename, strftime() is called on format specifiers defined by the
ntpq user.  The %n and %t format specifiers insert a newline and a
tab, respectively, into the filename.  These could have unintended
consequences during globbing as well.

Note that the ntpq user is required to authenticate to run this

The save_config() function in ntp_control.c should filter out special
characters with the exception of a small number that normally get used
in filenames:  ._-  (dot, underscore, and dash).  Filenames should
not be allowed to start with these special characters.  Also, the %n
and %t format specifiers should be disallowed to avoid whitespace in a
filename.  A more conservative approach would be to completely remove
the call to strftime() in case there are other vulnerabilities with
strftime() that could be exploited by an ntpq user.
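As an added illustration of the filter proposed above (example code written for this note, not ntp's own save_config() implementation; the function names are assumed), the check is applied twice: once to the user-supplied template, rejecting %n and %t, and once to the strftime() output, because other specifiers such as %c also emit spaces and colons.

```c
#include <ctype.h>
#include <string.h>
#include <time.h>

/* Added example, not ntp project code.  Policy: letters, digits and ._-
 * only; ._- never as the first character; '%' only as a strftime()
 * specifier letter other than n or t (newline / tab). */
static int plain_char_ok(int c)
{
    return isalnum((unsigned char)c) || c == '.' || c == '_' || c == '-';
}

/* Check the template before it is handed to strftime(). */
int saveconfig_template_ok(const char *tmpl)
{
    size_t i, n = strlen(tmpl);
    if (n == 0 || tmpl[0] == '.' || tmpl[0] == '_' || tmpl[0] == '-')
        return 0;                      /* empty or leading special char */
    for (i = 0; i < n; i++) {
        if (tmpl[i] == '%') {
            if (i + 1 >= n || !isalpha((unsigned char)tmpl[i + 1]))
                return 0;              /* dangling '%' or non-letter specifier */
            if (tmpl[i + 1] == 'n' || tmpl[i + 1] == 't')
                return 0;              /* whitespace-producing specifier */
            i++;                       /* skip the specifier letter */
        } else if (!plain_char_ok(tmpl[i])) {
            return 0;                  /* slash, space, shell metachar, ... */
        }
    }
    return 1;
}

/* Re-check the expanded name: '%' is gone, so only plain characters remain,
 * and a specifier must not have produced a leading ._- either. */
int saveconfig_expanded_ok(const char *name)
{
    size_t i;
    if (name[0] == '\0' || !isalnum((unsigned char)name[0]))
        return 0;
    for (i = 0; name[i] != '\0'; i++)
        if (!plain_char_ok(name[i]))
            return 0;
    return 1;
}

/* Expand tmpl into out; returns 1 only if both checks pass. */
int saveconfig_expand(const char *tmpl, const struct tm *when,
                      char *out, size_t outsz)
{
    if (!saveconfig_template_ok(tmpl) || strftime(out, outsz, tmpl, when) == 0)
        return 0;
    return saveconfig_expanded_ok(out);
}
```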

This defect was discovered by Jonathan Gardner <jonagard at cisco.com>.
