[ntp:security] [Bug 2939] New: reslist NULL pointer dereference

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 11 03:35:56 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2939

             Bug #: 2939
           Summary: reslist NULL pointer dereference
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: security at ntp.org
             Group: Security
    Classification: Unclassified


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |blocking4.2.8+

An unauthenticated ntpdc reslist command can cause a segmentation
fault in ntpd by causing a NULL pointer dereference.

The following conditions must be met:
  1. Mode 7 must be enabled.  By default, mode 7 is disabled.
  2. A large enough number of entries must exist in the restrict list
     to cause seqno to be equal to MAXSEQ.

Expected Behavior:

The ntpdc reslist command is used to query the restrictions currently
enforced by ntpd.  If the number of restrictions is too large to fit
into a single packet, the results will be split across a sequence of
packets.  The reslist command does not require authentication.

The functions that return the results (list_restrict4() and
list_restrict6()) do not correctly handle the case where the number of
packets required is greater than the maximum value of the response
packet sequence number, resulting in a NULL pointer dereference.

In the event that seqno is equal to MAXSEQ and more_pkt() returns NULL,
the return value should be checked and ntpd should fail gracefully.

Actual Behavior:

The root cause of the crash is a segmentation violation caused by a
NULL pointer dereference in list_restrict4 or list_restrict6.

The IPv4 and IPv6 restriction lists are kept sorted in reverse order.
To correctly display the output, the functions list_restrict4 and
list_restrict6 traverse the list recursively and dump the lists in
reverse.

After recursing to the end of the list, the value pointed to by ppir
is assigned the result of more_pkt(). Within more_pkt(), if databytes
+ itemsize > RESP_DATA_SIZE and seqno == MAXSEQ then NULL is returned
and assigned to *ppir.  The pointer pir is then assigned *ppir and
dereferenced, resulting in a segmentation violation.

Implications of the defect:

An attacker that can increase the size of the restrict list on a
server with request mode enabled can crash ntpd.  The attacker might
be able to increase the number of restrictions dynamically via
the "restrict source" mechanism. Additionally, an authenticated user
can add restrict lines to the configuration with mode 6 if it is
enabled.

Recommendations:

Check the return value of more_pkt(), and if it is NULL, fail
gracefully.  The more_pkt() function is used in several places, and
the value should be checked at each invocation.

This defect was discovered by Stephen Gray <stepgray at cisco.com>.
