[ntp:security] [Bug 2940] New: Stack exhaustion in recursive traversal of restriction list

bugzilla-daemon at ntp.org
Sun Oct 11 03:44:09 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2940

             Bug #: 2940
           Summary: Stack exhaustion in recursive traversal of restriction
                    list
           Product: ntp
           Version: 4.2.8
          Platform: PC
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: security at ntp.org
             Group: Security
    Classification: Unclassified


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |blocking4.2.8+

An unauthenticated ntpdc reslist command can cause a segmentation
fault in ntpd by exhausting the call stack.

The following conditions must be met:
  1. Mode 7 must be enabled. By default, mode 7 is disabled.
  2. A large enough number of entries must be in the restrict lists to
     cause enough calls to list_restrict4 or list_restrict6 that the
     stack space is exhausted.

Expected Behavior:

The ntpdc reslist command is used to query the restrictions currently
enforced by ntpd. If the number of restrictions is too large, enough
function calls to list_restrict4() or list_restrict6() will occur to
exhaust the space on the call stack. The reslist command does not
require authentication.

The ntpd process should be able to traverse any number of entries in
the restrict list without exhausting the call stack.

Actual Behavior:

The IPv4 and IPv6 restriction lists are kept sorted in reverse order.
To correctly display the output, the functions list_restrict4 and
list_restrict6 traverse the list recursively and dump the lists in
reverse. If enough entries exist in the restrict list, the recursion
will eventually exhaust the available space on the call stack.

Implications of the defect:

An attacker that can increase the size of the restrict list on a
server with request mode enabled can crash ntpd. The attacker might be
able to increase the number of restrictions dynamically via the
"restrict source" mechanism.  Additionally, an authenticated user can
add restrict lines to the configuration with mode 6 if it is enabled.

Recommendations:

Use iteration to traverse the restrict list or terminate the recursion
after some number of entries have been processed.

This defect was discovered by Stephen Gray <stepgray at cisco.com>

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
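
The recommendation in the report (iterate instead of recursing), sketched as an added example that is not ntpd's code: `struct res_entry`, `build_list`, `dump_recursive`, `reverse_list` and `dump_iterative` are hypothetical names, and the list contents are constructed sample data. It assumes nothing else reads the list while it is temporarily reversed.

```c
#include <stdint.h>
#include <stdlib.h>

struct res_entry { struct res_entry *link; uint32_t addr; }; /* hypothetical, not ntpd's struct */

/* Constructed sample data: a list kept in reverse order (head = count, tail = 1). */
struct res_entry *build_list(uint32_t count) {
    struct res_entry *head = NULL;
    for (uint32_t a = 1; a <= count; a++) {
        struct res_entry *e = malloc(sizeof *e);
        if (e == NULL) abort();
        e->addr = a; e->link = head; head = e;
    }
    return head;
}

/* Pattern from the report: one stack frame per entry, so depth == list length. */
size_t dump_recursive(const struct res_entry *e, uint32_t *out, size_t cap) {
    if (e == NULL) return 0;
    size_t n = dump_recursive(e->link, out, cap);
    if (n < cap) out[n++] = e->addr;
    return n;
}

/* In-place reversal with a loop: constant stack use regardless of length. */
struct res_entry *reverse_list(struct res_entry *head) {
    struct res_entry *prev = NULL;
    while (head != NULL) {
        struct res_entry *next = head->link;
        head->link = prev; prev = head; head = next;
    }
    return prev;
}

/* Iterative dump: reverse, walk forward, then restore the original order. */
size_t dump_iterative(struct res_entry **headp, uint32_t *out, size_t cap) {
    struct res_entry *rev = reverse_list(*headp);
    size_t n = 0;
    for (const struct res_entry *e = rev; e != NULL && n < cap; e = e->link)
        out[n++] = e->addr;
    *headp = reverse_list(rev);
    return n;
}

int main(void) { /* a list length that per-entry recursion would not survive */
    enum { N = 1000000 };
    struct res_entry *head = build_list(N);
    uint32_t *out = malloc(N * sizeof *out);
    return !(out && dump_iterative(&head, out, N) == N && out[0] == 1);
}
```

The `cap` argument also covers the report's second option, stopping after a fixed number of entries.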

