[ntp:security] [Bug 2909] New: Slow memory leak in CRYPTO_ASSOC

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Mon Sep 28 09:34:41 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2909

             Bug #: 2909
           Summary: Slow memory leak in CRYPTO_ASSOC
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P4
         Component: Security Bugs
        AssignedTo: perlinger at ntp.org
        ReportedBy: stenn at ntp.org
                CC: bmartin at tenable.com, security at ntp.org
             Group: Security
    Classification: Unclassified


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |blocking4.2.8+

The bug:
------------------------------------------------------------
ntpd processes symmetric active NTPv4 packets carrying multiple
extension fields. This can cause a memory leak, as shown below:

int crypto_recv(...)
{
...
        // loop to process (multiple) extension fields
        while ((has_mac = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
...
                case CRYPTO_ASSOC:

                        /*
                         * If our state machine is running when this
                         * message arrives, the other fellow might have
                         * restarted. However, this could be an
                         * intruder, so just clamp the poll interval and
                         * find out for ourselves. Otherwise, pass the
                         * extension field to the transmit side.
                         */
                        if (peer->crypto & CRYPTO_FLAG_CERT) {
                                rval = XEVNT_ERR;
                                break;
                        }
                        if (peer->cmmd) {
                                if (peer->assoc != associd) {
                                        rval = XEVNT_ERR;
                                        break;
                                }
                        }
                        fp = emalloc(len);
                        memcpy(fp, ep, len);
                        fp->associd = htonl(peer->associd);
                        peer->cmmd = fp;
...
}

Here, when processing an extension field carrying an ASSOC Autokey
message, ntpd allocates a copy of the incoming extension field and
assigns it to peer->cmmd. However, when multiple ASSOC messages are
present in one symmetric active NTPv4 packet, the memory pointed to by
peer->cmmd is not freed before the peer->cmmd = fp assignment
overwrites it. Each extra ASSOC field therefore leaks one allocation,
which could lead to a DoS through memory exhaustion.
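The pattern above, reduced to a stand-alone model (this is an added example, not ntpd's own code): a peer struct with a pending-command pointer, one handler that overwrites the pointer the way the snippet does, and one that releases the stale copy first. The names ext_field_t, peer_t, process_assoc_leaky, process_assoc_fixed, outstanding_after_packet and the live_allocs counter are invented for the example, and the extension field is a fixed-size struct rather than the variable-length field ntpd parses; the counter makes the leak observable without a leak checker.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>   /* htonl(), as used in the ntpd snippet */

/* Simplified Autokey extension field (invented layout, fixed size). */
typedef struct {
        uint32_t opcode;        /* CRYPTO_ASSOC in the real code; unused here */
        uint32_t associd;       /* association id, network byte order */
        uint8_t  payload[16];   /* stand-in for the rest of the field */
} ext_field_t;

/* Just the two peer members the report touches. */
typedef struct {
        uint32_t     associd;
        ext_field_t *cmmd;      /* pending ASSOC command, like peer->cmmd */
} peer_t;

/* Outstanding allocations, so the leak can be measured directly. */
static int live_allocs = 0;

static ext_field_t *alloc_copy(const ext_field_t *ep)
{
        ext_field_t *fp = malloc(sizeof *fp);
        if (fp == NULL)
                abort();
        memcpy(fp, ep, sizeof *fp);
        live_allocs++;
        return fp;
}

static void free_ext(ext_field_t *fp)
{
        if (fp != NULL) {
                free(fp);
                live_allocs--;
        }
}

/* Vulnerable form, mirroring the snippet: the previous copy is dropped
 * without being freed whenever a second ASSOC field is processed. */
static void process_assoc_leaky(peer_t *peer, const ext_field_t *ep)
{
        ext_field_t *fp = alloc_copy(ep);
        fp->associd = htonl(peer->associd);
        peer->cmmd = fp;        /* old copy, if any, is now unreachable */
}

/* Corrected form: release whatever is still pending before overwriting. */
static void process_assoc_fixed(peer_t *peer, const ext_field_t *ep)
{
        ext_field_t *fp = alloc_copy(ep);
        fp->associd = htonl(peer->associd);
        free_ext(peer->cmmd);   /* release the stale command first */
        peer->cmmd = fp;
}

/* Run one packet carrying n_assoc ASSOC fields through either handler and
 * return how many blocks are still outstanding once the transmit side has
 * consumed the single command that is legitimately pending. */
int outstanding_after_packet(int n_assoc, int use_fixed)
{
        peer_t peer = { 42, NULL };
        ext_field_t ep;
        int before = live_allocs;
        int i;

        memset(&ep, 0, sizeof ep);
        ep.opcode = 1;                  /* constructed sample field */
        for (i = 0; i < n_assoc; i++) {
                if (use_fixed)
                        process_assoc_fixed(&peer, &ep);
                else
                        process_assoc_leaky(&peer, &ep);
        }
        free_ext(peer.cmmd);            /* transmit side consumes the command */
        peer.cmmd = NULL;
        return live_allocs - before;
}

int main(void)
{
        printf("blocks leaked per 5-field packet, leaky handler: %d\n",
               outstanding_after_packet(5, 0));
        printf("blocks leaked per 5-field packet, fixed handler: %d\n",
               outstanding_after_packet(5, 1));
        return 0;
}
```

With the leaky handler, a packet with five ASSOC fields leaves four blocks unreachable (one per field beyond the first), which is the per-packet cost the PoC notes below relies on accumulating; with the fixed handler the count is zero regardless of how many fields the packet carries.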

PoC:
------------------------------------------------------------
This PoC tries to cause a memory leak in ntpd.

Target setup and conditions:
- Target ntpd has Autokey (crypto) enabled.
- The host running this script and the target host must not go through
  Network Address Translation.
- Run this script repeatedly with watch -n 1 python ntp_mem_leak.py <target_ip>
- Note that since ntpd limits the maximum extension size to 2048 bytes, it
  can take a long time (days) to exhaust ntpd memory.
