[ntp:security] [Bug 2909] New: Slow memory leak in CRYPTO_ASSOC
bugzilla-daemon at ntp.org
Mon Sep 28 09:34:41 UTC 2015
http://bugs.ntp.org/show_bug.cgi?id=2909
Bug #: 2909
Summary: Slow memory leak in CRYPTO_ASSOC
Product: ntp
Version: 4.2.8
Platform: All
OS/Version: All
Status: CONFIRMED
Severity: normal
Priority: P4
Component: Security Bugs
AssignedTo: perlinger at ntp.org
ReportedBy: stenn at ntp.org
CC: bmartin at tenable.com, security at ntp.org
Group: Security
Classification: Unclassified
Harlan Stenn <stenn at ntp.org> changed:
What            |Removed    |Added
----------------------------------------------------------------------------
Flags           |           |blocking4.2.8+
The bug:
------------------------------------------------------------
ntpd processes symmetric active NTPv4 packets that carry multiple
extension fields. This can cause a memory leak, as shown below:
int crypto_recv(...)
{
    ...
    // loop to process (multiple) extension fields
    while ((has_mac = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
        ...
        case CRYPTO_ASSOC:
            /*
             * If our state machine is running when this
             * message arrives, the other fellow might have
             * restarted. However, this could be an
             * intruder, so just clamp the poll interval and
             * find out for ourselves. Otherwise, pass the
             * extension field to the transmit side.
             */
            if (peer->crypto & CRYPTO_FLAG_CERT) {
                rval = XEVNT_ERR;
                break;
            }
            if (peer->cmmd) {
                if (peer->assoc != associd) {
                    rval = XEVNT_ERR;
                    break;
                }
            }
            fp = emalloc(len);
            memcpy(fp, ep, len);
            fp->associd = htonl(peer->associd);
            /* a buffer already held in peer->cmmd is overwritten here
             * without being freed */
            peer->cmmd = fp;
        ...
}
Here, when processing an extension field that carries an ASSOC Autokey
message, ntpd allocates and copies memory for the incoming extension
and assigns it to peer->cmmd. However, when multiple ASSOC messages
are present in a single symmetric active NTPv4 packet, the memory pointed
to by peer->cmmd is not freed before the peer->cmmd = fp assignment.
This causes a memory leak, which could lead to a DoS.
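To make the reported behaviour concrete, here is an added C model of the CRYPTO_ASSOC branch; it is not ntpd's code, and the peer and exten structs, the emalloc/efree wrappers and the live-allocation counter are constructed stand-ins. It pushes the same sequence of ASSOC fields through the assignment as reported and through a variant that releases the previous peer->cmmd first, and returns how many allocations are still outstanding in each case.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for ntpd's types; only the fields used here. */
struct exten { uint32_t opcode; uint32_t associd; };
struct peer  { uint32_t associd; struct exten *cmmd; };

static long live_allocs;   /* allocations obtained via emalloc() and not yet freed */

static void *emalloc(size_t len) { live_allocs++; return malloc(len); }
static void  efree(void *p)      { if (p) { live_allocs--; free(p); } }

/*
 * Handle one CRYPTO_ASSOC extension field the way crypto_recv() does.
 * fix == 0 reproduces the reported behaviour: the previous peer->cmmd is
 * overwritten and its buffer is lost. fix != 0 releases it first.
 */
static void handle_assoc(struct peer *peer, const struct exten *ep,
                         size_t len, int fix)
{
    struct exten *fp;
    if (fix)
        efree(peer->cmmd);       /* drop the buffer from the previous ASSOC */
    fp = emalloc(len);
    memcpy(fp, ep, len);
    fp->associd = htonl(peer->associd);
    peer->cmmd = fp;
}

/* Feed n ASSOC fields from one packet; return allocations still live
 * after the peer's own cmmd buffer has been released at teardown. */
long assoc_leak_count(int n, int fix)
{
    struct peer  peer = { .associd = 1234, .cmmd = NULL };
    struct exten ep   = { .opcode = 0, .associd = 0 };   /* constructed field */
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        handle_assoc(&peer, &ep, sizeof ep, fix);
    efree(peer.cmmd);
    return live_allocs;
}

int main(void)
{
    printf("8 ASSOC fields, as reported    : %ld leaked\n", assoc_leak_count(8, 0));
    printf("8 ASSOC fields, freeing first  : %ld leaked\n", assoc_leak_count(8, 1));
    return 0;
}
```

With the reported logic every ASSOC field after the first leaks one buffer, so the leak grows linearly with the number of fields per packet and with the packet rate.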
PoC:
------------------------------------------------------------
This PoC tries to cause a memory leak in ntpd.
Target setup and conditions:
- Target ntpd has Autokey (crypto) enabled.
- The host running this script and the target host must not go through
Network Address Translation.
- Run this script repeatedly with: watch -n 1 python ntp_mem_leak.py <target_ip>
- Note that since ntpd limits the maximum extension size to 2048 bytes, it
can take a long time (days) to exhaust ntpd memory.