[ntp:security] security report second
连一汉
lianyihan at 360.cn
Mon Jan 18 10:35:02 UTC 2016
Hi, I’m Lian from Qihoo 360. Did you receive my first security report email? And what’s the status of it?
In this report, I found another vulnerability in ntpd.
Affects: 4.2.8p5 and lower
Summary: If I “addpeer” a peer whose “hmode” is bigger than 7, when I use “findpeer” to find this peer, the code in ntp_peer.c, line 301, will access memory out of bounds.
Details:
Issue codes in ntp_peer.c:
struct peer *findpeer()
...
line_301: *action = MATCH_ASSOC(p->hmode, pkt_mode);
...
But MATCH_ASSOC is defined as:
#define MATCH_ASSOC(x, y) AM[(x)][(y)] //AM[7][7]
int AM[AM_MODES][AM_MODES] = {
/* packet->mode */
/* peer { UNSPEC, ACTIVE, PASSIVE, CLIENT, SERVER, BCAST } */
/* mode */
/*NONE*/{ AM_ERR, AM_NEWPASS, AM_NOMATCH, AM_FXMIT, AM_MANYCAST, AM_NEWBCL},
/*A*/ { AM_ERR, AM_PROCPKT, AM_PROCPKT, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
/*P*/ { AM_ERR, AM_PROCPKT, AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
/*C*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT, AM_NOMATCH},
/*S*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
/*BCST*/{ AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH},
/*BCL*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT},
};
Here is the screenshot:
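The unchecked lookup the report describes, shown beside a bounds-checked form, as an added example that is neither code from the report nor from ntpd: the table keeps the same 7x7 shape and row/column layout as above, and the wrapper names (match_assoc_checked, lookup_or_default) are assumed. The hardened lookup rejects any hmode or packet mode outside the table instead of indexing past it.

```c
/* Added example, not ntpd source: the AM table laid out as in the report,
 * the original unchecked macro, and a bounds-checked replacement. */
#include <stddef.h>

#define AM_MODES 7
/* Symbolic stand-ins for ntpd's AM_* action codes (values are constructed). */
enum { AM_ERR = 0, AM_NOMATCH, AM_PROCPKT, AM_NEWPASS, AM_FXMIT, AM_MANYCAST, AM_NEWBCL };

/* 7 peer modes (rows) x packet modes (columns), as in the report; the
 * unlisted seventh column of each row is zero-initialised, i.e. AM_ERR. */
static const int AM[AM_MODES][AM_MODES] = {
    /*NONE*/ { AM_ERR, AM_NEWPASS, AM_NOMATCH, AM_FXMIT,   AM_MANYCAST, AM_NEWBCL   },
    /*A*/    { AM_ERR, AM_PROCPKT, AM_PROCPKT, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH  },
    /*P*/    { AM_ERR, AM_PROCPKT, AM_ERR,     AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH  },
    /*C*/    { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT,  AM_NOMATCH  },
    /*S*/    { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH  },
    /*BCST*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH  },
    /*BCL*/  { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_PROCPKT  },
};

/* The original macro: no range check, so an hmode >= AM_MODES reads past
 * the end of the table (the out-of-bounds access the report describes). */
#define MATCH_ASSOC(x, y) AM[(x)][(y)]

/* Hardened lookup: validates both indices before touching the table.
 * Returns 1 and stores the action on success, 0 (and leaves *action
 * untouched) when either index lies outside the table. */
int match_assoc_checked(int hmode, int pkt_mode, int *action)
{
    if (hmode < 0 || hmode >= AM_MODES || pkt_mode < 0 || pkt_mode >= AM_MODES)
        return 0;
    *action = MATCH_ASSOC(hmode, pkt_mode);
    return 1;
}

/* Convenience wrapper: the table entry, or dflt when the indices are bad. */
int lookup_or_default(int hmode, int pkt_mode, int dflt)
{
    int action = dflt;
    if (!match_assoc_checked(hmode, pkt_mode, &action))
        return dflt;
    return action;
}
```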