[ntp:security] security report second

连一汉 lianyihan at 360.cn
Mon Jan 18 10:35:02 UTC 2016


Hi, I’m Lian from Qihoo 360. Did you receive my first security report email? And what’s the status of it?

In this report, I found another vulnerability in ntpd.

Affects : 4.2.8p5 and lower

Summary: If I “addpeer” a peer whose “hmode” is bigger than 7, then when I use “findpeer” to find this peer, the code in ntp_peer.c at line 301 will access memory out of bounds.

Details:

       Issue code in ntp_peer.c:

       struct peer *findpeer()
              ...
              line_301: *action = MATCH_ASSOC(p->hmode, pkt_mode);
              ...

But MATCH_ASSOC is defined as:

#define MATCH_ASSOC(x, y)   AM[(x)][(y)]                              //AM[7][7]

int AM[AM_MODES][AM_MODES] = {
/*                  packet->mode                                          */
/* peer { UNSPEC,   ACTIVE,     PASSIVE,    CLIENT,     SERVER,      BCAST } */
/* mode */
/*NONE*/ { AM_ERR, AM_NEWPASS, AM_NOMATCH, AM_FXMIT,   AM_MANYCAST, AM_NEWBCL},
/*A*/    { AM_ERR, AM_PROCPKT, AM_PROCPKT, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH},
/*P*/    { AM_ERR, AM_PROCPKT, AM_ERR,     AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH},
/*C*/    { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT,  AM_NOMATCH},
/*S*/    { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH},
/*BCST*/ { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH},
/*BCL*/  { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_PROCPKT},
};

Here is the screenshot:

[cid:image002.jpg at 01D1521E.CEB574F0]
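Added example, not part of Lian's report and not ntpd's own code: the fix a maintainer would want here is to refuse an out-of-range hmode at the point where the peer is created and, defensively, to bounds-check both indices before the AM table is read. The AM table below is copied from the report; AM_MODES, the AM_* action values and the numeric packet modes (3 = client, 4 = server) are assumed to follow ntpd's ntp.h, and AM_ERR == 0 is what makes the zero-filled seventh column read as an error. The peer list is constructed for the demonstration.

```c
#include <stdio.h>

#define AM_MODES 7

/* Assumed ordering of ntpd's association actions (AM_ERR must be 0). */
enum am_action {
    AM_ERR, AM_NOMATCH, AM_PROCPKT, AM_BCST, AM_FXMIT,
    AM_MANYCAST, AM_NEWPASS, AM_NEWBCL, AM_POSSBCL
};

/* Table copied from the report; rows = peer hmode, columns = packet mode.
 * Only six initializers per row, so column 6 is zero-filled (AM_ERR). */
static const int AM[AM_MODES][AM_MODES] = {
/*           UNSPEC  ACTIVE      PASSIVE     CLIENT      SERVER       BCAST      */
/*NONE*/   { AM_ERR, AM_NEWPASS, AM_NOMATCH, AM_FXMIT,   AM_MANYCAST, AM_NEWBCL  },
/*A*/      { AM_ERR, AM_PROCPKT, AM_PROCPKT, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH },
/*P*/      { AM_ERR, AM_PROCPKT, AM_ERR,     AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH },
/*C*/      { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_PROCPKT,  AM_NOMATCH },
/*S*/      { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH },
/*BCST*/   { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_NOMATCH },
/*BCL*/    { AM_ERR, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH, AM_NOMATCH,  AM_PROCPKT },
};

/* Check to apply when a peer is added: hmode must index a table row. */
int hmode_is_valid(int hmode)
{
    return hmode >= 0 && hmode < AM_MODES;
}

/* Bounds-checked replacement for MATCH_ASSOC(). Returns 1 and sets *action
 * on success; returns 0 and sets *action = AM_ERR if either index would
 * read outside the table. */
int match_assoc_checked(int hmode, int pkt_mode, int *action)
{
    if (!hmode_is_valid(hmode) || pkt_mode < 0 || pkt_mode >= AM_MODES) {
        *action = AM_ERR;
        return 0;
    }
    *action = AM[hmode][pkt_mode];
    return 1;
}

/* Convenience wrapper: the action alone, AM_ERR for any rejected lookup. */
int lookup_action(int hmode, int pkt_mode)
{
    int action;
    match_assoc_checked(hmode, pkt_mode, &action);
    return action;
}

/* Minimal stand-in for the peer list that findpeer() walks. */
struct peer_stub { int hmode; };

/* Constructed sample: a client peer, a server peer, and one whose hmode (8)
 * would have indexed past the table in the unchecked version. */
struct peer_stub sample_peers[] = { {3}, {4}, {8} };
int g_skipped;

/* Walk the peers the way findpeer() does, but skip any peer whose hmode
 * fails the check instead of indexing AM with it. Returns AM_PROCPKT if
 * some valid peer can process the packet, otherwise AM_ERR. */
int find_action_for_packet(const struct peer_stub *peers, int npeers,
                           int pkt_mode, int *skipped)
{
    int i, action, result = AM_ERR;
    *skipped = 0;
    for (i = 0; i < npeers; i++) {
        if (!match_assoc_checked(peers[i].hmode, pkt_mode, &action)) {
            (*skipped)++;
            continue;
        }
        if (action == AM_PROCPKT)
            result = action;
    }
    return result;
}

int main(void)
{
    int action = find_action_for_packet(sample_peers, 3, 4, &g_skipped);
    printf("action=%d skipped=%d\n", action, g_skipped);
    return 0;
}
```

Two things to take from this: the validity check belongs at peer creation (the "addpeer" path the report names), because a rejected configuration is easier to diagnose than a silently skipped peer; and the lookup check is still worth keeping, since it also covers the packet-mode index and the zero-filled seventh column, which the table initializer never sets.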


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/private/security/attachments/20160118/644087b5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 76530 bytes
Desc: image002.jpg
URL: <http://lists.ntp.org/private/security/attachments/20160118/644087b5/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.py
Type: application/octet-stream
Size: 2094 bytes
Desc: poc.py
URL: <http://lists.ntp.org/private/security/attachments/20160118/644087b5/attachment-0001.obj>