[ntp:security] [Bug 3082] test #1

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Jul 5 10:53:23 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3082

--- Comment #2 from Magnus Stubman <magnus at stubman.eu> 2016-07-05 10:53:23 UTC ---
The attached payload will result in a null pointer dereference in ntpd 4.2.8p8, producing the following valgrind report:

==9332== Memcheck, a memory error detector
==9332== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==9332== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==9332== Command: ./ntp-4.2.8p8-noinstrumentation/ntpd/ntpd -n -I lo -c /home/dude/resources/ntp.conf
==9332== 
28 Jun 21:12:09 ntpd[9332]: ntpd 4.2.8p8 at 1.3265-o Tue Jun 28 14:42:51 UTC 2016 (1): Starting
28 Jun 21:12:09 ntpd[9332]: Command line: ./ntp-4.2.8p8/ntpd/ntpd -n -I lo -c ntp.conf
28 Jun 21:12:10 ntpd[9332]: proto: precision = 3.521 usec (-18)
28 Jun 21:12:10 ntpd[9332]: switching logging to file /dev/null
28 Jun 21:12:10 ntpd[9332]: Listen and drop on 0 v6wildcard [::]:123
28 Jun 21:12:10 ntpd[9332]: Listen and drop on 1 v4wildcard 0.0.0.0:123
28 Jun 21:12:10 ntpd[9332]: Listen normally on 2 lo 127.0.0.1:123
28 Jun 21:12:10 ntpd[9332]: Listen normally on 3 lo [::1]:123
28 Jun 21:12:10 ntpd[9332]: Listening on routing socket on fd #20 for interface updates
==9332== Invalid read of size 1
==9332==    at 0x5A3C540: rawmemchr (rawmemchr.S:25)
==9332==    by 0x5A278A1: _IO_str_init_static_internal (strops.c:44)
==9332==    by 0x5A1C486: vsscanf (iovsscanf.c:43)
==9332==    by 0x5A16D76: sscanf (sscanf.c:32)
==9332==    by 0x41B826: read_mru_list (ntp_control.c:4047)
==9332==    by 0x42C1D9: receive (ntp_proto.c:659)
==9332==    by 0x414C5F: ntpdmain (ntpd.c:1329)
==9332==    by 0x4060A8: main (ntpd.c:392)
==9332==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9332== 
==9332== 
==9332== Process terminating with default action of signal 11 (SIGSEGV)
==9332==  Access not within mapped region at address 0x0
==9332==    at 0x5A3C540: rawmemchr (rawmemchr.S:25)
==9332==    by 0x5A278A1: _IO_str_init_static_internal (strops.c:44)
==9332==    by 0x5A1C486: vsscanf (iovsscanf.c:43)
==9332==    by 0x5A16D76: sscanf (sscanf.c:32)
==9332==    by 0x41B826: read_mru_list (ntp_control.c:4047)
==9332==    by 0x42C1D9: receive (ntp_proto.c:659)
==9332==    by 0x414C5F: ntpdmain (ntpd.c:1329)
==9332==    by 0x4060A8: main (ntpd.c:392)
==9332==  If you believe this happened as a result of a stack
==9332==  overflow in your program's main thread (unlikely but
==9332==  possible), you can try to increase the size of the
==9332==  main thread stack using the --main-stacksize= flag.
==9332==  The main thread stack size used in this run was 204800.
==9332== 
==9332== HEAP SUMMARY:
==9332==     in use at exit: 121,112 bytes in 2,697 blocks
==9332==   total heap usage: 2,865 allocs, 168 frees, 411,562 bytes allocated
==9332== 
==9332== LEAK SUMMARY:
==9332==    definitely lost: 0 bytes in 0 blocks
==9332==    indirectly lost: 0 bytes in 0 blocks
==9332==      possibly lost: 992 bytes in 1 blocks
==9332==    still reachable: 120,120 bytes in 2,696 blocks
==9332==         suppressed: 0 bytes in 0 blocks
==9332== Rerun with --leak-check=full to see details of leaked memory
==9332== 
==9332== For counts of detected and suppressed errors, rerun with: -v
==9332== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
The following ntp.conf was used:

# Use the local clock
server 127.127.1.0 prefer
fudge  127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008

logfile /dev/null
#logfile /tmp/ntp.log

# Give localhost full access rights
#restrict 127.0.0.1

# Given local machine access to query
#restrict 172.16.59.179 mask 255.255.255.255 nomodify notrap
#restrict 10.0.1.24 mask 255.255.255.255 nomodify notrap
restrict 127.0.0.1 mask 255.255.255.255 nomodify notrap

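The crash above is a Memcheck "Invalid read" whose fault address is 0x0, with the first non-libc frame in read_mru_list (ntp_control.c:4047). Triaging reports like this by hand is error-prone, so the following is an added example, written for this page and not part of the bug report or the ntp project, of a small parser that reads valgrind Memcheck output, classifies the fault from the "Address ..." note, and picks out the first frame that belongs to the project being tested. The embedded sample is an abbreviated copy of the report in this comment; the `project_prefix` heuristic (source files starting with "ntp") and the classification rules are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Abbreviated copy of the Memcheck report from the bug comment above; the
# ntpd log lines in the original (no ==PID== prefix) are skipped by the parser.
SAMPLE_REPORT = """\
==9332== Memcheck, a memory error detector
==9332== Command: ./ntpd -n -I lo -c ntp.conf
28 Jun 21:12:10 ntpd[9332]: Listen normally on 2 lo 127.0.0.1:123
==9332== Invalid read of size 1
==9332==    at 0x5A3C540: rawmemchr (rawmemchr.S:25)
==9332==    by 0x5A278A1: _IO_str_init_static_internal (strops.c:44)
==9332==    by 0x5A1C486: vsscanf (iovsscanf.c:43)
==9332==    by 0x5A16D76: sscanf (sscanf.c:32)
==9332==    by 0x41B826: read_mru_list (ntp_control.c:4047)
==9332==    by 0x42C1D9: receive (ntp_proto.c:659)
==9332==    by 0x414C5F: ntpdmain (ntpd.c:1329)
==9332==    by 0x4060A8: main (ntpd.c:392)
==9332==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9332== 
==9332== Process terminating with default action of signal 11 (SIGSEGV)
==9332==  Access not within mapped region at address 0x0
==9332==    at 0x5A3C540: rawmemchr (rawmemchr.S:25)
==9332== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?")
ERROR_RE = re.compile(r"^(Invalid (?:read|write) of size \d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (.+)$")
SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\)")


@dataclass
class Frame:
    addr: int
    func: str
    location: str  # "file:line" exactly as valgrind prints it


@dataclass
class MemcheckError:
    kind: str
    frames: List[Frame] = field(default_factory=list)
    fault_addr: Optional[int] = None
    addr_note: str = ""


def parse_memcheck(text: str) -> Tuple[List[MemcheckError], Optional[Tuple[int, str]]]:
    """Return (errors, terminating_signal) from raw Memcheck output."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    signal: Optional[Tuple[int, str]] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # the program's own stdout/stderr, not valgrind
        line = raw[m.end():]
        em = ERROR_RE.match(line)
        if em:
            current = MemcheckError(kind=em.group(1))
            errors.append(current)
            continue
        if "Process terminating" in line:
            sm = SIGNAL_RE.search(line)
            if sm:
                signal = (int(sm.group(1)), sm.group(2))
            current = None
            continue
        if current is None:
            continue
        fm = FRAME_RE.match(line)
        am = ADDR_RE.match(line)
        if fm:
            current.frames.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
        elif am:
            current.fault_addr = int(am.group(1), 16)
            current.addr_note = am.group(2)
            current = None  # the "Address ... is ..." note closes the error block
    return errors, signal


def classify(err: MemcheckError) -> str:
    """Heuristic bug class from the fault address and valgrind's note (assumed rules)."""
    if err.fault_addr is not None and err.fault_addr < 0x1000:
        return "null-pointer dereference"  # fault inside the unmapped zero page
    if "inside a block" in err.addr_note and "free'd" in err.addr_note:
        return "use-after-free"
    if "after a block" in err.addr_note or "before a block" in err.addr_note:
        return "heap out-of-bounds"
    return "unclassified invalid access"


def first_project_frame(err: MemcheckError, project_prefix: str) -> Optional[Frame]:
    """First frame whose source file belongs to the project (skips libc frames)."""
    for f in err.frames:
        if f.location.startswith(project_prefix):
            return f
    return None


def triage(text: str, project_prefix: str) -> dict:
    errors, signal = parse_memcheck(text)
    summary = []
    for e in errors:
        pf = first_project_frame(e, project_prefix)
        summary.append({
            "kind": e.kind,
            "class": classify(e),
            "fault_addr": e.fault_addr,
            "top_frame": e.frames[0].func if e.frames else None,
            "project_frame": f"{pf.func} ({pf.location})" if pf else None,
        })
    return {"errors": summary, "signal": signal}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, "ntp"))
```

Run against the full report, the parser yields one error classified as a null-pointer dereference with `read_mru_list (ntp_control.c:4047)` as the first project frame, which is the line a maintainer would open first; the libc frames above it (sscanf and its helpers) only show where the NULL was consumed, not where it came from.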