[ntp:security] NTPd security bugs by Defensics overflow sequence

Renwang Liu renwang.liu at ericsson.com
Mon Jun 27 06:37:05 UTC 2016


Hi,
We have come across this issue using the Defensics tool (overflow_sequence) for the security test of the NTP server.

Linux (defensics )------------ntpd (SUT)

- STATE THE PROBLEM IMPACT
Overflow anomalies are exceptionally long strings attempting to discover stack and heap based buffer overflow vulnerabilities, weaknesses in memory buffer boundary checking and other such faults in System Under Test (SUT). Overflow anomalies may be placed anywhere in a protocol message, but they are especially effective when applied to variable length protocol elements. In the common case, overflow anomalies are made out of long repetitions of printable ASCII characters or other terminal symbols defined in the protocol.
In the case of the router, a simple overflow packet sent to NTPd causes a Denial of Service (the NTPd process doesn't respond any more).
Motivation:
The NTPd process is used for timestamping the logs and event synchronization on the Spitfire node. DoS of this process can cause log timestamp desynchronization, which will cause issues when troubleshooting the live nodes, as timestamps will be incorrect and it will be close to impossible to match the logs from different devices on the network. The actual packet, along with the pcap captures used for this case, can be found in the enclosures.

- HOW TO REPRODUCE THE FAULT
Send attached packet towards the node on NTP port.
- TOPOLOGY
P1S (R17A/R16A) <--- copper cable ---> Linux box
- FREQUENCY
100%
- WORKAROUND
N/A
- RECOVERY
Node restart or NTPd process restart

Please see the attachment; the pcap shows ntpd going down due to the overflow packet (No. 61, 1065 bytes), for your reference.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpd_down.pcapng
Type: application/octet-stream
Size: 31320 bytes
Desc: ntpd_down.pcapng
URL: <http://lists.ntp.org/private/security/attachments/20160627/9144427d/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overflow_sequence
Type: application/octet-stream
Size: 32 bytes
Desc: overflow_sequence
URL: <http://lists.ntp.org/private/security/attachments/20160627/9144427d/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpd_dos.rar
Type: application/octet-stream
Size: 2513 bytes
Desc: ntpd_dos.rar
URL: <http://lists.ntp.org/private/security/attachments/20160627/9144427d/attachment-0005.obj>
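The overflow anomalies described in the report target length handling in variable-length protocol elements. The check below is an added example, not code from the reporter or from the ntpd project: it walks an NTP datagram's extension fields the way a hardened receiver or a network sensor would, and flags length fields that overrun the buffer, oversized datagrams, and long repeated-byte runs of the kind Defensics sends. The sample datagrams are constructed here rather than taken from the attached pcap, and the 512-byte ceiling is an assumed local policy value.

```python
import struct

NTP_HEADER_LEN = 48          # fixed header, RFC 5905 section 7.3
EXT_MIN_LEN = 16             # minimum extension field length, RFC 7822
MAC_LENS = {4 + 16, 4 + 20}  # key id + MD5 or SHA-1 digest


def check_ntp_datagram(data: bytes, max_len: int = 512) -> list[str]:
    """Return findings for one UDP payload; an empty list means it parsed cleanly.
    max_len is an assumed site policy, not a protocol limit."""
    findings = []
    if len(data) < NTP_HEADER_LEN:
        return [f"short packet: {len(data)} bytes"]
    if len(data) > max_len:
        findings.append(f"oversized datagram: {len(data)} > {max_len}")
    version = (data[0] >> 3) & 0x7
    if version not in (3, 4):
        findings.append(f"unexpected version {version}")
    off = NTP_HEADER_LEN
    # Everything after the header is extension fields followed by an optional MAC;
    # a remainder no larger than a MAC is treated as the MAC.
    while len(data) - off > max(MAC_LENS):
        ftype, flen = struct.unpack_from("!HH", data, off)
        if flen < EXT_MIN_LEN or flen % 4:
            findings.append(f"bad ext field length {flen} at offset {off}")
            return findings
        if off + flen > len(data):
            # The declared length reaches past the buffer: exactly the case a
            # naive memcpy on the length field would overrun.
            findings.append(f"ext field length {flen} overruns datagram at offset {off}")
            return findings
        value = data[off + 4:off + flen]
        # Overflow anomalies are long repetitions of one printable byte.
        if len(value) >= 64 and len(set(value.rstrip(b"\0"))) == 1:
            findings.append(f"repeated-byte payload ({len(value)} bytes) in ext field 0x{ftype:04x}")
        off += flen
    trailer = len(data) - off
    if trailer and trailer not in MAC_LENS:
        findings.append(f"trailing {trailer} bytes are neither an extension field nor a MAC")
    return findings


def _ext(ftype: int, value: bytes) -> bytes:
    """Build one extension field: type, total length, value padded to 4 bytes."""
    body = value + b"\0" * (-len(value) % 4)
    return struct.pack("!HH", ftype, 4 + len(body)) + body


# Constructed samples (not the reporter's packets). 0x23 = LI 0, version 4, client mode.
NORMAL_REQUEST = bytes([0x23]) + bytes(47)
LONG_RUN = NORMAL_REQUEST + _ext(0x0001, b"A" * 1013)          # ~1 KiB of 'A', 1068 bytes total
LYING_LENGTH = NORMAL_REQUEST + struct.pack("!HH", 1, 4000) + b"B" * 28
```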