[ntp:security] ntpq stack buffer overflow

Macnair, Michael Michael.Macnair at thales-esecurity.com
Wed Jul 5 17:27:50 UTC 2017


The cookedprint function in ntpq.c 4.2.8p10 calls the decodearr function, which writes beyond the end of stack buffer 'buf' when copying from an unvalidated user-supplied buffer:
    char buf[60];
    bp = buf;
    while (!isspace((int)*cp) && *cp != '\0')
        *bp++ = *cp++;

I haven't attempted to determine how exploitable this is on different distros. I suspect the impact is similar to CVE-2009-0159. Sample input to cookedprint attached.

This was found through fuzzing cookedprint. Other lower-impact issues uncovered:
 - any response with a variable name but no value leads to a null pointer dereference.
 - there are some buffer overreads in nextvar (sample input to cookedprint attached; the overread may only be detected with ASAN). I believe the impact is at worst DoS of ntpq.
 - there are various ways to trigger asserts in caltontp.c - these have very limited impact (safe abort of ntpq).

A basic patch is attached for the null pointer derefs and the buffer overflow.

I haven't requested a CVE for the overflow; please let me know if you will or you'd prefer me to (and if me, via what CNA).

Michael Macnair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decodearr-overflow
Type: application/octet-stream
Size: 1205 bytes
Desc: decodearr-overflow
URL: <http://lists.ntp.org/private/security/attachments/20170705/32a87754/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nextvar-overread-1
Type: application/octet-stream
Size: 16385 bytes
Desc: nextvar-overread-1
URL: <http://lists.ntp.org/private/security/attachments/20170705/32a87754/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpq.patch
Type: application/octet-stream
Size: 1862 bytes
Desc: ntpq.patch
URL: <http://lists.ntp.org/private/security/attachments/20170705/32a87754/attachment-0005.obj>
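The following is an added illustration of the overflow pattern described in the report above; it is not ntpq's code, not the attached patch, and not part of the original message. It models the decodearr() token copy loop as a standalone function: longest_token() computes how many bytes the unbounded loop would write into a 60-byte buffer for a given input, and decodearr_bounded() is one way to bound the copy, refusing the whole input rather than silently truncating. The buffer size 60 comes from the report; the array limit of 8 entries and the sample inputs are assumptions constructed for the example.

```c
/* Added example: model of the unbounded token copy in ntpq's decodearr()
 * beside a bounds-checked replacement.  Not ntpq's code. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ  60   /* matches "char buf[60]" quoted in the report */
#define MAXARR 8    /* assumed: number of array entries the caller accepts */

/* Constructed sample inputs (not from the attached test cases). */
static const char SAMPLE_OK[] = "0.001 0.002 0.003";
/* 59 characters: the largest token that still fits with its NUL terminator. */
static const char SAMPLE_FITS[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAA";
/* 60 characters: the original loop writes 61 bytes (token + NUL) into buf[60]. */
static const char SAMPLE_OVERFLOW[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Length of the longest whitespace-delimited token in str.  The quoted loop
 * copies every such token plus a terminating NUL into buf without checking
 * the length, so a token of BUFSZ or more bytes runs past the end of buf. */
size_t longest_token(const char *str)
{
    size_t best = 0, cur = 0;
    for (const char *cp = str; ; cp++) {
        /* cast to unsigned char: isspace() on a negative char is undefined */
        if (*cp == '\0' || isspace((unsigned char)*cp)) {
            if (cur > best)
                best = cur;
            cur = 0;
            if (*cp == '\0')
                break;
        } else {
            cur++;
        }
    }
    return best;
}

/* 1 if the unbounded copy would write past a BUFSZ-byte stack buffer. */
int would_overflow(const char *str)
{
    return longest_token(str) + 1 > BUFSZ;
}

/* Bounded replacement: copies up to MAXARR whitespace-separated tokens into
 * out[], returning 1 on success or 0 if any token would not fit.  Rejecting
 * the input keeps the "return 0 on bad input" convention rather than
 * truncating a token into a different (and possibly still parseable) value. */
int decodearr_bounded(const char *str, int *narr, char out[MAXARR][BUFSZ])
{
    const char *cp = str;
    *narr = 0;
    while (*narr < MAXARR) {
        while (isspace((unsigned char)*cp))
            cp++;
        if (*cp == '\0')
            break;
        char *bp  = out[*narr];
        char *end = bp + BUFSZ - 1;          /* reserve one byte for the NUL */
        while (!isspace((unsigned char)*cp) && *cp != '\0') {
            if (bp == end)
                return 0;                    /* token too long: refuse input */
            *bp++ = *cp++;
        }
        *bp = '\0';
        (*narr)++;
    }
    return 1;
}

/* Convenience wrapper: number of tokens parsed, or -1 if the input is refused. */
int parse_count(const char *str)
{
    char out[MAXARR][BUFSZ];
    int n;
    return decodearr_bounded(str, &n, out) ? n : -1;
}

int main(void)
{
    const char *inputs[] = { SAMPLE_OK, SAMPLE_FITS, SAMPLE_OVERFLOW };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("longest token %2zu bytes, unbounded loop overflows: %d, "
               "bounded parse result: %d\n",
               longest_token(inputs[i]), would_overflow(inputs[i]),
               parse_count(inputs[i]));
    return 0;
}
```

The model keeps the same control flow as the quoted loop, so the only behavioural change is the `bp == end` check; the 59- versus 60-character samples show the exact boundary at which the unbounded copy begins writing past the buffer.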
