[ntp:security] [Bug 3414] ntpq: decodearr() can write beyond its 'buf' limits

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 8 10:15:44 UTC 2017


https://bugs.ntp.org/show_bug.cgi?id=3414

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P3
                 CC|                            |michael.macnair at thales-esec
                   |                            |urity.com
            Summary|test1                       |ntpq: decodearr() can write
                   |                            |beyond its 'buf' limits
           Severity|enhancement                 |normal

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2017-07-06 08:51:17 UTC ---
The cookedprint function in ntpq.c 4.2.8p10 calls the decodearr function, which
writes beyond the end of stack buffer 'buf' when copying from an unvalidated
user-supplied buffer:

               char buf[60];
               ...
               bp = buf;
               /* terminates only on whitespace or NUL; nothing compares bp
                  against buf + sizeof(buf), so a long token runs off the end */
               while (!isspace((int)*cp) && *cp != '\0')
                    *bp++ = *cp++;

I haven't attempted to determine how exploitable this is on different distros. I
suspect the impact is similar to CVE-2009-0159. Sample input to cookedprint
attached.

This was found through fuzzing cookedprint. Other lower-impact issues
uncovered:
 - any response with a variable name but no value leads to a null pointer
dereference.
 - there are some buffer overreads in nextvar (sample input to cookedprint
attached; the overread may only be detected with ASAN). I believe the impact is
at worst DoS of ntpq.
 - there are various ways to trigger asserts in caltontp.c - these have very
limited impact (safe abort of ntpq).

A basic patch is attached for the null pointer derefs and the buffer overflow.

I haven't requested a CVE for the overflow; please let me know if you will or
you'd prefer me to (and if me, via what CNA).

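The defect reported above, reduced to a stand-alone C demonstration. This is an added example, not code from ntpq.c or from the attached patch: copy_token_unbounded mirrors the shape of the original loop (stop only on whitespace or NUL), and copy_token_bounded is an assumed replacement that refuses any token that would not fit in the 60-byte destination. The 100-byte "hostile" token is constructed input standing in for a response from a malicious or compromised server.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of the run of non-space bytes at cp: exactly the bytes the
 * original ntpq loop copies before it stops.  Reading is bounded by
 * the NUL terminator, so this scan is safe; only the write was not. */
size_t token_len(const char *cp)
{
    size_t n = 0;
    while (!isspace((unsigned char)cp[n]) && cp[n] != '\0')
        n++;
    return n;
}

/* Same shape as the original copy: it stops on whitespace or NUL and
 * never compares bp against the end of 'buf'.  Kept only to show the
 * defect; never call it with input the peer controls. */
void copy_token_unbounded(char *buf, const char *cp)
{
    char *bp = buf;
    while (!isspace((unsigned char)*cp) && *cp != '\0')
        *bp++ = *cp++;
    *bp = '\0';
}

/* Assumed hardened form: copies at most bufsz-1 bytes and NUL-terminates.
 * Returns the token length on success, or -1 when the token does not fit
 * (buf is then emptied so a caller cannot act on a half-copied value). */
int copy_token_bounded(char *buf, size_t bufsz, const char *cp)
{
    size_t n = token_len(cp);
    if (bufsz == 0)
        return -1;
    if (n >= bufsz) {          /* need n bytes plus the terminator */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, cp, n);
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[60];               /* same size as the stack buffer in decodearr() */
    char hostile[128];          /* constructed: 100 non-space bytes, no separator */

    memset(hostile, 'A', 100);
    hostile[100] = '\0';

    printf("token needs %zu bytes, buf holds %zu\n",
           token_len(hostile), sizeof buf);
    if (copy_token_bounded(buf, sizeof buf, hostile) < 0)
        printf("rejected: token would overflow buf\n");

    /* A well-formed response still decodes normally. */
    if (copy_token_bounded(buf, sizeof buf, "1.2.3.4 5.6.7.8") > 0)
        printf("first token: %s\n", buf);
    return 0;
}
```

Rejecting an oversized token rather than silently truncating it is the safer choice for a decoder like this one: a truncated address or timestamp would be parsed as a different, still plausible value, while an error surfaces the malformed response to the user.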