[ntp:security] Report an issue with ntpdc 4.2.8p13 improper boundary check

施伟铭 weiming.shi at chaitin.com
Sat Feb 29 10:48:33 UTC 2020


There is an improper bounds check in the ntpdc code of ntp 4.2.8p13.

Line 1286 of ntp-4.2.8p13\ntpdc\ntpdc.c:

[image: image.png]
The tokens array is declared as

 char *tokens[1+MAXARGS+MOREARGS+2]; // 1 + 4 + 10 + 2 == 17 entries (indices 0-16)

Line 1148:
[image: image.png]

The bounds check is on line 1285:
[image: image.png]
MAXTOKENS is defined as #define MAXTOKENS   (1+1+MAXARGS+MOREARGS+2)
So MAXTOKENS is 1 + 1 + 4 + 10 + 2 = 18, while the tokens array only has 17
entries (indices 0-16). The loop in tokenize() is bounded by MAXTOKENS rather
than by the size of the array it fills, so when ntok reaches 17 the write
tokens[ntok] goes one entry past the end of the array. The ASan frame report
below agrees: 'tokens' occupies [32, 168), i.e. 136 bytes or 17 eight-byte
pointers, and the faulting 8-byte write lands at offset 168.
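
Added example, not ntpdc's code: a tokenizer whose loop bound is the capacity of the array it actually fills, run on a constructed 18-word line against a 17-slot array, the exact case where a MAXTOKENS-bounded loop writes past the end. MAXARGS = 4 and MOREARGS = 10 are assumed from the arithmetic in the report; the function names are hypothetical.

```c
#include <ctype.h>
#include <string.h>

#define MAXARGS  4   /* value assumed from the report's arithmetic */
#define MOREARGS 10  /* value assumed from the report's arithmetic */
/* tokens[] in docmd(): 1 + 4 + 10 + 2 = 17 slots (indices 0-16). */
#define TOKENS_SLOTS (1 + MAXARGS + MOREARGS + 2)
/* loop bound in tokenize(): 1 + 1 + 4 + 10 + 2 = 18, one more than tokens[] holds. */
#define MAXTOKENS    (1 + 1 + MAXARGS + MOREARGS + 2)

/* Split line on whitespace into at most cap tokens (text copied into store).
 * The loop is bounded by the capacity of the array being filled, not by a
 * separately maintained constant, so tokens[cap] is never written. */
static size_t
tokenize_bounded(const char *line, char **tokens, size_t cap,
                 char *store, size_t store_len, int *truncated)
{
    size_t ntok = 0, used = 0;
    const char *cp = line;
    *truncated = 0;
    for (;;) {
        while (isspace((unsigned char)*cp)) cp++;
        if (*cp == '\0') break;
        if (ntok == cap) { *truncated = 1; break; }    /* bound == array size */
        size_t len = 0;
        while (cp[len] != '\0' && !isspace((unsigned char)cp[len])) len++;
        if (used + len + 1 > store_len) { *truncated = 1; break; }
        memcpy(store + used, cp, len);
        store[used + len] = '\0';
        tokens[ntok++] = store + used;
        used += len + 1;
        cp += len;
    }
    return ntok;
}

/* Constructed input: a line of MAXTOKENS (18) words fed into a 17-slot array,
 * the case where a MAXTOKENS-bounded loop writes tokens[17] out of bounds. */
static size_t
run_demo(int *truncated)
{
    char *tokens[TOKENS_SLOTS], store[128], line[64] = "";
    for (int i = 0; i < MAXTOKENS; i++) strcat(line, "w ");
    return tokenize_bounded(line, tokens, sizeof tokens / sizeof tokens[0],
                            store, sizeof store, truncated);
}
static size_t demo_tokens_stored(void) { int t; return run_demo(&t); }
static int    demo_was_truncated(void) { int t; run_demo(&t); return t; }
```

With the bound tied to the array, the 18th word is reported as truncation instead of becoming the 8-byte write at offset 168 that ASan flags above.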

-----------------------------------------------------------
*This is my backtrace. The PoC is located in the attachment.*
=================================================================
==49930==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeec7e4a08 at pc 0x55df8c86d05b bp 0x7ffeec7e48c0 sp 0x7ffeec7e48b0
WRITE of size 8 at 0x7ffeec7e4a08 thread T0
    #0 0x55df8c86d05a in tokenize /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:1286
    #1 0x55df8c86d05a in docmd /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:1164
    #2 0x55df8c872607 in getcmds /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:1112
    #3 0x55df8c872607 in ntpdcmain /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:377
    #4 0x7f6387bffb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55df8c8683b9 in _start (/home/swing/Desktop/ntp-4.2.8p13/ntpdc/ntpdc-asan+0x273b9)

Address 0x7ffeec7e4a08 is located in stack of thread T0 at offset 168 in frame
    #0 0x55df8c86b98f in docmd /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:1147

  This frame has 2 object(s):
    [32, 168) 'tokens' <== Memory access at offset 168 overflows this variable
    [224, 1136) 'pcmd'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/swing/Desktop/ntpd/ntp-4.2.8p13/ntpdc/ntpdc.c:1286 in tokenize
==49930==ABORTING
-------------- next part --------------
A non-text attachment was scrubbed...
Name: report.7z
Type: application/octet-stream
Size: 706560 bytes
Desc: not available
URL: <http://lists.ntp.org/private/security/attachments/20200229/0986fb8e/attachment.obj>