Talos Vulnerability Report

TALOS-2015-0063

Network Time Protocol ntpq atoascii Memory Corruption Vulnerability

Oct 21, 2015
Description

A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds.

Tested Versions

ntp 4.2.8p2

Product URLs

http://www.ntp.org

Details

At line 3330 in ntpq.c, the atoascii function will be called to transform data into printable ascii (i.e. characters below 127):

atoascii( value, MAXVALLEN, bv, sizeof(bv));
	if (output_raw != '*') {
		len = strlen(bv);
		bv[len] = output_raw;
		bv[len+1] = '\0';
	}

The function atoascii won’t write more than sizeof(bv) bytes into bv and will ensure NULL termination if it runs out of space in bv. Depending on the specific character in the value parameter, it will write between 1 and 2 characters to bv. If bv is filled in atoascii, it will be NULL terminated at its final byte. This means that len = strlen(bv) will return the size of the buffer-1. Accessing the buffer via len will overwrite the NULL byte with output_raw. However if the buffer is full because it ran out of space during the atoascii function, then len+1 will equal 4096, resulting in an off by on the buffer.

Credit

Discovered by Yves Younan and Aleksander Nikolich of Cisco Talos.