Talos Vulnerability Report

TALOS-2015-0064

Network Time Protocol Reference Clock Memory Corruption Vulnerability

Oct 21, 2015
Description

A potential buffer overflow vulnerability exists in the refclock of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow potentially resulting in memory being modified. A malicious reflock could provide a negative length to trigger this vulnerability.

Tested Versions

ntp 4.2.8p2

Product URLs

http://www.ntp.org

Details

At line 3233 in ntp_io.c, a size check is performed to ensure that the length provided isn’t greater than the space available in the buffer that is being written to.

3233	i = (rp->datalen == 0
3234	|| rp->datalen > (int)sizeof(rb->recv_space))
3235	? (int)sizeof(rb->recv_space)
3236	: rp->datalen;
3237	do {
3238		buflen = read(fd, (char *)&rb->recv_space, (u_int)i);
3239	} while (buflen < 0 && EINTR == errno);

However, the size is performed by casting the size of the buffer to an integer type and doing an integer comparison. This means that if datalen is negative, then i will be assigned a negative value, resulting in a buffer overflow when it is used as an argument to read at line 3238.

Credit

Discovered by Yves Younan of Cisco Talos.