Talos Vulnerability Report
Network Time Protocol ntpq Buffer Overflow Vulnerability
January 19, 2016
ntpq contains a buffer overflow. nextvar() executes a memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes.
CVSSv2: 3.7 - AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: 5.6 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
This can be exploited by the following call to the addvar command in ntpq:
ntpq -c "addvar iiii<500 more i's>"
The argument will be truncated to 503 bytes, but name is only 256 bytes. As long as no spaces, commas, equal signs or carriage returns are in the argument, the entire 503 bytes will be memcpy()’d in to name. There are several other functions that call nextvar() which could be used for the same type of exploit.
For the purpose of reproducing this, the system’s buffer overflow protection scheme (e.g. fortify source) could affect whether an actual error is seen.
This could be exploited by a malicious user in a context wherein ntpq is run by another script that reads variable names from an untrusted source such as a user or environment variable.
This defect was discovered by Jonathan Gardner of Cisco ASIG.
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release