Talos Vulnerability Report

TALOS-2016-0072

Network Time Protocol ntpq Buffer Overflow Vulnerability

January 19, 2016

Report IDs

CVE-2015-7975
CERT VU#357792

Summary

ntpq contains a buffer overflow. nextvar() copies a variable name into the fixed-size name buffer with memcpy() without checking the copied length against the buffer's capacity of 256 bytes.

Tested Versions

ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92

Product URLs

http://www.ntp.org
http://www.ntpsec.org/

CVSS Score

CVSSv2: 3.7 - AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: 5.6 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Details

This can be exploited by the following call to the addvar command in ntpq:

	ntpq -c "addvar iiii<500 more i's>"

The argument will be truncated to 503 bytes, but name is only 256 bytes. As long as the argument contains no spaces, commas, equal signs or carriage returns (the delimiters at which nextvar() stops scanning), all 503 bytes are memcpy()'d into name. Several other ntpq functions call nextvar() and can be reached with the same kind of input.

When reproducing this, the system's buffer overflow protection (e.g. _FORTIFY_SOURCE, which replaces memcpy() with a bounds-checked variant that aborts on an oversized copy) may determine whether a visible error is produced or the overflow corrupts memory silently.

This could be exploited by a malicious user wherever ntpq is run by another script that reads variable names from an untrusted source, such as user input or an environment variable.
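The following is an added example, not ntp or NTPsec source: a simplified model of the nextvar() token copy described above. It scans a variable name up to the next space, comma, equal sign or carriage return, shows the unchecked memcpy() into a 256-byte buffer beside a hardened version that rejects names that do not fit, and feeds both the report's 503-byte addvar argument. The names NAME_MAX, scan_name_len(), nextvar_vulnerable(), nextvar_hardened() and check_addvar_argument() are this example's own and do not correspond to identifiers in ntpq.

```c
/*
 * Added example (not ntp/NTPsec code): a model of the ntpq nextvar()
 * token copy from TALOS-2016-0072.  A variable name runs until a space,
 * comma, '=' or carriage return.  The vulnerable form copies the whole
 * run into a fixed 256-byte buffer; the hardened form refuses runs that
 * would not fit.  All identifiers here are the example's own assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 256   /* size of the name buffer in the report */

/* Length of the name token at s: stops at ' ', ',', '=', '\r' or NUL. */
static size_t scan_name_len(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && s[n] != ' ' && s[n] != ',' &&
           s[n] != '=' && s[n] != '\r')
        n++;
    return n;
}

/* Vulnerable pattern: the token length is never compared with NAME_MAX.
 * A token of 256 bytes or more writes past the end of name (undefined
 * behaviour), which is the defect the report describes.  Only ever call
 * this with short, trusted input. */
static size_t nextvar_vulnerable(const char *src, char name[NAME_MAX])
{
    size_t n = scan_name_len(src);
    memcpy(name, src, n);       /* no check of n against NAME_MAX */
    name[n] = '\0';
    return n;
}

/* Hardened pattern: reject a token that would overflow the buffer or
 * leave no room for the terminating NUL.  Returns the copied length,
 * or -1 when the name is too long. */
static int nextvar_hardened(const char *src, char name[NAME_MAX])
{
    size_t n = scan_name_len(src);
    if (n >= NAME_MAX)
        return -1;
    memcpy(name, src, n);
    name[n] = '\0';
    return (int)n;
}

/* Build a constructed addvar argument of `repeat` 'i' characters (the
 * report uses 503) and run it through the hardened copy. */
static int check_addvar_argument(size_t repeat)
{
    char arg[1024];
    char name[NAME_MAX];
    if (repeat >= sizeof arg)
        return -2;              /* outside what this demo models */
    memset(arg, 'i', repeat);
    arg[repeat] = '\0';
    return nextvar_hardened(arg, name);
}

int main(void)
{
    char name[NAME_MAX];

    /* A short, delimited name is handled identically by both versions. */
    printf("vulnerable copy of \"stratum=2\": %zu\n",
           nextvar_vulnerable("stratum=2", name));    /* 7 */
    printf("hardened copy of \"stratum=2\": %d\n",
           nextvar_hardened("stratum=2", name));      /* 7 */

    /* The report's 503-byte argument: 255 bytes still fit, 503 do not.
     * nextvar_vulnerable() would overflow name on the long input, so it
     * is deliberately not called with it here. */
    printf("hardened copy of 255 x 'i': %d\n", check_addvar_argument(255)); /* 255 */
    printf("hardened copy of 503 x 'i': %d\n", check_addvar_argument(503)); /* -1 */
    return 0;
}
```

The hardened check uses `n >= NAME_MAX` rather than `n > NAME_MAX` because the copy is followed by a NUL terminator; an off-by-one here would reintroduce a single-byte overflow. In the real ntpq the same outcome could also be reached by passing an explicit bound to the copy, but the essential fix is that the scanned length is compared with the destination size before any byte is written.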

Credit

This defect was discovered by Jonathan Gardner of Cisco ASIG.

Timeline

2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release