Talos Vulnerability Report
Network Time Protocol ntpq Special Character Filtering Vulnerability
January 19, 2016
The ntpq saveconfig command does not adequately filter special characters from the supplied filename. Only the backslash and forward slash are currently rejected; every other special character is passed straight through into the filename, where it can cause problems later when the file is matched by shell globbing.
In addition to the characters passed straight through, the supplied name is run through strftime(), so any format specifier the ntpq user includes is expanded into the filename. The %n and %t specifiers insert a newline and a tab, respectively, which can likewise have unintended consequences during globbing.
Note that the ntpq user must authenticate before it can run this command.
CVSSv2: 3.6 - AV:N/AC:H/Au:S/C:N/I:P/A:P
CVSSv3: 4.4 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
For instance, a dash can be the first character of a filename. If the ntpq user saves the config to a file named "-rf" and an admin later runs "rm *" in the directory holding that file, the shell expands the wildcard so that the command actually executed is "rm -rf *". (Writing "rm -- *" or "rm ./*" would avoid this particular case, but not every command takes "--", and admins rarely type it.) This is an extreme and unlikely example, but any number of similar issues can arise with commands an admin would plausibly run with wildcards from the config directory.
The save_config() function in ntp_control.c should reject all special characters except the small set normally used in filenames: ._- (dot, underscore and dash). A filename should also not be allowed to begin with any of these characters. The %n and %t format specifiers should be disallowed so that whitespace can never reach the filename. A more conservative fix would remove the strftime() call entirely, eliminating any other strftime() issue an ntpq user might be able to trigger.
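As an added example, not code from Cisco Talos or from the NTP project, the following C model shows both halves of the problem described above: the strftime() expansion of a user-supplied name, and a filename check written to the recommendation just given. The function names (old_check, expand_name, has_whitespace_specifier, safe_name, accept_saveconfig, checked_name), the fixed timestamp and the sample requests are all assumptions for illustration; they are not ntpd's actual save_config() logic.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Model of the pre-fix filter: only the two path separators are rejected,
   so names such as "-rf", "*" or "a b" pass. (Illustrative, not ntpd's code.) */
bool old_check(const char *name)
{
    return strchr(name, '/') == NULL && strchr(name, '\\') == NULL;
}

/* Expand the requested name with strftime(), as the advisory says ntpd does.
   A fixed time (2016-01-19 12:00:00) is used so results are reproducible. */
bool expand_name(const char *req, char *out, size_t outlen)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = 116;   /* years since 1900 */
    t.tm_mon  = 0;     /* January */
    t.tm_mday = 19;
    t.tm_hour = 12;
    /* strftime() returns 0 if the result is empty or does not fit. */
    return strftime(out, outlen, req, &t) > 0;
}

/* Pre-expansion check for the two specifiers the advisory singles out:
   %n (newline) and %t (tab). "%%" is a literal percent and is skipped. */
bool has_whitespace_specifier(const char *req)
{
    for (const char *p = req; *p; p++) {
        if (*p == '%' && p[1] != '\0') {
            if (p[1] == 'n' || p[1] == 't')
                return true;
            p++;   /* skip the conversion character (also handles "%%") */
        }
    }
    return false;
}

/* Post-expansion allow-list per the recommendation: alphanumerics plus
   '.', '_' and '-' only, and the first character must be alphanumeric.
   This rejects leading dashes (option injection), leading dots (hidden
   files), whitespace, and glob metacharacters such as '*' and '?'. */
bool safe_name(const char *name)
{
    if (name[0] == '\0' || !isalnum((unsigned char)name[0]))
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    return true;
}

/* Full decision: reject whitespace specifiers, expand, then allow-list
   the final name. Returns true and fills `out` only on acceptance. */
bool accept_saveconfig(const char *req, char *out, size_t outlen)
{
    if (has_whitespace_specifier(req))
        return false;
    if (!expand_name(req, out, outlen))
        return false;
    return safe_name(out);
}

/* Convenience wrapper returning the accepted name from a static buffer,
   or NULL if the request is rejected. */
const char *checked_name(const char *req)
{
    static char buf[256];
    return accept_saveconfig(req, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample requests: the first five pass the old filter
       and are rejected by the hardened one; the last two are accepted. */
    const char *requests[] = { "-rf", "*", ".hidden", "cfg%n", "cfg %Y",
                               "cfg-%Y%m%d", "ntp.conf.bak" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        const char *r = requests[i];
        const char *n = checked_name(r);
        printf("%-14s old_check=%d  hardened=%s\n", r, old_check(r),
               n ? n : "REJECTED");
    }
    return 0;
}
```

The post-expansion allow-list is the check that actually matters: it catches the newline or tab a %n or %t would produce, the literal "%n" that "%%n" expands to, and glob metacharacters alike. The pre-expansion check is belt and braces, and dropping expand_name() altogether is the conservative option the advisory mentions.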
This defect was discovered by Jonathan Gardner of Cisco ASIG.
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release