Talos Vulnerability Report

TALOS-2016-0073

Network Time Protocol ntpq Special Character Filtering Vulnerability

January 19, 2016

Report IDs

CVE-2015-7976
CERT VU#357792

Summary

The ntpq saveconfig command does not perform adequate filtering of special characters in the supplied filename. Only backslash and forward slash are currently filtered out. Other special characters are still allowed in the filename, and these can cause problems during globbing.

In addition to special characters that are passed straight through to the filename, strftime() is called on format specifiers defined by the ntpq user. The %n and %t format specifiers insert a newline and a tab, respectively, into the filename. These could have unintended consequences during globbing as well.

Note that the ntpq user is required to authenticate to run this command.

Tested Versions

ntp 4.2.8p3
NTPsec aa48d001683e5b791a743ec9c575aaf7d867a2b0c

Product URLs

http://www.ntp.org
http://www.ntpsec.org/

CVSS Score

CVSSv2: 3.6 - AV:N/AC:H/Au:S/C:N/I:P/A:P
CVSSv3: 4.4 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Details

For instance, dash can be the first character in a filename. So if the ntpq user saves the config to a file named “-rf”, an admin on the ntp server could run “rm *” in the directory holding that file and the command would really be “rm -rf *” after globbing. This is an extreme and unlikely example, but there are any number of similar issues that could occur with commands an admin would likely run with wildcards from the config directory.

The save_config() function in ntp_control.c should filter out special characters with the exception of a small number that normally get used in filenames: ._- (dot, underscore, and dash). Filenames should not be allowed to start with these special characters. Also, the %n and %t format specifiers should be disallowed to avoid whitespace in a filename. A more conservative approach would be to completely remove the call to strftime() in case there are other vulnerabilities with strftime() that could be exploited by an ntpq user.
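The filtering policy recommended above, written out as a hypothetical validator (an added example, not ntp's own save_config() code): it allows only alphanumerics plus dot, underscore and dash, rejects a leading special character, and either refuses %n/%t or refuses every strftime() conversion, depending on the caller's choice.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical validator for the ntpq saveconfig filename (added example,
 * not ntp's own code). Returns 1 if 'name' is acceptable, 0 otherwise:
 *   - only [A-Za-z0-9], '.', '_' and '-' are allowed as plain characters;
 *   - the first character may not be '.', '_' or '-';
 *   - with allow_strftime != 0, '%' may only introduce a letter
 *     conversion and never %n or %t (newline, tab);
 *   - with allow_strftime == 0, '%' is rejected outright (the conservative
 *     option of not calling strftime() at all).
 */
int saveconfig_name_ok(const char *name, int allow_strftime)
{
    size_t i, len;

    if (name == NULL || (len = strlen(name)) == 0)
        return 0;
    if (name[0] == '.' || name[0] == '_' || name[0] == '-')
        return 0;        /* "-rf" or a hidden ".file" must not be created */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '%') {
            unsigned char spec;

            if (!allow_strftime || i + 1 >= len)
                return 0;                         /* bare or trailing '%' */
            spec = (unsigned char)name[i + 1];
            if (spec == 'n' || spec == 't' || !isalpha(spec))
                return 0;                         /* whitespace or unknown */
            i++;                                  /* skip conversion letter */
            continue;
        }
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;    /* '/', '\\', '*', '?', ' ', '\n', non-ASCII, ... */
    }
    return 1;
}
```

Because some conversions such as %c expand to text containing spaces and colons, a caller that keeps strftime() should run the expanded string through the same check again with allow_strftime set to 0 before opening the file.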

Credit

This defect was discovered by Jonathan Gardner of Cisco ASIG.

Timeline

2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release