Talos Vulnerability Report
Network Time Protocol Private Mode 'reslist' NULL Pointer Dereference Vulnerability
January 19, 2016
An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by causing a NULL pointer dereference.
The following conditions must be met: 1. Mode 7 must be enabled. By default, mode 7 is disabled. 2. A large enough number of entries must exist in the restrict list to cause seqno to be equal to MAXSEQ
The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large to fit into a single packet, the results will be split across a sequence of packets. The reslist command does not require authentication.
The functions that return the results (list_restrict4() and list_restrict6()) do not correctly handle the case where the number of packets required is greater than the maximum value of the response packet sequence number resulting in a NULL pointer dereference.
In the event that seqno is equal to MAXSEQ and more_pkt() returns NULL the return value should be checked and ntpd should fail gracefully.
The root cause of the crash is a segmentation violation caused by a NULL pointer dereference in list_restrict4() or list_restrict6().
The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse.
After recursing to the end of the list, the value pointed to by ppir is assigned the result of more_pkt(). Within more_pkt(), if databytes + itemsize > RESP_DATA_SIZE and seqno == MAXSEQ then NULL is returned and assigned to *ppir. The pointer pir is then assigned *ppir and dereferenced, resulting in a segmentation violation.
Implications of the defect:
An attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the “restrict source” mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.
Check the return value of more_pkt(), and if it is NULL, fail gracefully. The more_pkt() function is used in several places, and the value should be checked at each invocation.
CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
This defect was discovered by Stephen Gray of Cisco ASIG.
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release