TALOS-2016-0072
Network Time Protocol ntpq Buffer Overflow Vulnerability
Jan 19, 2016
Report IDs
CVE-2015-7975
CERT VU#357792
Summary
ntpq contains a buffer overflow. nextvar() executes a memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes.
Tested Versions
ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92
Product URLs
http://www.ntp.org
http://www.ntpsec.org/
CVSS Score
CVSSv2: 3.7 - AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: 5.6 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Details
This can be exploited by the following call to the addvar command in ntpq:
ntpq -c "addvar iiii<500 more i's>"
The argument will be truncated to 503 bytes, but name is only 256 bytes. As long as no spaces, commas, equal signs or carriage returns are in the argument, the entire 503 bytes will be memcpy()'d into name. Several other functions call nextvar(), so the same type of overflow can be reached through them as well.
When reproducing this, the system's buffer overflow protection scheme (e.g. FORTIFY_SOURCE) can affect whether an actual error is observed.
This could be exploited by a malicious user in a context wherein ntpq is run by another script that reads variable names from an untrusted source such as a user or environment variable.
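The following is an added example, not code from ntpq or NTPsec: a hypothetical bounded replacement for the unchecked memcpy() described above. It tokenises a variable list on the delimiters the advisory names (spaces, commas, equal signs, carriage returns), rejects any name that would not fit in a 256-byte buffer instead of copying it, and uses a helper that builds a token of repeated 'i' characters so the 503-byte case can be checked against the 256-byte limit. The function names, the ARG_MAXLEN clamp and the handling of '=' values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constants from the advisory: the name buffer is 256 bytes and the
 * ntpq command line is truncated to 503 bytes. */
#define NAME_BUFSZ   256
#define ARG_MAXLEN   503

/* Characters that end a variable name (spaces, commas, equal signs,
 * carriage returns). A name is also terminated by NUL. */
static bool is_name_end(char c)
{
    return c == ' ' || c == ',' || c == '=' || c == '\r' || c == '\n' || c == '\0';
}

/* Hypothetical hardened variant of the copy in nextvar(): copies the next
 * variable name from *datap into name (capacity namesz).
 * Returns 1 when a name was copied, 0 when the input is exhausted, and -1
 * when the token is too long for the buffer (the overflow case, now rejected).
 * *datap is advanced past the token in all cases. */
int nextvar_checked(const char **datap, char *name, size_t namesz)
{
    const char *cp = *datap;

    while (*cp == ' ' || *cp == ',')        /* skip leading separators */
        cp++;
    if (*cp == '\0') {
        *datap = cp;
        return 0;
    }

    const char *start = cp;
    while (!is_name_end(*cp))
        cp++;
    size_t len = (size_t)(cp - start);

    /* Skip a trailing "=value" up to the next comma so the caller can keep
     * tokenising; value parsing is out of scope for this example. */
    if (*cp == '=')
        while (*cp != ',' && *cp != '\0')
            cp++;
    *datap = cp;

    if (len >= namesz)                       /* no room for name + NUL */
        return -1;
    memcpy(name, start, len);                /* bounded copy */
    name[len] = '\0';
    return 1;
}

/* Build the advisory's shape of input (a token of n repeated 'i' characters,
 * clamped to the 503-byte command-line limit) and return the
 * nextvar_checked() status for it. */
int check_repeated_token(size_t n)
{
    if (n > ARG_MAXLEN)
        n = ARG_MAXLEN;
    char arg[ARG_MAXLEN + 1];
    memset(arg, 'i', n);
    arg[n] = '\0';

    char name[NAME_BUFSZ];
    const char *p = arg;
    return nextvar_checked(&p, name, sizeof name);
}

/* Count well-formed names in a comma-separated variable list; returns -1
 * if any token would have overflowed the name buffer. */
int count_vars(const char *line)
{
    char name[NAME_BUFSZ];
    const char *p = line;
    int n = 0, rc;
    while ((rc = nextvar_checked(&p, name, sizeof name)) != 0) {
        if (rc < 0)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    printf("255 x 'i': %d\n", check_repeated_token(255));   /* fits     */
    printf("503 x 'i': %d\n", check_repeated_token(503));   /* rejected */
    printf("names in \"version,system=x,leap\": %d\n",
           count_vars("version,system=x,leap"));
    return 0;
}
```

The essential change is the single comparison of the token length against the destination capacity before the memcpy(); the original, as the advisory describes, copies whatever lies between delimiters regardless of the 256-byte limit. A script that passes untrusted names to ntpq gains nothing from this check unless ntpq itself is patched, so the practical mitigation is to update ntp/NTPsec and to avoid feeding unvalidated variable names to addvar in the meantime.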
Credit
This defect was discovered by Jonathan Gardner of Cisco ASIG.
Timeline
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release