TALOS-2016-0073
Network Time Protocol ntpq Special Character Filtering Vulnerability
Jan 19, 2016
Report IDs
CVE-2015-7976
CERT VU#357792
Summary
The ntpq saveconfig command does not adequately filter special characters from the supplied filename. Only backslash and forward slash are currently filtered out. Other special characters are still allowed in the filename, and these can cause problems during globbing.
In addition to special characters that are passed straight through to the filename, strftime() is called on format specifiers defined by the ntpq user. The %n and %t format specifiers insert a newline and a tab, respectively, into the filename. These could have unintended consequences during globbing as well.
Note that the ntpq user is required to authenticate to run this command.
Tested Versions
ntp 4.2.8p3
NTPsec aa48d001683e5b791a743ec9c575aaf7d867a2b0c
Product URLs
http://www.ntp.org
http://www.ntpsec.org/
CVSS Score
CVSSv2: 3.6 - AV:N/AC:H/Au:S/C:N/I:P/A:P
CVSSv3: 4.4 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
Details
For instance, dash can be the first character in a filename. So if the ntpq user saves the config to a file named “-rf”, an admin on the ntp server could run “rm *” in the directory holding that file and the command would really be “rm -rf *” after globbing. This is an extreme and unlikely example, but there are any number of similar issues that could occur with commands an admin would likely run with wildcards from the config directory.
Recommended Fix
The save_config() function in ntp_control.c should filter out special characters with the exception of a small number that normally get used in filenames: ._- (dot, underscore, and dash). Filenames should not be allowed to start with these special characters. Also, the %n and %t format specifiers should be disallowed to avoid whitespace in a filename. A more conservative approach would be to completely remove the call to strftime() in case there are other vulnerabilities with strftime() that could be exploited by an ntpq user.
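The following check implements the first recommendation above and is an added example, not code from ntp or NTPsec. The function name saveconfig_filename_ok() is hypothetical; it accepts only ASCII letters and digits plus dot, underscore and dash, refuses a name that begins with one of those three punctuation characters, and rejects the %n and %t specifiers (plus a bare or doubled %) before the name reaches strftime().

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical pre-strftime() filename check for ntpq saveconfig.
 * Returns 1 if the name may be used, 0 if it must be refused.
 * Allowed: ASCII letters and digits, '.', '_', '-', and "%<letter>"
 * conversions other than %n and %t (which expand to a newline/tab). */
int saveconfig_filename_ok(const char *name)
{
    size_t i, len;

    if (name == NULL || name[0] == '\0')
        return 0;

    /* A leading '.', '_' or '-' is refused so that a name such as "-rf"
     * can never be expanded into an option by a later "rm *". */
    if (name[0] == '.' || name[0] == '_' || name[0] == '-')
        return 0;

    len = strlen(name);
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (isalnum(c) || c == '.' || c == '_' || c == '-')
            continue;

        if (c == '%') {
            /* A '%' must be followed by a conversion letter other than
             * 'n' or 't'; a trailing '%' or "%%" is rejected as well.
             * Caveat: conversions such as %c or %x still expand to text
             * containing spaces, which is why the advisory's conservative
             * option is to drop the strftime() call entirely. */
            if (i + 1 >= len)
                return 0;
            c = (unsigned char)name[i + 1];
            if (!isalpha(c) || c == 'n' || c == 't')
                return 0;
            i++;            /* skip the conversion letter */
            continue;
        }

        /* Everything else (space, '*', '?', '/', '\\', quotes, ...) */
        return 0;
    }
    return 1;
}
```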
Credit
This defect was discovered by Jonathan Gardner of Cisco ASIG.
Timeline
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release