Security News

NTP Daemon decodearr Function Buffer Overflow

By

Description

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP’s has a native application implementation, ntpq, which can be accessed from command line.

A stack overflow vulnerability is reported in ntpq. Because the request parse function decodearr() failed to validate the size of request parameters, an attacker could overwrite the stack content with controllable content. A successful attack could lead to an arbitrary code execution on the target server with the privilege of the service application.

The format of the NTP message data has been specified in rfc1305:

Leap Indicator: 2 bits
Version Number: 3 bits
Mode: 3 bits Message Mode
Response Bit: 1 Bit (0x0/0x01 for requests/responses)
Error Bit: 1 Bit
More Bit: 1 Bit
Operation Code: 5 bits
Sequence: 16 bits
Status: 16 bits
Association ID: 16 bits
Offset: 16 bits
Count: 16 bits
Data: key-value format data

The data section is represented in the following format:

key = value1 value2 .... valueN (array of values)

When handling the request’s data section, the function decodearr() used a 80 bytes fixed length buffer, which is a local variable allocated in stack. If the request is longer than 79 bytes (as shown in the figure below), a typical stack overflow will occur.

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Cyber Security News & Trends – 05-17-19
Android Banking Trojan targets Korean users (June 30, 2014)
Hotel Reservation spam campaign leads to Trustezeb Trojan (Feb 17, 2012)
Fake document file installs Adobe Flash Update with a Cryptominer
Dyre.E: New Variant of Dyre Trojan Spreads Upatre Malware
Blackfriday brings malicious apps to the Android ecosystem
Spam containing Cridex Banking Trojan on the rise (July 13,2012)
Cashandler.A: New variant family of InfoStealer Trojan actively spreading in the wild.