NTP Daemon decodearr Function Buffer Overflow



Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. The reference implementation ships a command-line utility, ntpq, which queries and monitors an NTP daemon using NTP control (mode 6) messages.

A stack-based buffer overflow vulnerability is reported in ntpq. Because the parsing function decodearr() does not validate the length of the values it copies, an attacker who controls the data section of a control message can overwrite stack content with attacker-controlled bytes. A successful attack could lead to arbitrary code execution with the privileges of the process running the vulnerable parser.

The format of the NTP control message is specified in RFC 1305 (Appendix B):

Leap Indicator: 2 bits
Version Number: 3 bits
Mode: 3 bits (6 for control messages)
Response Bit: 1 bit (0 for requests, 1 for responses)
Error Bit: 1 Bit
More Bit: 1 Bit
Operation Code: 5 bits
Sequence: 16 bits
Status: 16 bits
Association ID: 16 bits
Offset: 16 bits
Count: 16 bits
Data: key-value format data

The data section carries a list of key/value items; an array item has the following format, with the values separated by whitespace:

key = value1 value2 .... valueN (array of values)

When handling the data section, decodearr() copies each value into an 80-byte fixed-length buffer, a local variable allocated on the stack, without checking how many bytes it is copying. If a single value is longer than 79 bytes (as shown in the figure below), the copy runs past the end of the buffer and a typical stack overflow occurs.
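The copy pattern described above, as an added illustration that is not ntpq's own source: a simplified version of the unchecked per-value copy beside a bounded replacement, plus the length check a detector would apply to the data section. The 80-byte buffer size follows the text above; the eight-value cap, the helper names and the two sample items are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the fixed-size buffer the advisory describes; the size in
   a given ntpq build may differ. */
#define TOKEN_BUF   80
#define MAX_VALUES  8   /* assumed cap on array entries per key */

/* Vulnerable pattern: each whitespace-delimited value is copied into a fixed
   stack buffer with no length check. Illustration only: a value of TOKEN_BUF
   bytes or more writes past buf[] and corrupts the stack frame. */
static int decodearr_vulnerable(const char *str, int *narr,
                                char out[][TOKEN_BUF])
{
    const char *cp = str;
    *narr = 0;
    while (*narr < MAX_VALUES) {
        while (isspace((unsigned char)*cp)) cp++;
        if (*cp == '\0') break;
        char buf[TOKEN_BUF], *bp = buf;
        while (!isspace((unsigned char)*cp) && *cp != '\0')
            *bp++ = *cp++;               /* no bound on bp: overflow here */
        *bp = '\0';
        strcpy(out[(*narr)++], buf);
    }
    return 1;
}

/* Hardened form: measure the value first and refuse anything that would not
   fit together with its NUL terminator. Returns 1 on success, 0 on an
   oversize value; *narr is the number of values accepted so far. */
static int decodearr_safe(const char *str, int *narr, char out[][TOKEN_BUF])
{
    const char *cp = str;
    *narr = 0;
    while (*narr < MAX_VALUES) {
        while (isspace((unsigned char)*cp)) cp++;
        if (*cp == '\0') break;
        size_t len = 0;
        while (!isspace((unsigned char)cp[len]) && cp[len] != '\0') len++;
        if (len >= TOKEN_BUF) return 0;  /* would overflow: reject */
        memcpy(out[*narr], cp, len);
        out[*narr][len] = '\0';
        (*narr)++;
        cp += len;
    }
    return 1;
}

/* Returns the value list of a "key = v1 v2 ..." item (text after '=' with
   leading blanks skipped), or NULL if the item has no '='. */
static const char *value_list(const char *item)
{
    const char *eq = strchr(item, '=');
    if (eq == NULL) return NULL;
    eq++;
    while (isspace((unsigned char)*eq)) eq++;
    return eq;
}

/* Length of the longest whitespace-delimited value: the check a detector
   applies to the data section. Anything >= TOKEN_BUF triggers the overflow. */
static size_t longest_value(const char *data)
{
    size_t longest = 0, cur = 0;
    for (const char *p = data;; p++) {
        if (*p == '\0' || isspace((unsigned char)*p)) {
            if (cur > longest) longest = cur;
            cur = 0;
            if (*p == '\0') break;
        } else {
            cur++;
        }
    }
    return longest;
}

/* Parses one item with the hardened decoder; returns the value count, or -1
   when a value is oversize or the item has no '='. */
static int check_item(const char *item)
{
    char out[MAX_VALUES][TOKEN_BUF];
    int n;
    const char *vals = value_list(item);
    if (vals == NULL || !decodearr_safe(vals, &n, out)) return -1;
    return n;
}

/* Constructed sample: a key whose single value is 200 bytes, far past the
   buffer. */
static const char *oversized_item(void)
{
    static char item[256];
    memcpy(item, "filtdelay= ", 11);
    memset(item + 11, 'A', 200);
    item[211] = '\0';
    return item;
}

int main(void)
{
    const char *benign = "filtdelay= 0.98 1.02 0.97 1.10";  /* constructed */
    char out[MAX_VALUES][TOKEN_BUF];
    int n;
    decodearr_vulnerable(value_list(benign), &n, out);   /* safe: short values */
    printf("vulnerable decoder on benign item: %d values\n", n);
    printf("benign: check=%d, longest value %zu\n", check_item(benign),
           longest_value(value_list(benign)));
    printf("oversized: check=%d, longest value %zu (limit %d)\n",
           check_item(oversized_item()),
           longest_value(value_list(oversized_item())), TOKEN_BUF);
    return 0;
}
```

The bounded decoder rejects the oversized item where the original copy loop would have kept writing; the same length measurement, applied to each value in the data section of a mode 6 message, is the basis of a network-level check for this attack. Never feed the vulnerable decoder untrusted input; it is present only to make the missing bound visible.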

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow