Network Time Protocol Daemon (NTPD) DoS Vulnerability (Dec 2, 2016)
The Network Time Protocol daemon (NTPD) is prone to a denial-of-service (DoS) vulnerability, CVE-2016-7434. A remote, authenticated attacker can exploit this vulnerability by sending a crafted packet to the target service. A successful attack could cause the NTPD service to crash.
The NTP protocol is designed to synchronize the clocks of computers over a network. It is maintained by ntp.org, and widely used in server operating systems, routers and infrastructure devices.
To support routine NTP control and monitoring functions in network-management environments, the protocol defines the NTP control message. It has the following format:
- NTP Control Message header
  - Version Number: 3-bit integer indicating the NTP version number, currently 3.
  - Mode: 3-bit integer indicating the mode. It must have the value 6, indicating an NTP control message.
  - Response Bit: Set to zero for commands, one for responses.
  - Error Bit: Set to zero for a normal response, one for an error response.
  - More Bit: Set to zero for the last fragment, one for all others.
  - Operation Code: 5-bit integer specifying the command function.
  - Sequence: 16-bit sequence number of the command or response.
  - Status: 16-bit status of the system.
  - Association ID: 16-bit ID of a valid association.
  - Offset: 16-bit offset of the first byte in the Data field (must be 0x0 for requests).
  - Count: 16-bit length of the Data field (N).
- Data: Message data for the command or response.
- Padding: Zero padding.
- Authenticator: Optional authenticator information.
The operation code is a 5-bit integer with the following defined values:
0 = reserved
1 = read status command/response
2 = read variables command/response
3 = write variables command/response
4 = read clock variables command/response
5 = write clock variables command/response
6 = set trap address/port command/response
7 = trap response
8-31 = reserved
The vulnerability is triggered by one specific message type, the "MRU List" request. When the opcode is set to 0x0A, the Data section is expected to be in key-value format carrying the parameters of the request.
When handling such a request, the function read_mru_list() is called to parse the key-value Data section. Inside it, the helper ctl_getitem() is called to fetch the value for each key; if the key has no value, ctl_getitem() returns NULL.
read_mru_list(), however, assigns that return value to a char* pointer without checking it and passes the pointer on to other functions as a parameter. The resulting NULL pointer dereference crashes the service.
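As an added example (not SonicWall's signature logic or ntpd's code), the parser below decodes the control message header laid out above and flags MRU-list requests that carry a key without a value, the condition the text identifies as the crash trigger; it assumes the RFC 1305 Appendix B bit layout, and the two sample packets are constructed, not captured.

```python
import struct

NTP_MODE_CONTROL = 6    # mode 6 = NTP control message
CTL_OP_READ_MRU = 0x0A  # "MRU List" request opcode named above
HEADER_LEN = 12         # two flag bytes + five 16-bit fields

def parse_control_message(pkt: bytes) -> dict:
    """Split a mode-6 control message into header fields plus its Data section."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than a control message header")
    b0, b1, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", pkt[:HEADER_LEN])
    msg = {"version": (b0 >> 3) & 0x7, "mode": b0 & 0x7,
           "response": bool(b1 & 0x80), "error": bool(b1 & 0x40),
           "more": bool(b1 & 0x20), "opcode": b1 & 0x1F,
           "sequence": seq, "status": status, "assoc_id": assoc,
           "offset": offset, "count": count}
    if msg["mode"] != NTP_MODE_CONTROL:
        raise ValueError("not an NTP control message (mode != 6)")
    data = pkt[HEADER_LEN:HEADER_LEN + count]
    if len(data) != count:
        raise ValueError("Count field runs past the end of the packet")
    msg["data"] = data
    return msg

def parse_kv_data(data: bytes) -> list:
    """Comma-separated key=value items; a key sent without '=' gets value None."""
    items = []
    for field in data.decode("ascii", errors="replace").split(","):
        if field.strip():
            key, sep, value = field.strip().partition("=")
            items.append((key.strip(), value.strip() if sep else None))
    return items

def bare_mru_keys(pkt: bytes) -> list:
    """Keys with no value in an MRU-list request: the condition described
    above as making ctl_getitem() return NULL, so a non-empty result merits an alert."""
    msg = parse_control_message(pkt)
    if msg["response"] or msg["opcode"] != CTL_OP_READ_MRU:
        return []
    return [k for k, v in parse_kv_data(msg["data"]) if v is None]

# Constructed samples (hypothetical, not captured traffic): version 3, mode 6,
# opcode 0x0A, sequence 1, status/assoc/offset 0, Count = Data length.
SAMPLE_OK = bytes.fromhex("1e0a00010000000000000020") + b"nonce=0123456789abcdef, frags=32"
SAMPLE_BARE = bytes.fromhex("1e0a0001000000000000001d") + b"nonce=0123456789abcdef, frags"
```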
A PoC exploit is already in the wild at http://dumpco.re/cve-2016-7434/. The official patch is included in the ntp-4.2.8p9 update.
SonicWALL provides protection against this threat via the following signatures:
- 12506 EXPLOIT Network Time Protocol Daemon read_mru_list Denial of Service