Vigil@nce: NTP.org, buffer overflow of ntpq
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A malicious NTP server can generate an overflow in the ntpq client.
Severity: 2/4
Consequences: user access/rights, denial of service of client
Provenance: intranet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 14/04/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Linux
– Mandriva Multi Network Firewall
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The ntpq program queries an NTP server to monitor the behaviour of
the ntpd daemon or to obtain information about its peers.
The cookedprint() function of the NTP.org:ntpq/ntpq.c file formats
and displays the variables returned by the queried server. However,
this function uses sprintf() to write server-supplied data into a
fixed-size buffer without checking that the data fits. When the
returned value is long enough, the write exceeds the buffer by two
bytes.
A malicious NTP server queried by ntpq can therefore return an
overlong value in order to generate an overflow in ntpq. This
overflow leads to a denial of service of the client, and may lead to
code execution with the rights of the user running ntpq. The server
does not need to be the victim's configured time source: it only
needs to be the host that ntpq is asked to query.
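The following C program is an added illustration of the vulnerable
pattern described above, placed beside a bounded replacement. It is
not ntpq's code: the buffer size (400 bytes), the function names, the
'?' marker byte and the sample values are assumptions chosen so that a
value of 400 characters plus a marker and the terminating NUL exceeds
the buffer by exactly two bytes, mirroring the advisory. The unsafe
variant is exercised against a heap region with guard bytes so the
overrun can be measured without corrupting anything else.

```c
/*
 * Added illustration, not ntpq's own code.  Buffer size, names and
 * sample inputs are assumptions made for the demonstration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE   400   /* assumed size of the fixed formatting buffer */
#define GUARD_SIZE 8     /* canary bytes placed after it for measurement */
#define GUARD_BYTE 0xAA

/* Vulnerable pattern: assumes value + marker + NUL fits in BUF_SIZE. */
static void format_value_unsafe(char *bv, const char *value, char marker)
{
    /* writes strlen(value) + 2 bytes no matter how large bv really is */
    sprintf(bv, "%s%c", value, marker);
}

/* Hardened pattern: bounded write, reject rather than truncate silently.
 * Returns 0 on success, -1 if the formatted text would not fit. */
static int format_value_safe(char *bv, size_t bvsz,
                             const char *value, char marker)
{
    int n = snprintf(bv, bvsz, "%s%c", value, marker);
    if (n < 0 || (size_t)n >= bvsz) {
        if (bvsz)
            bv[0] = '\0';
        return -1;
    }
    return 0;
}

/* Feeds a value of value_len 'A' characters to the unsafe formatter and
 * returns how many guard bytes past BUF_SIZE were overwritten.  The
 * buffer and guard live in one malloc'd block, so the overrun stays
 * inside the allocation and is observable without undefined behaviour. */
int unsafe_overflow_bytes(size_t value_len)
{
    char *value = malloc(value_len + 1);
    unsigned char *region = malloc(BUF_SIZE + GUARD_SIZE);
    int clobbered = 0;

    if (!value || !region) {
        free(value);
        free(region);
        return -1;
    }
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    memset(region, GUARD_BYTE, BUF_SIZE + GUARD_SIZE);

    format_value_unsafe((char *)region, value, '?');

    for (int i = 0; i < GUARD_SIZE; i++)
        if (region[BUF_SIZE + i] != GUARD_BYTE)
            clobbered++;

    free(value);
    free(region);
    return clobbered;
}

/* Feeds the same kind of value to the bounded formatter using a real
 * BUF_SIZE stack buffer; returns 0 if accepted, -1 if rejected. */
int safe_result(size_t value_len)
{
    char *value = malloc(value_len + 1);
    char bv[BUF_SIZE];
    int rc;

    if (!value)
        return -2;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    rc = format_value_safe(bv, sizeof bv, value, '?');
    free(value);
    return rc;
}

int main(void)
{
    /* 398 chars + marker + NUL = 400 bytes: fits exactly */
    printf("398-char value: unsafe clobbers %d guard bytes, safe rc=%d\n",
           unsafe_overflow_bytes(398), safe_result(398));
    /* 400 chars + marker + NUL = 402 bytes: two bytes past the buffer */
    printf("400-char value: unsafe clobbers %d guard bytes, safe rc=%d\n",
           unsafe_overflow_bytes(400), safe_result(400));
    return 0;
}
```

The point of the bounded variant is the check on snprintf()'s return
value: snprintf() alone prevents the write from overrunning, but a
value that reports success while silently dropping the marker byte
would still mislead the operator, so an oversized server response is
rejected outright.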
CHARACTERISTICS
Identifiers: BID-34481, CVE-2009-0159, MDVSA-2009:092,
VIGILANCE-VUL-8624
http://vigilance.fr/vulnerability/NTP-org-buffer-overflow-of-ntpq-8624