Bug 490617 (CVE-2009-0159) - CVE-2009-0159 ntp: buffer overflow in ntpq
Summary: CVE-2009-0159 ntp: buffer overflow in ntpq
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20090312,pu...
Depends On: 500781 500782 500783 500784 532641
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-17 10:44 UTC by Tomas Hoger
Modified: 2019-06-08 12:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-14 09:31:00 UTC


Attachments (Terms of Use)
Patch proposed by Apple (396 bytes, patch)
2009-03-17 10:45 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1039 normal SHIPPED_LIVE Important: ntp security update 2009-05-18 20:35:07 UTC
Red Hat Product Errata RHSA-2009:1040 normal SHIPPED_LIVE Critical: ntp security update 2009-05-18 20:53:21 UTC
Red Hat Product Errata RHSA-2009:1651 normal SHIPPED_LIVE Moderate: ntp security update 2009-12-08 19:50:43 UTC

Description Tomas Hoger 2009-03-17 10:44:46 UTC
Apple Security Team reported a stack buffer overflow exists in the ntpq program.  When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution.

Problem exists in cookedprint() function in ntpq.c, when server-supplied numeric value is sprintf-ed to the buffer that is not large enough to hold string representation of the maximum possible value.

Comment 1 Tomas Hoger 2009-03-17 10:45:25 UTC
Created attachment 335503 [details]
Patch proposed by Apple

Comment 2 Tomas Hoger 2009-03-17 11:02:12 UTC
This issue only affects ntpq diagnostic tool, not the NTP server.  Overflow can be triggered by malicious server being queried using ntpq, or if attacker is able to control communication channel between ntpq and the NTP server, and hence spoof malicious replies for queries to trusted NTP server.  Queries to trusted server using untrusted NTP peer are not affected.

Affected code is only reached when ntpq is using "cooked" output mode (which is default).  Always using "raw" output mode mitigates this problem.

The overflow itself is limited to 2 bytes (due to the maximum possible value that ntpq can read to uval) - one byte is an ascii representation of the attacker-controlled octal value '0' - '7', followed by a NULL byte.

ntpq is most commonly used to query ntpd running on the local machine (hence trusted).  localhost is the default host it queries unless some other host was explicitly specified.  Default ntpd server configuration only allows ntpq queries from localhosts too.

On Red Hat Enterprise Linux 5 and later (including current Fedora versions), this overflow is caught by _FORTIFY_SOURCE, causing ntpq to abort instead of overflowing the buffer.  For those versions, this is not a security flaw.

Comment 5 Tomas Hoger 2009-03-31 06:45:32 UTC
Upstream bug report:
  https://support.ntp.org/bugs/show_bug.cgi?id=1144

Comment 7 Tomas Hoger 2009-04-03 13:52:28 UTC
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.

Comment 8 Tomas Hoger 2009-04-09 10:11:01 UTC
Public now, fixed upstream in 4.2.4p7-RC2:
  https://support.ntp.org/bugs/show_bug.cgi?id=1144
  http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565

Comment 10 errata-xmlrpc 2009-05-18 20:35:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html

Comment 11 errata-xmlrpc 2009-05-18 20:54:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html

Comment 12 Fedora Update System 2009-05-19 16:22:24 UTC
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9

Comment 13 Fedora Update System 2009-05-19 16:23:15 UTC
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10

Comment 14 Fedora Update System 2009-05-30 02:28:06 UTC
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-05-30 02:32:55 UTC
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2009-12-08 19:50:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1651 https://rhn.redhat.com/errata/RHSA-2009-1651.html


Note You need to log in before you can comment on or make changes to this bug.