Bug 490617 - CVE-2009-0159 ntp: buffer overflow in ntpq
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: source=vendorsec,reported=20090312,pu...
Keywords: Security
Depends On: 500781 500782 500783 500784 532641
Reported: 2009-03-17 06:44 EDT by Tomas Hoger
Modified: 2014-11-11 11:00 EST (History)
CC: 5 users

Doc Type: Bug Fix
Last Closed: 2009-12-14 04:31:00 EST

Attachments
Patch proposed by Apple (396 bytes, patch), 2009-03-17 06:45 EDT, Tomas Hoger
Description Tomas Hoger 2009-03-17 06:44:46 EDT
Apple Security Team reported a stack buffer overflow exists in the ntpq program.  When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution.

The problem exists in the cookedprint() function in ntpq.c, when a server-supplied numeric value is sprintf-ed into a buffer that is not large enough to hold the string representation of the maximum possible value.
Comment 1 Tomas Hoger 2009-03-17 06:45:25 EDT
Created attachment 335503 [details]
Patch proposed by Apple
Comment 2 Tomas Hoger 2009-03-17 07:02:12 EDT
This issue only affects the ntpq diagnostic tool, not the NTP server.  The overflow can be triggered by a malicious server being queried using ntpq, or if an attacker is able to control the communication channel between ntpq and the NTP server, and hence spoof malicious replies to queries sent to a trusted NTP server.  Queries to a trusted server using an untrusted NTP peer are not affected.

The affected code is only reached when ntpq is using "cooked" output mode (which is the default).  Always using "raw" output mode mitigates this problem.

The overflow itself is limited to 2 bytes (due to the maximum possible value that ntpq can read into uval): one byte is the ASCII representation of the attacker-controlled octal value '0' - '7', followed by a NULL byte.

ntpq is most commonly used to query ntpd running on the local machine (hence trusted).  localhost is the default host it queries unless some other host was explicitly specified.  The default ntpd server configuration only allows ntpq queries from localhost too.

On Red Hat Enterprise Linux 5 and later (including current Fedora versions), this overflow is caught by _FORTIFY_SOURCE, causing ntpq to abort instead of overflowing the buffer.  For those versions, this is not a security flaw.
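The class of defect described in this comment, as an added example that is not ntpq's code: a server-supplied 32-bit value formatted in octal into a fixed-size buffer. The buffer size and sample values are constructed (cookedprint()'s real buffer size is not given here); sprintf_overrun() computes how far an unbounded sprintf would write past the end without performing the write, and format_octal_checked() is the bounded form that rejects a value that does not fit, which is the check _FORTIFY_SOURCE enforces at runtime on sprintf into a known-size buffer.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Characters needed to print v in octal, without the NUL.  The largest
 * 32-bit value, 0xFFFFFFFF, prints as 37777777777: 11 digits. */
static size_t octal_width(uint32_t v)
{
    size_t n = 1;
    while (v >= 8) {
        v >>= 3;
        n++;
    }
    return n;
}

/* Bytes an unbounded sprintf("%o", v) would write past a buffer of
 * bufsize bytes (0 if it fits).  Models the defect without performing it. */
size_t sprintf_overrun(size_t bufsize, uint32_t v)
{
    size_t needed = octal_width(v) + 1;   /* digits plus terminating NUL */
    return needed > bufsize ? needed - bufsize : 0;
}

/* Hardened form: snprintf plus an explicit truncation check.  Returns 0 on
 * success, -1 if the value does not fit; buf is NUL-terminated either way. */
int format_octal_checked(char *buf, size_t bufsize, uint32_t v)
{
    if (bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%" PRIo32, v);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';   /* do not hand a truncated number downstream */
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[10];   /* constructed size: too short for the largest value */
    printf("unbounded sprintf of the max value into %zu bytes overruns by %zu\n",
           sizeof small, sprintf_overrun(sizeof small, UINT32_MAX));
    if (format_octal_checked(small, sizeof small, UINT32_MAX) < 0)
        printf("rejected: value does not fit\n");
    if (format_octal_checked(small, sizeof small, 0777) == 0)
        printf("formatted: %s\n", small);
    return 0;
}
```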
Comment 5 Tomas Hoger 2009-03-31 02:45:32 EDT
Upstream bug report:
  https://support.ntp.org/bugs/show_bug.cgi?id=1144
Comment 7 Tomas Hoger 2009-04-03 09:52:28 EDT
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Comment 8 Tomas Hoger 2009-04-09 06:11:01 EDT
Public now, fixed upstream in 4.2.4p7-RC2:
  https://support.ntp.org/bugs/show_bug.cgi?id=1144
  http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565
Comment 10 errata-xmlrpc 2009-05-18 16:35:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html
Comment 11 errata-xmlrpc 2009-05-18 16:54:26 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html
Comment 12 Fedora Update System 2009-05-19 12:22:24 EDT
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9
Comment 13 Fedora Update System 2009-05-19 12:23:15 EDT
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10
Comment 14 Fedora Update System 2009-05-29 22:28:06 EDT
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-05-29 22:32:55 EDT
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 errata-xmlrpc 2009-12-08 14:50:47 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1651 https://rhn.redhat.com/errata/RHSA-2009-1651.html