Apple Security Team reported that a stack buffer overflow exists in the ntpq program. When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution. The problem exists in the cookedprint() function in ntpq.c, when a server-supplied numeric value is sprintf-ed into a buffer that is not large enough to hold the string representation of the maximum possible value.
Created attachment 335503
Patch proposed by Apple
This issue only affects the ntpq diagnostic tool, not the NTP server. The overflow can be triggered by a malicious server being queried using ntpq, or if an attacker is able to control the communication channel between ntpq and the NTP server, and hence spoof malicious replies to queries to a trusted NTP server. Queries to a trusted server using an untrusted NTP peer are not affected.

The affected code is only reached when ntpq is using "cooked" output mode (which is the default). Always using "raw" output mode mitigates this problem. The overflow itself is limited to 2 bytes (due to the maximum possible value that ntpq can read into uval): one byte is an ASCII representation of the attacker-controlled octal value '0' - '7', followed by a NULL byte.

ntpq is most commonly used to query ntpd running on the local machine (hence trusted). localhost is the default host it queries unless some other host was explicitly specified. The default ntpd server configuration only allows ntpq queries from localhost too.

On Red Hat Enterprise Linux 5 and later (including current Fedora versions), this overflow is caught by _FORTIFY_SOURCE, causing ntpq to abort instead of overflowing the buffer. For those versions, this is not a security flaw.
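The defect pattern described in the comment above, as an added illustration that is not ntpq's own code: a fixed buffer sized for a typical octal rendering, a function that measures how far an unbounded sprintf() of a server-supplied value would overrun it, and the bounded replacement that refuses to truncate. The buffer size and the "0%lo" format are assumptions for the illustration, not values taken from ntpq.c.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed buffer size: room for a 6-digit "0%lo" rendering plus the NUL.
 * This is an illustrative stand-in, not the size used in ntpq.c. */
#define OCT_BUF_SIZE 7

/* Bytes a "0%lo" rendering of v occupies, NUL included. Measured with a
 * bounded snprintf into a scratch buffer, so nothing is ever overrun here. */
static size_t octal_bytes_needed(unsigned long v) {
    char scratch[32];  /* ample for any unsigned long rendered in octal */
    return (size_t)snprintf(scratch, sizeof scratch, "0%lo", v) + 1;
}

/* How many bytes an unbounded sprintf() of v into an OCT_BUF_SIZE buffer
 * would write past its end (0 means the value fits). With the assumed size,
 * an 8-character rendering spills exactly two bytes: the last octal digit
 * and the terminating NUL, which matches the 2-byte overflow described above. */
size_t sprintf_overrun(unsigned long v) {
    size_t need = octal_bytes_needed(v);
    return need > OCT_BUF_SIZE ? need - OCT_BUF_SIZE : 0;
}

/* Hardened form: bounded write, and truncation is treated as an error so a
 * server-supplied value can neither overrun the buffer nor be silently
 * mangled in the output. Returns 0 on success, -1 if v does not fit. */
int format_octal_checked(unsigned long v, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "0%lo", v);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}
```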
Upstream bug report: https://support.ntp.org/bugs/show_bug.cgi?id=1144
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Public now, fixed upstream in 4.2.4p7-RC2:
https://support.ntp.org/bugs/show_bug.cgi?id=1144
http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1039 https://rhn.redhat.com/errata/RHSA-2009-1039.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 4.7 Z Stream
Via RHSA-2009:1040 https://rhn.redhat.com/errata/RHSA-2009-1040.html
ntp-4.2.4p7-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc9
ntp-4.2.4p7-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ntp-4.2.4p7-1.fc10
ntp-4.2.4p7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.4p7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 3
Via RHSA-2009:1651 https://rhn.redhat.com/errata/RHSA-2009-1651.html