NTP Daemon decodearr Function Buffer Overflow

March 23, 2018

Description Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP's has a native application implementation, ntpq, which can be accessed from command line. A stack overflow vulnerability is reported in ntpq. Because the request parse function decodearr() failed to validate the size of request parameters, an attacker could overwrite the stack content with controllable content. A successful attack could lead to an arbitrary code execution on the target server with the privilege of the service application. The format of the NTP message data has been specified in rfc1305:

Leap Indicator: 2 bits Version Number: 3 bits Mode: 3 bits Message Mode Response Bit: 1 Bit (0x0/0x01 for requests/responses) Error Bit: 1 Bit More Bit: 1 Bit Operation Code: 5 bits Sequence: 16 bits Status: 16 bits Association ID: 16 bits Offset: 16 bits Count: 16 bits Data: key-value format data 

The data section is represented in the following format:

key = value1 value2 .... valueN (array of values)

When handling the request's data section, the function decodearr() used a 80 bytes fixed length buffer, which is a local variable allocated in stack. If the request is longer than 79 bytes (as shown in the figure below), a typical stack overflow will occur. SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow