Analysis of ntpd Stack Buffer Overflow Vulnerability (CVE-2014-9295) from the perspective of source code


Buffer overflow in configure()

First, the stack overflow in the configure() function, which is described as follows:

Let's take a look at the patch committed on December 12.

http://bk1.ntp.org/ntp-dev?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g

Before the memcpy, the patch adds a check that data_count is not longer than remote_config.buffer.

That is to say, the memcpy before the patch could overflow. But is the destination address, remote_config.buffer, on the stack?

This is in ntp_config.h:

The remote_config structure is shown above. Its buffer has a fixed size, and the memcpy copy before the patch could overflow it.

However, remote_config does not live on the stack.

It is also defined in ntp_config.h: remote_config is a global variable, so it is placed in the BSS segment.

So this is not a stack overflow. Apart from corrupting the global variables that follow the buffer in the BSS segment, I do not know what other damage it could cause.

However, the global static data that would be overwritten after it appears to be of little use.

Buffer overflow in ctl_putdata()

Similarly, the description on the official website is as follows:

Corresponding patch:

http://bk1.ntp.org/ntp-dev?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg

This patch is interesting: a min macro is added to obtain the smaller of two lengths, and a currentlen variable is added to track the current length.

Of course, the purpose is simply to prevent the memcpy from overflowing while still ensuring that all of the content gets copied.

The destination address datapt is a pointer into rpkt.data, and the structure of rpkt is defined as follows:

This is in ntp_control.h:

The size of the data array is fixed and is exceeded by the memcpy above.

Similarly, the instance rpkt is not defined inside the function but in the global data area of ntp_control.c.

So this overflow, too, is not a stack overflow but an overflow of global (BSS) data.
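The two fix patterns discussed above (the data_count check before the memcpy in configure(), and the min/currentlen bounded copy in ctl_putdata()), written out as an added C example that is not ntpd's own code. The struct names, buffer sizes and the flush-by-counting behaviour are constructed stand-ins for remote_config.buffer and rpkt.data, chosen so the behaviour can be checked without the ntpd sources.

```c
#include <stddef.h>
#include <string.h>
/* Stand-ins for the fixed-size globals the article describes (remote_config.buffer in
 * ntp_config.h, rpkt.data in ntp_control.h); sizes here are constructed, not ntpd's. */
#define CFG_BUF_SIZE 64
#define PKT_DATA_SIZE 32
#define MIN(a, b) ((a) < (b) ? (a) : (b))
struct remote_cfg { char buffer[CFG_BUF_SIZE]; size_t data_count; };
struct ctl_pkt { unsigned char data[PKT_DATA_SIZE]; size_t datalen; unsigned flushed; };
static struct remote_cfg g_cfg;  /* global, lives in BSS like remote_config */
static struct ctl_pkt g_pkt;     /* global, like rpkt in ntp_control.c */

/* configure() fix pattern: check data_count against the buffer before memcpy.
 * Returns 1 when stored, 0 when refused; the unpatched code copied unconditionally. */
int cfg_store(const char *src, size_t data_count)
{
    if (data_count >= sizeof(g_cfg.buffer))  /* keep one byte for the terminator */
        return 0;
    memcpy(g_cfg.buffer, src, data_count);
    g_cfg.buffer[data_count] = '\0';
    g_cfg.data_count = data_count;
    return 1;
}

/* ctl_putdata() fix pattern: copy MIN(len, room) per step, track currentlen, and
 * flush (here: count and reset) when data[] is full instead of writing past it. */
void ctl_append(const unsigned char *src, size_t len)
{
    size_t currentlen = g_pkt.datalen;
    while (len > 0) {
        size_t room = sizeof(g_pkt.data) - currentlen;
        if (room == 0) { g_pkt.flushed++; currentlen = 0; continue; } /* packet full */
        size_t n = MIN(len, room);
        memcpy(g_pkt.data + currentlen, src, n);
        currentlen += n;
        src += n;
        len -= n;
    }
    g_pkt.datalen = currentlen;
}

/* Feed a constructed n-byte payload to both paths; returns cfg_store's verdict. */
int demo(size_t n)
{
    unsigned char payload[256];
    memset(payload, 'A', sizeof(payload));
    memset(&g_pkt, 0, sizeof(g_pkt));
    ctl_append(payload, n);
    return cfg_store((const char *)payload, n);
}
```

With a 70-byte payload the packet path emits two full packets and keeps 6 bytes, while the configuration path refuses the copy outright.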

Buffer overflow in crypto_recv()

Finally, let's look at the overflow in the crypto_recv() function:

Corresponding patch:

http://bk1.ntp.org/ntp-dev?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA

This patch is more fun, so let me go through it in detail.

The patched code uses cookiebuf, a heap block newly allocated with malloc inside the function, as the destination address for RSA_private_decrypt(), saves the result, and frees it immediately after use.

RSA_public_encrypt() encrypts the flen bytes at from (usually a session key) using the public key rsa and stores the ciphertext in to. to must point to RSA_size(rsa) bytes of memory.

That is to say, the third parameter is a pointer to the buffer that receives the result, a byte buffer.

So, before the patch, what was temp32?

The following definition appears earlier in ntp_crypto.c:

This temp32 is actually of type u_int32; its address is taken, forcibly cast to a u_char pointer, and passed to RSA_private_decrypt(). If the data RSA_private_decrypt() writes to the destination exceeds the size of that single variable, the write overflows.

Is this overflow on the stack?

u_int32 temp32 is defined at the beginning of the crypto_recv() function, that is, inside the function!

So finally, the last overflow is a stack overflow.

Judging from the surrounding logic and the function name, the ntp server reaches this point when it decrypts the RSA cookie.

Of course, if you are interested in the logic of the whole crypto_recv() function, you can reverse it yourself:

Additional

For debugging, download the source code of the vulnerable version from the official website:

http://archive.ntp.org/ntp4/

With the default configure options the first two functions are built, but autokey is not enabled by default, so the compiled binary does not contain the crypto_recv() function. To enable autokey, you need to configure it as follows:

Edit ntp.conf after make. If you only want to debug, there is no need to install ntp into the system directories; just start ntpd/ntpd directly with root permission:

sudo ntpd/ntpd -c ~/Desktop/ntp.conf

The -c parameter specifies the location of the ntp.conf file.

Enable autokey and configure the key:

ntpd acts as the server. Once running, it listens on port 123. A client can reach it through Python's ntplib or through the ntpq/ntpq client in the build directory:

Conclusion

This article analyzes the three overflows covered by CVE-2014-9295. After verification, only the overflow in the crypto_recv() function is a stack overflow. That is the answer to "if you send a packet containing malicious cookies, you can win any server".

Of course, the open questions about this overflow point are: can it really be reached, can it be exploited, can it be exploited reliably; these are left for interested readers to study further. In addition, the crypto_recv() function is compiled into ntpd only when the autokey feature is enabled on the ntp server.

The source code of the vulnerable version can be downloaded from the official website to make further research easier.

For security vendors and all network administrators: upgrade the ntp server as soon as possible, and disable the service if it is not needed. This is not just a matter of the service being used to build a zombie army that DDoSes other people's devices; your own devices may actually be compromised.
