Bug 484653 (CVE-2009-0159) - VUL-1: CVE-2009-0159: Limited buffer overflow in ntpq
Summary: VUL-1: CVE-2009-0159: Limited buffer overflow in ntpq
Status: RESOLVED FIXED
Alias: CVE-2009-0159
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Deadline: 2009-04-09
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:23923 maint:released:sl...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-12 08:32 UTC by Ludwig Nussel
Modified: 2016-04-27 21:03 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Ludwig Nussel 2009-03-12 08:32:23 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.

Date: Wed, 11 Mar 2009 16:55:13 -0700
From: Geoff Keating <geoffk@apple.com>
To: security@ntp.org, vendor-sec@lst.de
Subject: [vendor-sec] Limited buffer overflow in ntpq

There's a limited buffer overflow in the 'ntpq' program.  Our draft  
description is as follows:

• Network Time
CVE-ID: CVE-2009-0159
Impact: Requesting peer information from a malicious remote time  
server may lead to an unexpected application termination or arbitrary  
code execution
Description: A stack buffer overflow exists in the ntpq program. When  
the ntpq program is used to request peer information from a remote  
time server, a maliciously crafted response may lead to an unexpected  
application termination or arbitrary code execution. This update  
addresses the issue through improved bounds checking. Credit: Apple.

We plan to patch it as follows:

--- ntpq/ntpq.c~	2006-06-06 13:17:02.000000000 -0700
+++ ntpq/ntpq.c	2008-02-06 12:12:22.000000000 -0800
@@ -3140,9 +3140,9 @@ cookedprint(
  				if (!decodeuint(value, &uval))
  				    output_raw = '?';
  				else {
-					char b[10];
+					char b[12];

-					(void) sprintf(b, "%03lo", uval);
+					(void) snprintf(b, sizeof(b), "%03lo", uval);
  					output(fp, name, b);
  				}
  				break;
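Review bot: `char b[12]` in the replacement is sized for a 32-bit `unsigned long` (at most 11 octal digits plus the NUL) but not for a 64-bit one, where `%lo` can emit 22 digits; with `snprintf` that is no longer an overflow, but the value is silently truncated and the `(void)` cast discards the return value that would reveal it. Consider sizing the buffer from the type, e.g. `char b[sizeof(uval) * CHAR_BIT / 3 + 2];`, or checking that the `snprintf` result is below `sizeof(b)` before calling `output()`.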


This issue is often not exploitable, especially in 32-bit processes  
where the overrun can be at most 2 bytes.  Common hardening measures  
will also prevent exploitation.
Comment 3 Thomas Biege 2009-04-07 14:36:35 UTC
Today 4.2.4p7 will probably be released.
Comment 4 Thomas Biege 2009-04-09 12:54:20 UTC
To: Geoff Keating <geoffk@apple.com>
Cc: security@ntp.org, vendor-sec@lst.de
Date: Thu, 09 Apr 2009 09:10:50 +0000
From: Harlan Stenn <stenn@ntp.org>
Subject: [vendor-sec] Re: [ntp:security] Limited buffer overflow in ntpq
Errors-To: vendor-sec-admin@lst.de

The fix for this bug should be visible in tonight's ntp-4.2.4p7-RC2
tarball.

Thanks very much for the report and fix Geoff!

H
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 8 Peter Varkoly 2009-04-15 14:29:55 UTC
Fixed and submitted for sles11, sles10-sp2, sles9, and 11.1
Comment 9 Swamp Workflow Management 2009-04-15 15:14:01 UTC
The SWAMPID for this issue is 23923.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/23923)
Comment 10 Marcus Meissner 2009-04-15 22:13:53 UTC
Dirk just asked me why this is updated right now as it looked minor to him...

-D_FORTIFY_SOURCE=2 should catch this overflow and abort ntpq in sle10,10.3-11.1,sle11.

It will also overflow at most 1 octal number in ascii and 1 '\0' if I see this correctly, which severely limits exploit potential even on non-protected older distros.

... wondering if we need to update this right now or at all, or at least at prio 87/moderate?
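The following is an added example, not code from ntp and not anything attached to this bug. It measures what the hunk in the description and the estimate in comment 10 describe: how far the pre-fix `char b[10]` + `sprintf("%03lo")` pattern runs past its buffer for a 32-bit and a 64-bit `unsigned long`, and how a bounded write sized from the type behaves instead. The function names, the canary-arena technique (so the overrun is counted rather than smashing the real stack) and the sample values are this example's own; only the format string and the 10- and 12-byte sizes come from the patch.

```c
/*
 * Added example (not ntp's code): measure the overrun of the original
 * cookedprint() pattern, char b[10] written with sprintf("%03lo", uval),
 * and show a bounded replacement sized from the type.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Buffer size a "%03lo" of unsigned long needs: ceil(bits/3) digits plus NUL. */
#define OCTAL_BUF_LEN ((sizeof(unsigned long) * CHAR_BIT + 2) / 3 + 1)

/* Bytes by which "%03lo" of an all-ones value of `bits` bits would run past a
 * buffer of buf_len bytes; 0 means it fits. Pure arithmetic, so the 32-bit
 * and 64-bit cases can both be asked on the same host. */
size_t octal_overrun(size_t buf_len, unsigned bits)
{
    size_t digits = (bits + 2) / 3;      /* octal digits for an all-ones value */
    if (digits < 3)
        digits = 3;                      /* "%03lo" pads to at least 3 */
    size_t needed = digits + 1;          /* plus the terminating NUL */
    return needed > buf_len ? needed - buf_len : 0;
}

/* Emulates the vulnerable write without corrupting the real stack: the
 * 10-byte "b" is the start of a larger arena pre-filled with a canary byte,
 * and the return value is how many canary bytes sprintf clobbered. */
#define B_LEN_ORIGINAL 10
#define CANARY 0xAA

size_t vulnerable_format_overrun(unsigned long uval)
{
    char arena[64];
    memset(arena, CANARY, sizeof arena);
    sprintf(arena, "%03lo", uval);       /* the original unbounded sprintf */

    size_t clobbered = 0;
    for (size_t i = B_LEN_ORIGINAL; i < sizeof arena; i++)
        if ((unsigned char)arena[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Hardened form: bounded write, and truncation reported instead of ignored.
 * Returns 1 if the whole value fit in out[], 0 if snprintf had to cut it. */
int hardened_format(char *out, size_t out_len, unsigned long uval)
{
    int n = snprintf(out, out_len, "%03lo", uval);
    return n >= 0 && (size_t)n < out_len;
}

/* Convenience wrapper: does "%03lo" of uval fit in a buf_len-byte buffer? */
int fits_in(size_t buf_len, unsigned long uval)
{
    char buf[64];
    if (buf_len > sizeof buf)
        buf_len = sizeof buf;
    return hardened_format(buf, buf_len, uval);
}

int main(void)
{
    unsigned bits = (unsigned)(sizeof(unsigned long) * CHAR_BIT);
    char b_sized[OCTAL_BUF_LEN];         /* sized from the type */

    printf("unsigned long is %u bits; %%03lo needs up to %zu bytes\n",
           bits, (size_t)OCTAL_BUF_LEN);
    printf("b[10] overrun for ULONG_MAX on this host: %zu bytes "
           "(32-bit target: %zu, 64-bit target: %zu)\n",
           vulnerable_format_overrun(ULONG_MAX),
           octal_overrun(10, 32), octal_overrun(10, 64));
    printf("b[12] + snprintf: %s\n",
           fits_in(12, ULONG_MAX) ? "fits" : "truncated");
    printf("b[%zu] + snprintf: %s -> %s\n", sizeof b_sized,
           hardened_format(b_sized, sizeof b_sized, ULONG_MAX) ? "fits" : "truncated",
           b_sized);
    return 0;
}
```

On a 32-bit build the arena test reports the 2-byte overrun (one octal digit plus the NUL) that the report and comment 10 describe; on LP64 it is 13 bytes, which is why the 12-byte buffer in the patch only avoids the overflow because `snprintf` now bounds the write, at the cost of silently truncated output unless the return value is checked as `hardened_format()` does.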
Comment 11 Thomas Biege 2009-04-16 06:01:41 UTC
(In reply to comment #10)
> Dirk just asked me why this is updated right now as it looked minor to him...
> 
> 
>  -D_FORTIFY_SOURCE=2 should catch this overflow and abort ntpq in
> sle10,10.3-11.1,sle11.

The gcc protection technique never influenced our decisions made in the past for good reasons.


> It will also overflow at most 1 octal number in ascii and 1 '\0' if I see this
> correctly, which severly limits exploit potential even on non-protected older
> distros.
> 
> 
> 
> ... wondering if we need to update this right now or at all, or at least at
> prio 87/moderate?

NTP is UDP-based and can be spoofed easily even via firewalls.
I must admit that I am not sure how important ntpq is, but a correct time is important for Kerberos and other protocols that use session tokens (Cookies).

Of course there is no reason to create inappropriate workload, therefore feel free to adjust the SWAMP prio to a level you want.
Comment 12 Thomas Biege 2009-04-29 14:57:11 UTC
setting to VUL-1 and adding it to swamp's planned update list
Comment 13 Swamp Workflow Management 2009-05-18 22:08:41 UTC
Update released for: ntp, ntp-debuginfo, ntp-debugsource, ntp-doc
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 14 Swamp Workflow Management 2009-05-18 22:09:03 UTC
Update released for: xntp, xntp-doc
Products:
Novell-Linux-Desktop 9 (i386, x86_64)
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Comment 15 Swamp Workflow Management 2009-05-18 22:09:23 UTC
Update released for: xntp, xntp-doc
Products:
SLE-DEBUGINFO 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP2 (i386, x86_64)
SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Comment 16 Dirk Mueller 2009-05-22 09:33:33 UTC
now released.