NTP makes trouble: CVE-2016-7434 vulnerability analysis (vulnerability warning, 黑吧安全网 / myhack58)

Dec 03, 2016 00:00:00 | 佚名 (Anonymous) | www.myhack58.com | MYHACK58:62201681749 | EPSS 0.965 (High), percentile 99.6%

The NTP Protocol Analysis with CVE-2016-7434
The interaction between an NTP client and an NTP server and the time-synchronization process are not described in detail here; the figure below is enough to sketch it. The data is carried by the NTP protocol, and the server is contacted on port 123.
![NTP client/server time-synchronization exchange](/Article/UploadPic/2016-12/2016123165929745.png?www.myhack58.com)
Download ntp-4.2.8p8, unpack it with tar, then install it with configure, make and make install. After installation, run the daemon with ./ntpd -n -c [path to ntp.conf]. Many Linux systems ship their own NTP, so switch into the directory of the ntpd you just built before starting it, to make sure the running version is the vulnerable one.
![Building and starting ntpd 4.2.8p8](/Article/UploadPic/2016-12/2016123165929951.png?www.myhack58.com)
Let's look at the NTP packet format.
![NTP packet format](/Article/UploadPic/2016-12/2016123165929641.png?www.myhack58.com)
The meaning of each NTP field is explained all over the web, so I will not repeat it here. The one that matters is Mode, the working mode. In earlier NTP versions the monlist feature was served on Mode 7 requests; because monlist could be exploited for NTP amplification attacks (a DDoS technique), it was later disabled and replaced by the mrulist feature on Mode 6, precisely to avoid amplification. This vulnerability lies in mrulist.
We send a malformed packet using the CVE-2016-7434 payload and capture it for analysis.
[Figure: packet capture of the malformed Mode 6 request]
The first byte is 0x16, which is 00010110 in binary. Following the NTP packet format above, bits 0 and 1 are the Leap Indicator: the value 11 is the alarm state meaning time synchronization is broken, and other values are not processed; here it is 00. Bits 2, 3 and 4 are 010, the version. Bits 5, 6 and 7 are 110, the Mode: 6 here, which means the request goes to the mrulist handling.
CVE-2016-7434 vulnerability analysis
On Linux we attach gdb to ntpd; after the payload is sent, gdb catches ntpd crashing.
![gdb attached to ntpd catching the crash](/Article/UploadPic/2016-12/2016123165929156.png?www.myhack58.com)
The bt command shows the call stack at the moment of the crash:
```
__strlen_sse2_bsf () at …/sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
50	…/sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S: No such file or directory.
(gdb) bt
#0  __strlen_sse2_bsf () at …/sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1  0x080948f0 in estrdup_impl (str=0x0) at emalloc.c:128
#2  0x0805f9b3 in read_mru_list (rbufp=0x89d3dd8, restrict_mask=0)
    at ntp_control.c:4041
#3  0x0806a694 in receive (rbufp=0x89d3dd8) at ntp_proto.c:659
#4  0x080598f7 in ntpdmain (argc=0, argv=0xbff16c94) at ntpd.c:1329
#5  0x0804af9b in main (argc=4, argv=0xbff16c84) at ntpd.c:392
```
Frame #1 is the call to estrdup_impl in emalloc.c, and its parameter str is 0x0. Look straight at the corresponding part of emalloc.c (the page shows only the start of the function, up to the strlen call):
```c
char *
estrdup_impl(
	const char *str
#ifdef EREALLOC_CALLSITE
	,
	const char *file,
	int line
#endif
	)
{
	char *copy;
	size_t bytes;

	/* strlen() runs on str before any NULL check */
	bytes = strlen(str) + 1;
```
If str is 0x0, strlen reads the length from address 0x0, and that address is not readable:
```
gdb-peda$ x/10x 0x0
0x0: Cannot access memory at address 0x0
```
That is what causes the denial of service. estrdup_impl was called from read_mru_list, the function that handles the mrulist feature; before that, ntpdmain and receive had been called to receive the packet.
Here is the part of read_mru_list that processes mrulist, starting at line 4034 of ntp_control.c:
```c
	while (NULL != (v = ctl_getitem(in_parms, &val)) &&
	       !(EOV & v->flags)) {
		int si;

		if (!strcmp(nonce_text, v->text)) {
			if (NULL != pnonce)
				free(pnonce);
			pnonce = estrdup(val);	/* val is 0x0 at the crash */
```
estrdup is called where pnonce is assigned, and that is the call in which the problem occurs, with val equal to 0x0. Tracing read_mru_list, val is declared at the function entry; then at the top of the while loop ctl_getitem is called with val as a parameter, before the estrdup call. So it is ctl_getitem that assigns val.
Let's look at ctl_getitem:
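As an added illustration (not code from the article or from ntpd), here is a simplified model of the mrulist item loop described above: a request item written as a bare key with no '=' yields a NULL value, the estrdup-style copy calls strlen() on it and reads address 0, and the checked copy rejects it instead. The names (`next_item`, `nonce_copy_unchecked`, `nonce_copy_checked`, `count_missing_values`) and the comma-separated request strings are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model (not ntpd's own code) of the mode 6 mrulist item loop: items
 * are "key=value" separated by commas; a bare key without '=' yields a NULL value. */
struct item { char key[16]; const char *val; };
/* Split the next item off *cursor; returns 0 when the input is exhausted. */
static int next_item(const char **cursor, struct item *it, char *vbuf, size_t vlen)
{
    const char *p = *cursor;
    while (*p == ' ' || *p == ',') p++;
    if (*p == '\0') return 0;
    size_t n = strcspn(p, "=,");
    size_t k = n < sizeof it->key ? n : sizeof it->key - 1;
    memcpy(it->key, p, k); it->key[k] = '\0';
    p += n;
    if (*p != '=') { it->val = NULL; *cursor = p; return 1; } /* bare key */
    n = strcspn(++p, ",");
    k = n < vlen ? n : vlen - 1;
    memcpy(vbuf, p, k); vbuf[k] = '\0';
    it->val = vbuf;
    *cursor = p + n;
    return 1;
}
/* Vulnerable pattern from the backtrace: strlen() runs before any check, so
 * val == NULL reads address 0 exactly like estrdup_impl(str=0x0). */
char *nonce_copy_unchecked(const char *val)
{
    size_t bytes = strlen(val) + 1;
    char *copy = malloc(bytes);
    return copy ? memcpy(copy, val, bytes) : NULL;
}
/* Hardened form: a missing value is rejected instead of dereferenced. */
char *nonce_copy_checked(const char *val) { return val ? nonce_copy_unchecked(val) : NULL; }
/* Walk one request: returns how many items lack a value and stores the nonce
 * (NULL when it was bare) in *nonce_out using the checked copy. */
int count_missing_values(const char *request, char **nonce_out)
{
    struct item it; char vbuf[64]; int missing = 0; const char *cur = request;
    *nonce_out = NULL;
    while (next_item(&cur, &it, vbuf, sizeof vbuf)) {
        if (it.val == NULL) missing++;
        if (strcmp(it.key, "nonce") == 0) {
            free(*nonce_out);
            *nonce_out = nonce_copy_checked(it.val);
        }
    }
    return missing;
}
```

A request such as "nonce, frags=32" is the shape that reaches the unchecked copy with a NULL value; the checked path reports the missing value and leaves the nonce unset.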
```c
/*
 * ctl_getitem - get the next data item from the incoming packet
 */
static const struct ctl_var *
ctl_getitem(
	const struct ctl_var *var_list,
	char **data
	)
```
ctl_getitem fetches the next data item from the packet, and its data argument is the val we care about. We trace dynamically how val gets its value: first set breakpoints at the entry of the mrulist-handling logic in read_mru_list and follow it.
At the function entry, the names of the items to be fetched from the packet are assigned first:
```c
	const char nonce_text[] = "nonce";
	const char frags_text[] = "frags";
	const char limit_text[] = "limit";
```
