Network Time Protocol Trusted Keys Memory Corruption Vulnerability

2015-10-21 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.01 Low
  Percentile: 83.8%

Talos Vulnerability Report

TALOS-2015-0054

Network Time Protocol Trusted Keys Memory Corruption Vulnerability

October 21, 2015
CVE Number

CVE-2015-7849

Description

An exploitable use-after-free vulnerability exists in the password management functionality of the Network Time Protocol. A specially crafted key file can cause a buffer overflow that results in memory corruption. An attacker who can supply a malicious password file can trigger this vulnerability.

Tested Versions

ntp 4.2.8p2

Product URLs

<http://www.ntp.org>

Details

The function authdelkeys() frees all the keys used for user authentication. Normal keys are also removed from the list of keys. Trusted keys, however, stay in the list: the memory holding the key is freed, but the pointer to that memory is not set to NULL and keeps its old value.

This is the code at line 598 in authkeys.c:

	if (KEY_TRUSTED & sk->flags) {
		if (sk->secret != NULL) {
			memset(sk->secret, '\0', sk->secretsize);
			free(sk->secret);
			/* sk->secret is freed but not set to NULL; the entry stays in the list */
		}
		sk->secretsize = 0;
		sk->lifetime = 0;
	} else {

Since the key is still in the linked list, new key material will simply be copied into the already freed buffer at line 541 in authkeys.c:

    for (sk = *bucket; sk != NULL; sk = sk->hlink) {
        if (keyno == sk->keyid) {
            sk->type = (u_short)keytype;
            secretsize = len;
            sk->secretsize = (u_short)secretsize;
#ifndef DISABLE_BUG1243_FIX
            memcpy(sk->secret, key, secretsize);  /* sk->secret may point to freed memory here */

Reusing the freed buffer in this way can lead to inconsistent authentication tokens or to memory corruption.
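To make the dangling-pointer state concrete, here is an added C model of the two code paths above; it is not ntp's code, and struct savekey, delkeys_model, setkey_model and run_scenario are constructed stand-ins. With fixed == 0 the reload path finds a non-NULL pointer with a zero secretsize, the state in which the original memcpy writes into freed memory; with fixed == 1 the pointer is cleared on delete and a fresh buffer is allocated on reload.

```c
#include <stdlib.h>
#include <string.h>
#define KEY_TRUSTED 0x1
/* Minimal stand-in for ntp's savekey entry (constructed for this example). */
struct savekey {
    struct savekey *hlink;      /* next entry in the hash bucket */
    unsigned char *secret;      /* heap buffer holding the key material */
    unsigned short secretsize, keyid, flags;
};

/* Trusted-key branch of authdelkeys(): the entry stays listed, only the buffer
 * is released. fixed == 0 leaves the pointer dangling as in 4.2.8p2. */
static void delkeys_model(struct savekey *bucket, int fixed)
{
    for (struct savekey *sk = bucket; sk != NULL; sk = sk->hlink) {
        if (!(KEY_TRUSTED & sk->flags) || sk->secret == NULL) continue;
        memset(sk->secret, '\0', sk->secretsize);
        free(sk->secret);
        if (fixed) sk->secret = NULL;       /* the step missing in 4.2.8p2 */
        sk->secretsize = 0;
    }
}

/* Reload path (authkeys.c:541): 0 on a safe copy, -1 in the dangling state
 * (non-NULL pointer, zero size) where the real memcpy hits freed memory. */
static int setkey_model(struct savekey *bucket, unsigned short keyno,
                        const unsigned char *key, unsigned short len)
{
    for (struct savekey *sk = bucket; sk != NULL; sk = sk->hlink) {
        if (keyno != sk->keyid) continue;
        if (sk->secret == NULL) sk->secret = malloc(len); /* fresh after fix */
        else if (sk->secretsize < len) return -1;          /* stale or small */
        memcpy(sk->secret, key, len);
        sk->secretsize = len;
        return 0;
    }
    return -2;                              /* unknown key id */
}

/* One trusted key, deleted, then reloaded: -1 reproduces the bug, 0 the fix. */
int run_scenario(int fixed)
{
    unsigned char k[] = "constructed-key";
    struct savekey sk = { NULL, malloc(sizeof k), sizeof k, 1, KEY_TRUSTED };
    memcpy(sk.secret, k, sizeof k);
    delkeys_model(&sk, fixed);
    int rc = setkey_model(&sk, 1, k, sizeof k);
    if (fixed) free(sk.secret);             /* vulnerable path freed it already */
    return rc;
}
```

The invariant the model checks on reload, a non-NULL secret pointer paired with secretsize == 0, is the state a reviewer can look for in any delete path that releases a buffer without unlinking its owner.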

Credit

Yves Younan of Cisco Talos

