SonicWall Security Center

NTP Daemon decodearr Function Buffer Overflow (Mar 23, 2018)


Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. The NTP reference implementation ships a native command-line query utility, ntpq.

A stack overflow vulnerability has been reported in ntpq. Because the request parsing function decodearr() fails to validate the size of request parameters, an attacker can overwrite stack contents with attacker-controlled data. A successful attack could lead to arbitrary code execution on the target server with the privileges of the service application.

The format of the NTP message is specified in RFC 1305:

  • Leap Indicator: 2 bits
  • Version Number: 3 bits
  • Mode: 3 bits (message mode)
  • Response Bit: 1 bit (0x0 for requests, 0x01 for responses)
  • Error Bit: 1 bit
  • More Bit: 1 bit
  • Operation Code: 5 bits
  • Sequence: 16 bits
  • Status: 16 bits
  • Association ID: 16 bits
  • Offset: 16 bits
  • Count: 16 bits
  • Data: key-value format data

The data section is represented in the following format:

key = value1 value2 .... valueN (array of values)

When handling the request's data section, decodearr() uses an 80-byte fixed-length buffer, a local variable allocated on the stack. If the request data is longer than 79 bytes (as shown in the figure below), a typical stack overflow occurs.
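As an added illustration (not SonicWall's code and not the ntp project's), the bounded copy the description implies decodearr() was missing: each value of a "key = value1 ... valueN" section is copied into an 80-byte buffer only if it fits, and an over-long value is rejected rather than written past the buffer. The key name filtdelay and the sample values are constructed, and the function names decode_value_array, decode_count and demo_value_of_length belong to this example only.

```c
#include <string.h>
#define VALUE_BUF_LEN 80   /* the fixed stack buffer size the advisory describes */
#define MAX_VALUES 16
/* Copies one space-delimited token into buf, leaving room for the NUL.
   Returns its length, or -1 when it would not fit: the check decodearr() lacked. */
static int copy_token(const char **cp, char *buf, size_t buflen)
{
    size_t n = 0;
    for (; **cp != '\0' && **cp != ' ' && **cp != '\n'; (*cp)++) {
        if (n + 1 >= buflen)
            return -1;              /* refuse instead of running past buf */
        buf[n++] = **cp;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Decodes "key = value1 value2 ... valueN" into out[]. Returns the value count,
   -1 for a missing '=' or too many values, -2 if any value exceeds 79 bytes. */
int decode_value_array(const char *data, char out[][VALUE_BUF_LEN], int max_values)
{
    const char *cp = strchr(data, '=');
    int count = 0;
    if (cp == NULL) return -1;
    for (cp++; *cp != '\0'; count++) {
        cp += strspn(cp, " \n");    /* skip separators between values */
        if (*cp == '\0')
            break;
        if (count >= max_values)
            return -1;
        if (copy_token(&cp, out[count], VALUE_BUF_LEN) < 0)
            return -2;
    }
    return count;
}
/* Decodes into a local array and returns only the result code. */
int decode_count(const char *data)
{
    char out[MAX_VALUES][VALUE_BUF_LEN];
    return decode_value_array(data, out, MAX_VALUES);
}
/* Constructed sample: "filtdelay= " then one value of len 'A' bytes (len <= 200). */
int demo_value_of_length(int len)
{
    char data[224] = "filtdelay= ";
    memset(data + 11, 'A', (size_t)len);
    data[11 + len] = '\0';
    return decode_count(data);
}
```

A 79-byte value is the longest that fits the 80-byte buffer with its terminator; the 80-byte case is exactly the one the original code would have let through.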

The SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop attacks:

  • IPS 13276: NTP Daemon decodearr Function Buffer Overflow
