CVE-2015-7975
CERT VU#357792
ntpq contains a buffer overflow. nextvar() executes a memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes.
ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92
(http://www.ntp.org)[http://www.ntp.org] (http://www.ntpsec.org/)[http://www.ntpsec.org/]
CVSSv2: 3.7 - AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: 5.6 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
This can be exploited by the following call to the addvar command in ntpq:
ntpq -c "addvar iiii<500 more i's>"
The argument will be truncated to 503 bytes, but name is only 256 bytes. As long as no spaces, commas, equal signs or carriage returns are in the argument, the entire 503 bytes will be memcpy()’d in to name. There are several other functions that call nextvar() which could be used for the same type of exploit.
For the purpose of reproducing this, the system’s buffer overflow protection scheme (e.g. fortify source) could affect whether an actual error is seen.
This could be exploited by a malicious user in a context wherein ntpq is run by another script that reads variable names from an untrusted source such as a user or environment variable.
Jonathan Gardner