| Metric | Value |
|---|---|
| CVSS2 base score | 7.5 (High) |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| CVSS2 vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| EPSS score | 0.966 (High) |
| EPSS percentile | 99.5% |
Recently, the official NTP website released a security update:
<http://support.ntp.org/bin/view/Main/SecurityNotice>
It covers a total of 6 vulnerabilities under 4 CVE numbers, all found and reported by the Google Security Team.
Among them, CVE-2014-9295 comprises three stack overflows:
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295>
This article examines these three stack overflows from the source-code perspective and assesses, for each, the possibility of exploiting it for privilege escalation.
Note: the vulnerable (old) version referenced is ntp-4.2.6p5.
First, the stack overflow in the configure() function. The website's description is as follows:
![t01d31fb18692ac507a.png](/Article/UploadPic/2014-12/20141225111656156.png)
Let us look at the content of the patch of 12 December:
<http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g>
![t0180bac9382d7cc886.png](/Article/UploadPic/2014-12/20141225111656813.png)
Before the memcpy, the patch adds logic that checks whether data_count is greater than the length of remote_config.buffer.
That is to say, before the patch this memcpy could overflow. Is the destination, remote_config.buffer, on the stack?
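As an added illustration (not code from the article or from ntpd), the following C program models the check the patch introduces: data_count is compared against the destination length before the memcpy. The struct layout, buffer size, sample request and function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define CFG_BUF_LEN 64   /* assumed buffer size, not ntpd's real value */
/* Simplified stand-in for ntpd's remote_config object; layout is assumed. */
struct remote_config_info {
    char   buffer[CFG_BUF_LEN];
    size_t rejected_len;        /* data_count of the last rejected request */
};
static struct remote_config_info remote_config;
/* Constructed sample request, not captured traffic. */
static const char sample_req[] = "server 192.0.2.1 iburst\n";
/*
 * Patched shape of the copy in configure(): compare data_count with the
 * destination size BEFORE the memcpy. Returns 0 on success, -1 when the
 * request does not fit (buffer left untouched). Pre-patch code performed the
 * memcpy without this comparison, which is the defect the article describes.
 */
int copy_remote_config(const char *reqpt, const char *reqend)
{
    size_t data_count;
    if (reqend < reqpt)                     /* malformed request bounds */
        return -1;
    data_count = (size_t)(reqend - reqpt);
    /* ">=" not ">": one byte must remain for the NUL appended below. */
    if (data_count >= sizeof(remote_config.buffer)) {
        remote_config.rejected_len = data_count;
        return -1;
    }
    memcpy(remote_config.buffer, reqpt, data_count);
    remote_config.buffer[data_count] = '\0';
    return 0;
}

/* Runs a constructed request of n 'A' bytes through the check. */
int try_request_of_len(size_t n)
{
    char req[256];
    if (n > sizeof(req))
        return -1;
    memset(req, 'A', n);
    return copy_remote_config(req, req + n);
}

int main(void)
{
    printf("sample: %d\n", copy_remote_config(sample_req, sample_req + strlen(sample_req)));
    printf("%d bytes: %d\n", CFG_BUF_LEN - 1, try_request_of_len(CFG_BUF_LEN - 1));
    printf("%d bytes: %d\n", CFG_BUF_LEN, try_request_of_len(CFG_BUF_LEN));
    return 0;
}
```

The boundary cases show why the comparison operator matters: a request of CFG_BUF_LEN - 1 bytes fits with its terminator, while CFG_BUF_LEN bytes must be rejected.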
![t01b242106304a5d6ac.png](/Article/UploadPic/2014-12/20141225111656444.png)
Here, in ntp_config.h: