Finding and exploiting ntpd vulnerabilities - Vulnerability warning - The Black Bar Safety Net

ID MYHACK58:62201557736
Type myhack58
Reporter Anonymous
Modified 2015-01-06T00:00:00


0x01 description

A few months ago, I decided to start doing some fuzzing. I chose ntpd, the reference implementation of the Network Time Protocol (NTP), as my first target, because I had some background knowledge of NTP, the protocol looked simple enough to be a good target for learning fuzzing, and ntpd is available for many platforms, is widely used, and is part of the default OS X installation.

While reading the source code to get a better understanding of the protocol, I noticed that its processing is much more complex than I had expected. In addition to the time synchronization packets, ntpd supports symmetric and asymmetric (Autokey) authentication, and a private control mode for querying daemon statistics or changing the configuration (if I'm not mistaken, this is the protocol spoken by ntpdc and ntpq). I found a bug in the code that handles Autokey protocol messages, so I decided to dig deeper and manually review other parts of the code. Eventually I found CVE-2014-9295 and wrote my first OS X exploit, which I describe in detail below.

Long story short: in the default configuration, an attacker on the local network can trigger a global buffer overflow by forging IPv6 packets with the source address ::1. If your ntpd is not yet patched, add nomodify or noquery to every restrict line in your configuration file, even the one for localhost, so that a line such as "restrict ::1" becomes "restrict ::1 nomodify noquery".

Enough of that, let's skip to the details.

0x02 vulnerability

The most serious bug is a buffer overflow in the code that handles control packets; it can be exploited successfully on OS X Mavericks. If the response to a control-mode request exceeds the size of the buffer it is assembled in, the response is split across several packets. The code that implements this, ctl_putdata() in ntp_control.c, looks like this:

    static void
    ctl_putdata(
            const char *dp,
            unsigned int dlen,
            int bin         /* set to 1 when data is binary */
            )
    {
            ...

            /*
             * Save room for trailing junk
             */
            if (dlen + overhead + datapt > dataend) {
                    /*
                     * Not enough room in this one, flush it out.
                     */
                    ctl_flushpkt(CTL_MORE);
            }
            memmove((char *)datapt, dp, (unsigned)dlen);
            datapt += dlen;
            datalinelen += dlen;
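The following self-contained C model is an added illustration and is not ntpd's code or code from the original article. It reproduces the flush-then-copy control flow of ctl_putdata() above (one room check, then one unconditional memmove of dlen bytes) and shows why a single response item larger than the packet buffer runs past it even though the buffer was just flushed, next to a fragmenting variant that stays in bounds. The packet size, the 3-byte reserve, the struct, the counters and every function name other than ctl_putdata/ctl_flushpkt are assumptions made for the model; the real memmove is replaced by a stand-in that counts the bytes that would land past the end instead of overwriting the neighbouring globals, so the program is safe to run.

```c
#include <stdio.h>
#include <string.h>

/* Model constants: assumptions for this example, not ntpd's real values. */
#define PKT_DATA_MAX      32   /* payload capacity of one control response packet */
#define TRAILING_OVERHEAD  3   /* the "room for trailing junk" that ctl_putdata reserves */

/* The state ntpd keeps in globals while a control response is assembled. */
struct ctl_state {
    char   pkt[PKT_DATA_MAX];  /* the response buffer (a global in ntpd) */
    char  *datapt;             /* write cursor into pkt */
    char  *dataend;            /* one past the end of pkt */
    int    packets_flushed;    /* partial packets "sent" so far */
    size_t overflow_bytes;     /* bytes an unchecked memmove would write past dataend */
};

static void ctl_reset(struct ctl_state *s)
{
    memset(s, 0, sizeof *s);
    s->datapt  = s->pkt;
    s->dataend = s->pkt + PKT_DATA_MAX;
}

/* Stands in for ctl_flushpkt(CTL_MORE): ntpd sends the packet, we only restart the buffer. */
static void ctl_flushpkt(struct ctl_state *s)
{
    s->packets_flushed++;
    s->datapt = s->pkt;
}

/* Instrumented stand-in for memmove(datapt, dp, dlen): copies what fits and
 * counts the remainder instead of overwriting whatever follows the buffer. */
static void copy_into_pkt(struct ctl_state *s, const char *dp, size_t dlen)
{
    size_t room = (size_t)(s->dataend - s->datapt);
    size_t n    = dlen < room ? dlen : room;

    memmove(s->datapt, dp, n);
    s->datapt         += n;
    s->overflow_bytes += dlen - n;
}

/* Same control flow as the vulnerable ctl_putdata: one room check, one copy.
 * The check is "dlen + overhead + datapt > dataend" rearranged into an integer
 * comparison so the model never forms a pointer past the end of the buffer. */
static void vulnerable_putdata(struct ctl_state *s, const char *dp, size_t dlen)
{
    size_t used = (size_t)(s->datapt - s->pkt);

    if (dlen + TRAILING_OVERHEAD + used > PKT_DATA_MAX)
        ctl_flushpkt(s);          /* empties the buffer, which still holds only PKT_DATA_MAX bytes */
    copy_into_pkt(s, dp, dlen);   /* dlen itself is never compared with the buffer size */
}

/* Hardened variant: fragment the item so every copy is bounded by the room left. */
static void hardened_putdata(struct ctl_state *s, const char *dp, size_t dlen)
{
    while (dlen > 0) {
        size_t room = (size_t)(s->dataend - s->datapt);
        size_t chunk;

        if (room <= TRAILING_OVERHEAD) {   /* keep the same reserve as the original */
            ctl_flushpkt(s);
            room = PKT_DATA_MAX;
        }
        chunk = room - TRAILING_OVERHEAD;
        if (chunk > dlen)
            chunk = dlen;
        copy_into_pkt(s, dp, chunk);
        dp   += chunk;
        dlen -= chunk;
    }
}

/* Push one response item of dlen bytes (constructed filler, all 'A') through
 * either version, starting from an empty buffer. */
static void run_item(int hardened, size_t dlen, struct ctl_state *s)
{
    static char item[256];

    if (dlen > sizeof item)
        dlen = sizeof item;
    memset(item, 'A', sizeof item);
    ctl_reset(s);
    if (hardened)
        hardened_putdata(s, item, dlen);
    else
        vulnerable_putdata(s, item, dlen);
}

/* Bytes that would land outside the buffer for a single item of dlen bytes. */
size_t overflow_for(int hardened, size_t dlen)
{
    struct ctl_state s;
    run_item(hardened, dlen, &s);
    return s.overflow_bytes;
}

/* Packets flushed while handling a single item of dlen bytes. */
int flushes_for(int hardened, size_t dlen)
{
    struct ctl_state s;
    run_item(hardened, dlen, &s);
    return s.packets_flushed;
}

int main(void)
{
    size_t lens[] = { 20, 50, 200 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("item of %3zu bytes: vulnerable overruns by %3zu, hardened by %zu in %d flushes\n",
               lens[i], overflow_for(0, lens[i]), overflow_for(1, lens[i]), flushes_for(1, lens[i]));
    return 0;
}
```

The point the model makes is that the original check only asks whether the item fits in the space that is left, so an item larger than the whole buffer passes through a flush and is then copied in full: with a 32-byte packet, a 50-byte item overruns by 18 bytes. Any fix has to bound the copy by the buffer, not just by the remaining space, which is what the fragmenting variant does.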


