Network Time Protocol ntpq Special Character Filtering Vulnerability

TALOS-2016-0073
Talos Intelligence (www.talosintelligence.com)
Published: Jan 19, 2016

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS: 0.004 Low (percentile 73.1%)

Summary

The ntpq saveconfig command does not adequately filter special characters from the supplied filename. Only the backslash and the forward slash are filtered out; other special characters are passed straight through into the filename and can cause problems when an administrator later uses shell globbing in the directory that holds the saved file.

In addition, the user-supplied name is passed to strftime() as its format string, so the ntpq user controls the conversion specifiers that are expanded. The %n and %t specifiers insert a newline and a tab, respectively, into the filename, which can have unintended consequences during globbing as well.

Note that the ntpq user is required to authenticate to run this command.

Tested Versions

ntp 4.2.8p3
NTPsec aa48d001683e5b791a743ec9c575aaf7d867a2b0c

Product URLs

<http://www.ntp.org>
<http://www.ntpsec.org/>

CVSS Score

CVSSv2: 3.6 - AV:N/AC:H/Au:S/C:N/I:P/A:P
CVSSv3: 4.4 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Details

For instance, a dash can be the first character of a filename. If the ntpq user saves the config to a file named “-rf”, an admin on the ntp server who runs “rm *” in the directory holding that file actually executes “rm -rf *” after globbing, because the shell expands “*” to the file list and rm parses the leading “-rf” as options. This is an extreme and unlikely example, but any number of similar issues can occur with commands an admin would plausibly run with wildcards from the config directory. On the admin side, terminating option parsing with “--” (rm -- *) or prefixing a path (rm ./*) avoids this particular trap, but the root cause is the missing filename filter in ntpd.

Recommended Fix

The save_config() function in ntp_control.c should filter out special characters, with the exception of the small set that is normally used in filenames: ._- (dot, underscore, and dash). Filenames should not be allowed to start with any of these special characters. The %n and %t format specifiers should also be disallowed, to keep whitespace out of the filename. A more conservative approach would be to remove the call to strftime() entirely, in case strftime() has other problems that an ntpq user could reach through the format string.
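As an added example (not code from ntp or NTPsec), the validation the Recommended Fix describes, written as a stand-alone C program. The function names, the allowlist of strftime() conversions, the fixed timestamp and the check on the expanded name are this example's own assumptions. It rejects the “-rf” name from the Details section and the %n and %t specifiers, and it also validates the expanded result, because the filter on the format string alone would pass a name such as “-%H” that strftime() turns into “-00”.

```c
/* Added example, not ntp's save_config(): names, allowlist and the
 * post-expansion check are assumptions made for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Characters allowed anywhere in a saved filename: [A-Za-z0-9._-]. */
static int safe_char(int c)
{
    return isalnum(c) || c == '.' || c == '_' || c == '-';
}

/* Accept a final filename only if it is non-empty, starts with a letter
 * or digit (so "-rf", ".hidden" and ".." are rejected) and contains
 * nothing outside the safe set. Returns 1 if acceptable, 0 otherwise. */
int saveconfig_name_ok(const char *name)
{
    const char *p;

    if (name == NULL || !isalnum((unsigned char)name[0]))
        return 0;
    for (p = name; *p != '\0'; p++)
        if (!safe_char((unsigned char)*p))
            return 0;
    return 1;
}

/* Vet the user-supplied strftime() format before it is expanded: literal
 * characters must be in the safe set, and only conversions that expand
 * to digits are allowed (assumed allowlist: %Y %m %d %H %M %S %j). This
 * rejects %n and %t, as the advisory recommends, and also %D, %c, %Z and
 * similar, which expand to slashes, spaces or locale-dependent text. */
int saveconfig_format_ok(const char *fmt)
{
    static const char allowed[] = "YmdHMSj";
    const char *p;

    if (fmt == NULL || fmt[0] == '\0')
        return 0;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%') {
            if (!safe_char((unsigned char)*p))
                return 0;
            continue;
        }
        p++;                           /* look at the conversion letter */
        if (*p == '\0' || strchr(allowed, *p) == NULL)
            return 0;
    }
    return 1;
}

/* Expand fmt with strftime() for the given time and validate the result
 * too, since the expanded string is what reaches the filesystem. Returns
 * 1 and fills out on success, 0 on any failure (including a name that
 * does not fit in out). */
int saveconfig_expand(const char *fmt, const struct tm *tm,
                      char *out, size_t outlen)
{
    if (!saveconfig_format_ok(fmt))
        return 0;
    if (strftime(out, outlen, fmt, tm) == 0)
        return 0;
    return saveconfig_name_ok(out);
}

/* Constructed fixed timestamp for reproducible output: 2016-01-19 00:00. */
static struct tm fixed_tm(void)
{
    struct tm tm;

    memset(&tm, 0, sizeof(tm));
    tm.tm_year = 2016 - 1900;
    tm.tm_mon = 0;
    tm.tm_mday = 19;
    tm.tm_wday = 2;                    /* Tuesday */
    tm.tm_yday = 18;
    return tm;
}

/* Does fmt expand and validate to exactly the expected filename? */
int demo_expands_to(const char *fmt, const char *expected)
{
    struct tm tm = fixed_tm();
    char buf[64];

    return saveconfig_expand(fmt, &tm, buf, sizeof(buf)) &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    static const char *const tries[] = {
        "ntp-%Y%m%d.conf", "-rf", "ntp%n.conf", "-%H", "%D", "ntp conf"
    };
    size_t i;

    for (i = 0; i < sizeof(tries) / sizeof(tries[0]); i++) {
        struct tm tm = fixed_tm();
        char buf[64];
        int ok = saveconfig_expand(tries[i], &tm, buf, sizeof(buf));

        printf("%-18s -> %s%s\n", tries[i],
               ok ? "accepted as " : "rejected", ok ? buf : "");
    }
    return 0;
}
```

Build with any C compiler; main() prints the verdict for a handful of constructed names, including “-rf”, which passes the format check but fails the leading-character rule once expanded.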

Timeline

2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release
