Comments on Project Zero: Finding and exploiting ntpd vulnerabilities
(comment feed, 11 comments, last updated 2024-03-28)

CoconutHead (2017-09-25):
It is mentioned that data is controlled on the stack, but the origin of this data is not explained. What is the data that is controllable on the stack and where does it come from?

marcinguy (2016-02-14 12:44):
OK, figured it out :) Created the packet by hand, instead of using the ntpq client.

marcinguy (2016-02-14 10:02):
Actually, it didn't work. The biggest dlen in ctl_putdata() I was able to get was 466, but the global buffer size as I understand it is 504 bytes.

I tried to set a long variable name in order to trigger the overflow:

    :config setvar bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb = 1

Then read it via:

    :rv 0 sys_var_list

It displays blank, but that's how the stack looks:

    (gdb) x/400x 0x684b0c
    0x684b0c: 0x5f737973 0x5f726176 0x7473696c 0x656c223d
    0x684b1c: 0x732c7061 0x74617274 0x702c6d75 0x69636572
    0x684b2c: 0x6e6f6973 0x6f6f722c 0x6c656474 0x722c7961
    0x684b3c: 0x64746f6f 0x2c707369 0x69666572 0x65722c64
    0x684b4c: 0x6d697466 0x63742c65 0x6565702c 0x666f2c72
    0x684b5c: 0x74657366 0x6572662c 0x6e657571 0x732c7963
    0x684b6c: 0x6a5f7379 0x65747469 0x6c632c72 0x696a5f6b
    0x684b7c: 0x72657474 0x6f6c632c 0x702c6b63 0x65636f72
    0x684b8c: 0x726f7373 0x7379732c 0x2c6d6574 0x73726576
    0x684b9c: 0x2c6e6f69 0x5f6b6c63 0x646e6177 0x732c7265
    0x684bac: 0x765f7379 0x6c5f7261 0x2c747369 0x2c696174
    0x684bbc: 0x7061656c 0x2c636573 0x69707865 0x6d2c6572
    0x684bcc: 0x63746e69 0x6561642c 0x5f6e6f6d 0x73726576
    0x684bdc: 0x2c6e6f69 0x74746573 0x6f656d69 0x79616466
    0x684bec: 0x6363612c 0x5f737365 0x696c6f70 0x612c7963
    0x684bfc: 0x6262622c 0x62626262 0x62626262 0x62626262
    0x684c0c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c1c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c2c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c3c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c4c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c5c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c6c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c7c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c8c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684c9c: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684cac: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684cbc: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684ccc: 0x62626262 0x62626262 0x62626262 0x62626262
    0x684cdc: 0x0a0d2262 0x00000000 0x00000000 0x00000000
    0x684cec: 0x00000000 0x00000000 0x00000000 0x00000000
    0x684cfc: 0x00000000 0x00000000 0x00000401 0x00000000
    0x684d0c: 0x00000000 0x00000000 0x00000000 0x00000000
    0x684d1c: 0x00000000 0x756e694c 0x00000078 0x00000000

How did you overflow it, then?

marcinguy (2016-02-11 10:38):
I think I know how: via readvar sys_var_list, having first set long variable names or long values. That seems to do the job.

marcinguy (2016-02-11 07:22):
I checked the ntpd code and found out that it doesn't support fragmented control messages:

ntpd/ntp_control.c, line 697:

    /*
     * If the length is less than required for the header, or
     * it is a response or a fragment, ignore this.
     */
    if (rbufp->recv_length < CTL_HEADER_LEN
        || pkt->r_m_e_op & (CTL_RESPONSE|CTL_MORE|CTL_ERROR)
        || pkt->offset != 0) {
        DPRINTF(1, ("invalid format in control packet\n"));
        if (rbufp->recv_length < CTL_HEADER_LEN)
            numctltooshort++;
        if (pkt->r_m_e_op & CTL_RESPONSE)
            numctlinputresp++;
        if (pkt->r_m_e_op & CTL_MORE)
            numctlinputfrag++;
        if (pkt->r_m_e_op & CTL_ERROR)
            numctlinputerr++;
        if (pkt->offset != 0)
            numctlbadoffset++;
        return;
    }

My question is, how did you manage to set the variable to be big enough? I guess with more than one packet, since I tried one with the maximum value that a single packet can fit and it isn't enough to overflow the buffer.

Anonymous (2015-01-19):
[Three comments removed by the author.]

chaitanya (2015-01-08 21:16):
I am a bit new to the NTP concept and I have done several readings, but I am not able to understand how this is going to affect an NTP client. Please let me know. Thanks in advance.

Anonymous (2015-01-08 12:46):
The ntpd daemon runs as a peer (both client and server, with the query types allowed defined by the configuration).

chaitanya (2015-01-07 21:08):
Is this attack on the NTP server or the NTP client? Please let me know.
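The two things the thread turns on, hand-building a mode 6 control request instead of going through ntpq, and the receive-side header check that marcinguy quotes from ntp_control.c, as an added example in C. This is not code from the Project Zero post or from ntpd: the header layout and the R/E/M bit values follow RFC 1305 Appendix B; the value 8 for the ':config' opcode is an assumption recalled from ntp_control.h, and the final count-versus-length check in ctl_check_request() is my own addition, not part of the quoted snippet.

```c
/*
 * Added example, not code from the Project Zero post or from ntpd itself:
 * build an NTP mode 6 (control) request by hand, the way marcinguy ended up
 * doing instead of using ntpq, and run the same header check that the
 * ntp_control.c snippet quoted in the thread applies on receipt.
 *
 * Header layout and the R/E/M bit values follow RFC 1305 Appendix B.
 * CTL_OP_CONFIGURE = 8 is recalled from ntp_control.h (assumption); the
 * count-vs-length check at the end of ctl_check_request() is my own
 * addition and is not part of the quoted snippet.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTL_HEADER_LEN   12    /* li_vn_mode, r_m_e_op, sequence, status, associd, offset, count */
#define CTL_RESPONSE     0x80  /* R bit: this packet is a response */
#define CTL_ERROR        0x40  /* E bit: error response */
#define CTL_MORE         0x20  /* M bit: more fragments follow */
#define CTL_OP_MASK      0x1f  /* low five bits carry the opcode */
#define CTL_OP_READVAR   2     /* ntpq "rv" / "readvar" */
#define CTL_OP_CONFIGURE 8     /* ntpq ":config" (assumption, see above) */
#define NTP_MODE_CONTROL 6
#define NTP_VERSION      2     /* value for the version field of the first byte */

enum ctl_verdict {
    CTL_OK = 0,
    CTL_TOO_SHORT,     /* numctltooshort++ in the quoted code */
    CTL_IS_RESPONSE,   /* numctlinputresp++ */
    CTL_IS_FRAGMENT,   /* numctlinputfrag++ */
    CTL_IS_ERROR,      /* numctlinputerr++ */
    CTL_BAD_OFFSET,    /* numctlbadoffset++ */
    CTL_BAD_COUNT      /* my addition: count claims more data than arrived */
};

/* All 16-bit header fields are big-endian on the wire. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Encode one unfragmented request (R=E=M=0, offset=0) carrying dlen bytes of
 * payload.  Returns the total packet length, or 0 if it does not fit in buf:
 * there is no second packet to continue into, because ntpd drops fragments.
 */
size_t ctl_build_request(uint8_t *buf, size_t buflen, uint8_t opcode,
                         uint16_t seq, uint16_t associd,
                         const void *data, size_t dlen)
{
    if (buflen < CTL_HEADER_LEN || dlen > buflen - CTL_HEADER_LEN || dlen > 0xffff)
        return 0;
    buf[0] = (uint8_t)((NTP_VERSION << 3) | NTP_MODE_CONTROL); /* LI=0, VN, mode 6 */
    buf[1] = (uint8_t)(opcode & CTL_OP_MASK);                   /* plain request */
    put16(buf + 2, seq);
    put16(buf + 4, 0);                /* status: unused in requests */
    put16(buf + 6, associd);          /* 0 = system variables, not a peer */
    put16(buf + 8, 0);                /* offset: anything else is rejected */
    put16(buf + 10, (uint16_t)dlen);  /* count: bytes of data that follow */
    memcpy(buf + CTL_HEADER_LEN, data, dlen);
    return CTL_HEADER_LEN + dlen;
}

/* The receive-side test from ntp_control.c, returning the first reason to drop. */
enum ctl_verdict ctl_check_request(const uint8_t *pkt, size_t len)
{
    if (len < CTL_HEADER_LEN)      return CTL_TOO_SHORT;
    if (pkt[1] & CTL_RESPONSE)     return CTL_IS_RESPONSE;
    if (pkt[1] & CTL_MORE)         return CTL_IS_FRAGMENT;
    if (pkt[1] & CTL_ERROR)        return CTL_IS_ERROR;
    if (get16(pkt + 8) != 0)       return CTL_BAD_OFFSET;
    if (get16(pkt + 10) > len - CTL_HEADER_LEN) return CTL_BAD_COUNT;
    return CTL_OK;
}

/* Payload length a request that passed ctl_check_request() delivers to ntpd. */
size_t ctl_data_len(const uint8_t *pkt) { return get16(pkt + 10); }

int main(void)
{
    uint8_t pkt[512];
    static const char readvar[] = "sys_var_list";   /* ntpq: rv 0 sys_var_list */
    size_t n = ctl_build_request(pkt, sizeof pkt, CTL_OP_READVAR, 1, 0,
                                 readvar, sizeof readvar - 1);

    printf("readvar request, %zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf("%s%02x", (i % 16) ? " " : "\n  ", pkt[i]);
    printf("\nverdict: %d (0 = accepted), data length %zu\n",
           ctl_check_request(pkt, n), ctl_data_len(pkt));

    /* What a client-side "fragment" would look like: M bit set, offset 12. */
    pkt[1] |= CTL_MORE;
    put16(pkt + 8, 12);
    printf("with CTL_MORE set: verdict %d\n", ctl_check_request(pkt, n));

    /* A ':config setvar' line longer than one packet can carry cannot be
       split across packets either: the builder refuses instead. */
    char longline[600];
    memset(longline, 'b', sizeof longline);
    n = ctl_build_request(pkt, sizeof pkt, CTL_OP_CONFIGURE, 2, 0, longline, sizeof longline);
    printf("600-byte config line into a 512-byte packet: %zu (0 = does not fit)\n", n);
    return 0;
}
```

Pointing the bytes that ctl_build_request() produces at a UDP socket on port 123 is all ntpq does beyond this (plus authentication for ':config'); the point of the example is that the per-packet limit marcinguy ran into is structural, since the M bit and offset fields that would allow a multi-packet request are exactly what the quoted check rejects.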