Talos Vulnerability Report


Network Time Protocol ntpq Buffer Overflow Vulnerability

January 19, 2016
CVE Number


CERT VU#357792


ntpq contains a buffer overflow. nextvar() executes a memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes.

Tested Versions

ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92

Product URLs

(http://www.ntp.org)[http://www.ntp.org] (http://www.ntpsec.org/)[http://www.ntpsec.org/]

CVSS Score

CVSSv2: 3.7 - AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSSv3: 5.6 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L


This can be exploited by the following call to the addvar command in ntpq:

	ntpq -c "addvar iiii<500 more i's>"

The argument will be truncated to 503 bytes, but name is only 256 bytes. As long as no spaces, commas, equal signs or carriage returns are in the argument, the entire 503 bytes will be memcpy()’d in to name. There are several other functions that call nextvar() which could be used for the same type of exploit.

For the purpose of reproducing this, the system’s buffer overflow protection scheme (e.g. fortify source) could affect whether an actual error is seen.

This could be exploited by a malicious user in a context wherein ntpq is run by another script that reads variable names from an untrusted source such as a user or environment variable.


Jonathan Gardner