join
donate

NTP Bug 3382

NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)

  • Date Resolved: 21 Mar 2017
  • References: Sec 3382 / CVE-2017-6459 / VU#325339
  • Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  • CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
  • CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  • Summary: The Windows installer for NTP calls strcpy() with an argument that specifically contains multiple null bytes. strcpy() only copies a single terminating null character into the target buffer instead of copying the required double null bytes in the addKeysToRegistry() function. As a consequence, a garbage registry entry can be created. The additional arsize parameter is erroneously set to contain two null bytes and the following call to RegSetValueEx() claims to be passing in a multi-string value, though this may not be true.
  • Mitigation:
  • Credit: This weakness was discovered by Cure53.


This topic: Main > SecurityNotice > NtpBug3382
Topic revision: r1 - 2017-03-22 - 01:35:54 - HarlanStenn
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback