Stephen Roettger, Neel Mehta

The attacker wants to take control over the victim's computer.

The victim is running NTPD. The NTPD service is used for time synchronization. There is a buffer overflow vulnerability in the code that reads and outputs variables on NTPD. By default, the service only permits requests from the local computer, and requires a key to issue commands such as setting configuration variables. The attacker needs to know the key and also be able to send packets from a local IP address for the commands to be accepted by NTPD.

The attacker first sends packets to the victim claiming they come from the same computer using IPv6 local address. Most Operating Systems prevent spoofing of the IPv4 local loopback address in incoming packets, but the IPv6 local address isn't blocked. The attacker also needs to find the key to be able to send configuration commands to exploit the buffer overflow. To do so, the attacker calculates by brute-force the 31 bits PRNG seed from a value sent by the NTPD service when asking for the time, which is possible because the key is calculated from the same random seed. Once the attacker has the right seed, he uses it to calculate the key, and send a packet impersonating the local machine which allows it to exploit the buffer overflow.
About In Security Bugs Gallery you will find drawings of different stories inspired by software security vulnerabilities.
Creative Commons License