During a recent vulnerability assessment for a customer, I ran across an interesting web server while enumerating network-enabled devices. Navigating to the web server presented the management interface for a Meinberg NTP Time Server. This particular hardware appliance was used to provide an accurate time source for time-sensitive applications and hardware components while disconnected from the internet. Given its function, the device had network connectivity to almost every other device on the network, making it an ideal target. Visiting the default web page redirects the user to a standard login page that is produced by a binary located in cgi-bin. This binary appears to be responsible for processing all incoming web requests and producing their subsequent responses. With this in mind, I decided to SSH into the device and pull down the CGI binary for a closer look.

Opening the “main” CGI application up in IDA Pro confirmed my suspicions that the binary was essentially a custom web server, processing each request and manually constructing responses and HTML pages. As is my usual tendency when approaching custom applications, I began searching for the functions responsible for parsing the incoming request parameters. Once I located the parsing function, I found code that could potentially be vulnerable to a buffer overflow. Pseudo-code for the vulnerable code is listed below.