Tuesday, October 16, 2012

Pentest Scripts: Verifying NTP Reserved Mode Denial of Service

By Gursev Singh Kalra.

I recently needed to check for the NTP Reserved Mode Denial of Service vulnerability (CVE-2009-3563) without causing the DoS condition on the production server. The issue comes up when one NTP daemon queries another with the mode field set to MODE_PRIVATE (mode 7):



If the target NTP server provides a response, it's vulnerable:



A denial of service condition can arise if an attacker spoofs the IP address of a vulnerable NTP server and sends an NTP query with the MODE_PRIVATE flag set. The two NTP servers then enter a continuous loop, sending MODE_PRIVATE queries back and forth. Metasploit's auxiliary module auxiliary/dos/ntp/ntpd_reserved_dos demonstrates this issue, but it also triggers the condition, so I wrote my own Ruby script to assess the remote server. The script sends a single mode 7 packet from the tester's own address and only checks whether the target answers; nothing is spoofed, so any reply comes back to the tester and no loop is started.
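To make the mechanism concrete, here is an added Ruby example (not part of the original post and not ntpd code) that decodes the first byte of an NTP packet into its response bit, more bit, version and mode, builds the same 8-byte mode 7 probe the script below sends, applies the script's "did the server answer with a mode 7 response" check, and models the reply loop with two constructed toy daemons. The ModelDaemon class, its patched/vulnerable behaviour and the simulate_spoofed_exchange function are assumptions made for illustration only.

```ruby
# Added example: NTP mode 7 (MODE_PRIVATE) header handling and a toy model of
# the reply loop. Nothing here talks to the network; all inputs are constructed.
MODE_PRIVATE = 7

# The first byte of an NTP packet packs: R (response) bit, M (more) bit,
# a 3-bit version number and a 3-bit mode. 0x97 = R=1, M=0, VN=2, mode=7.
def parse_ntp_header(datagram)
  b = datagram.bytes.first
  return nil if b.nil?
  {
    response: ((b >> 7) & 1) == 1,
    more:     ((b >> 6) & 1) == 1,
    version:  (b >> 3) & 0x7,
    mode:     b & 0x7
  }
end

def build_header_byte(response:, more:, version:, mode:)
  ((response ? 1 : 0) << 7) | ((more ? 1 : 0) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
end

# The probe used by the verification script: a mode 7 packet that already
# carries the response bit, followed by padding bytes (constructed value).
def mode7_probe
  header = build_header_byte(response: true, more: false, version: 2, mode: MODE_PRIVATE)
  [header, 0, 0, 0, 0xAA, 0, 0, 0].pack("C*")
end

# The script's decision: a server that answers the probe with another mode 7
# response packet is the behaviour CVE-2009-3563 describes.
def vulnerable_reply?(datagram)
  h = parse_ntp_header(datagram)
  !h.nil? && h[:mode] == MODE_PRIVATE && h[:response]
end

# Toy daemon (assumption, not ntpd): a vulnerable daemon answers every mode 7
# packet with a mode 7 response; a patched daemon ignores mode 7 packets that
# already have the response bit set, which is what breaks the loop.
class ModelDaemon
  attr_reader :name

  def initialize(name, patched:)
    @name = name
    @patched = patched
  end

  def handle(datagram)
    h = parse_ntp_header(datagram)
    return nil unless h && h[:mode] == MODE_PRIVATE
    return nil if @patched && h[:response]
    header = build_header_byte(response: true, more: false, version: h[:version], mode: MODE_PRIVATE)
    [header, 0, 0, 0, 0, 0, 0, 0].pack("C*")
  end
end

# Deliver one probe that appears to come from `second` to `first`, then hand
# every reply to the other daemon. Returns how many replies were generated
# before a daemon stayed silent or max_rounds was hit (the loop case).
def simulate_spoofed_exchange(first, second, probe, max_rounds: 10)
  packet = probe
  receiver, sender = first, second
  replies = 0
  while replies < max_rounds
    reply = receiver.handle(packet)
    break if reply.nil?
    replies += 1
    packet = reply
    receiver, sender = sender, receiver # the reply goes back to the other daemon
  end
  replies
end

if __FILE__ == $0
  puts "probe: #{mode7_probe.unpack1('H*')}"
  puts "header: #{parse_ntp_header(mode7_probe).inspect}"
  a = ModelDaemon.new("a", patched: false)
  b = ModelDaemon.new("b", patched: false)
  puts "two vulnerable daemons: #{simulate_spoofed_exchange(a, b, mode7_probe)} replies (capped)"
  puts "patched target: #{simulate_spoofed_exchange(ModelDaemon.new('c', patched: true), b, mode7_probe)} replies"
end
```

With two unpatched model daemons the exchange only stops at max_rounds, which is the continuous loop described above; as soon as either side drops mode 7 packets that carry the response bit, the exchange ends after at most one reply. The single-probe check in the script relies on exactly that difference: a patched server never answers the probe.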

Download:

#Author: Gursev Singh Kalra
require 'socket'
TIMEOUT = 5

if ARGV.count != 1
  puts "[-] Target host not provided. Usage: ntp.rb <target_host>"
  exit
end

target_server = ARGV[0]
target_port = 123

socket = nil
response = nil

begin
  # Mode 7 (MODE_PRIVATE) packet with the response bit already set:
  # 0x97 = R=1, M=0, version 2, mode 7; the remaining bytes are padding.
  # Binary encoding keeps the later comparison against the reply (an
  # ASCII-8BIT string) from raising Encoding::CompatibilityError on Ruby 1.9+.
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.new
  socket.send(test_string, 0, target_server, target_port)
  # Wait at most TIMEOUT seconds for a reply; a patched server does not answer.
  if IO.select([socket], nil, nil, TIMEOUT)
    response = socket.recvfrom(10)
  end
rescue IOError, SystemCallError => ex
  puts "[-] #{ex}"
ensure
  socket.close if socket
end

# response[0] is the datagram payload; a mode 7 reply starts with the same header bytes.
if response && response[0].index("\x97\x00\x00\x00".b)
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end


Here's what the tool's output looks like:



Great minds...

After I wrote this script I passed it on to a co-worker, Brad Antoniewicz, and to my surprise I discovered that he had already written the same script, but in Python! So we decided to put all of our scripts on GitHub to help avoid any future duplication.

Here are a bunch of pentest scripts that help speed up manual validation of vulnerabilities; you can potentially leverage their output for further testing.

