Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add modules for more NTP amplification attacks -- R7-2014-12 #3696

merged 12 commits into from Aug 25, 2014


None yet
2 participants
Copy link

commented Aug 25, 2014

As described in:

The changes here can be summarized as:

  • Add a new mixin for detecting/proving traffic amplification flaws (with unit tests)
  • Add modules covering 5 of the 6 vulnerabilities described above
  • Update ntp_monlist to utilize UDPScanner and various NTP/etc improvements, aligning the auxiliary/scanner/ntp/ modules more


In general, any system that is vulnerable to CVE-2013-5211 (MON_GETLIST_1) is likely also vulnerable to all of these, however to the best of my knowledge only variants are actually vulnerable. I have tested this against NTP versions as old as 4.2.2 and as new as 4.2.7p465 released 08/23/2014, and in all instances I tested properly secured systems (disable querying, disable mode 7) as well as improperly secured systems.

jhart-r7 added some commits Aug 9, 2014

Initial commit of modules for NTP vulns described in R7-2014-12
Not entirely functional or polished, but mostly working
Gut admin functions from R7-2014-12 NTP modules
None of these are admin modules.  All of that stuff should eventually go
in auxiliary/admin
Only discard monlist replies that are impossibly short
This fixes the case where if a monlist reply only includes one peer

@wvu-r7 wvu-r7 added module labels Aug 25, 2014

@wvu-r7 wvu-r7 self-assigned this Aug 25, 2014

@wvu-r7 wvu-r7 merged commit 9f9f28c into rapid7:master Aug 25, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Aug 25, 2014

Land #3696, pile of NTP DRDoS 0days
Dr. DoS in da house?

This comment has been minimized.

Copy link

commented Aug 25, 2014

Added this PR as a tentative reference and added a disclosure date in 7a76efa.

@jhart-r7 jhart-r7 deleted the jhart-r7:ntp_r7-2014-12 branch Aug 25, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.