[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Dave Hart davehart at gmail.com
Fri Oct 9 01:13:50 UTC 2009


On Fri, Oct 9, 2009 at 12:11 AM, Danny Mayer <mayer at ntp.org> wrote:
> Dave Hart wrote:
>> There is no value in responding with INFO_ERR_FMT to requests with
>> incredible versions.  You keep harping on the need for these
>> responses, but you have yet to demonstrate it.  I've looked at the
>> ntpdc code as well as ntp_request.c and I'm convinced responding with
>> INFO_ERR_FMT for version < 1 or > 4 is not going to help
>> interoperability.
>
> This is wrong. In NTP V3 the version number is 3. If you try to
> interrogate a V4 ntpd server with V3 ntpdc you will get this error. Have
> you tried it?

A bit more than you, apparently.  If you log the version number seen
by that < 1 > 4 test, and issue a query with ntpdc, you'll notice the
version number is 2, not 4.  I'm confident without finding an xntpdc
that ntpdc v3 also sent mode 7 queries with version 2 in the header.

Cheers,
Dave Hart
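
An added example, not part of the original message and not ntpd's own code: it decodes the first octet of a mode 7 packet and applies the version < 1 or > 4 test discussed above. The names `m7_hdr`, `m7_check` and the verdict values are hypothetical, and the sample octets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First octet of an NTP mode 7 (private) packet:
 * bit 7 = response, bit 6 = more, bits 5-3 = version, bits 2-0 = mode. */
struct m7_hdr { unsigned response, more, version, mode; };

enum m7_verdict {          /* hypothetical names, not ntpd's */
    M7_NOT_PRIVATE,        /* empty packet or mode != 7 */
    M7_BAD_VERSION,        /* version < 1 or > 4: the case debated in the thread */
    M7_VERSION_OK
};

static struct m7_hdr m7_decode(uint8_t b)
{
    struct m7_hdr h;
    h.response = (b >> 7) & 0x1u;
    h.more     = (b >> 6) & 0x1u;
    h.version  = (b >> 3) & 0x7u;
    h.mode     = b & 0x7u;
    return h;
}

enum m7_verdict m7_check(const uint8_t *pkt, size_t len, struct m7_hdr *out)
{
    struct m7_hdr h;
    if (pkt == NULL || len < 1)
        return M7_NOT_PRIVATE;
    h = m7_decode(pkt[0]);
    if (out != NULL)
        *out = h;
    if (h.mode != 7)
        return M7_NOT_PRIVATE;
    if (h.version < 1 || h.version > 4)
        return M7_BAD_VERSION;
    return M7_VERSION_OK;
}

int main(void)
{
    /* Constructed first octets: versions 2, 3, 4, 0 and 7, all mode 7. */
    static const uint8_t samples[] = { 0x17, 0x1f, 0x27, 0x07, 0x3f };
    struct m7_hdr h;
    for (size_t i = 0; i < sizeof samples; i++) {
        enum m7_verdict v = m7_check(&samples[i], 1, &h);
        printf("0x%02x version=%u mode=%u verdict=%d\n",
               (unsigned)samples[i], h.version, h.mode, (int)v);
    }
    return 0;
}
```

Logging the decoded version next to the verdict is the check the message describes: it shows which version a given client actually puts in its mode 7 header.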

