[ntp:security] reproducing mode 7 ping pong

Dave Hart davehart at gmail.com
Mon Oct 12 16:33:38 UTC 2009


Last night, when Harlan was looking for an exploit script for bug
1331's mode 7 response ping-pong between two servers, I made a tiny
patch to ntpd to have it exploit itself and another ntpd on command.
If you want to see the storm yourself I can provide the patch.  It
hijacks the processing of ntpdc -c addtrap (which requires
authentication) and sends a mode 7 response to port 123 of the
requesting address instead of whatever port ntpdc used.  With that
patch running on psp-fb2, I ran:

ntpdc -c "addtrap 1.1.1.1" psp-fb2

on psp-fb1, provided the correct keyid and password, and watched ntpdc
time out waiting for the response that would never come.  Here's a
snippet of syslog entries from the time of my test:

Oct 12 07:36:33 psp-fb1 ntpd[19361]: process_private: INFO_ERR_FMT:
test 1 failed, pkt from 149.20.54.230
Oct 12 07:37:04 psp-fb1 last message repeated 92288 times
Oct 12 07:38:17 psp-fb1 last message repeated 219710 times

Cheers,
Dave Hart
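The syslog excerpt above is what the storm looks like from the receiving side: one INFO_ERR_FMT line followed by syslog's "last message repeated N times" compression, so the real event count is only visible after expanding those repeat lines. The following is an added example, not code from the post or from the ntp project, showing how a defender can parse that format, expand the repeat counters, and flag a source address whose INFO_ERR_FMT rate indicates a ping-pong rather than an occasional malformed packet. The sample log is constructed from the post's lines (the wrapped message joined onto one line, plus one benign constructed entry from 192.0.2.10); the year and the 100-per-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the syslog excerpt in the post. The wrapped
# INFO_ERR_FMT line is joined onto one line; the 192.0.2.10 entry is invented
# as a benign single occurrence for contrast.
SAMPLE_LOG = """\
Oct 12 07:36:33 psp-fb1 ntpd[19361]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 149.20.54.230
Oct 12 07:37:04 psp-fb1 last message repeated 92288 times
Oct 12 07:38:17 psp-fb1 last message repeated 219710 times
Oct 12 07:40:00 psp-fb1 ntpd[19361]: process_private: INFO_ERR_FMT: test 1 failed, pkt from 192.0.2.10
"""

# Classic syslog layout: "Mon DD HH:MM:SS host message" (day may be space-padded).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ERR_RE = re.compile(r"process_private: INFO_ERR_FMT: .*pkt from (?P<src>\S+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_events(lines, year=2009):
    """Return (timestamp, host, src_ip, count) tuples for INFO_ERR_FMT events.

    Syslog's 'last message repeated N times' carries no source address, so the
    N is attributed to the previous INFO_ERR_FMT line from the same host. Any
    other intervening message from that host clears the attribution, since the
    repeat would then refer to that other message. Syslog omits the year, so
    one is assumed for timestamp parsing.
    """
    last_src = {}   # host -> source IP of the most recent INFO_ERR_FMT line
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        err = ERR_RE.search(msg)
        rep = REPEAT_RE.search(msg)
        if err:
            last_src[host] = err["src"]
            events.append((ts, host, err["src"], 1))
        elif rep:
            if host in last_src:
                events.append((ts, host, last_src[host], int(rep["n"])))
        else:
            last_src.pop(host, None)
    return events


def summarize(events):
    """Aggregate per (host, src): total count, first/last timestamp, rate/sec."""
    stats = {}
    for ts, host, src, n in events:
        s = stats.setdefault((host, src), {"count": 0, "first": ts, "last": ts})
        s["count"] += n
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        # A single event spans zero seconds; clamp to 1 s so the rate is defined.
        s["seconds"] = max(1, int((s["last"] - s["first"]).total_seconds()))
        s["rate"] = s["count"] / s["seconds"]
    return stats


def flag_storms(stats, min_rate=100.0):
    """Return (host, src) pairs whose INFO_ERR_FMT rate exceeds min_rate per second."""
    return sorted(k for k, s in stats.items() if s["rate"] >= min_rate)


if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_LOG.splitlines()))
    for (host, src), s in sorted(stats.items()):
        print(f"{host} <- {src}: {s['count']} events in {s['seconds']} s "
              f"({s['rate']:.0f}/s)")
    print("storm sources:", flag_storms(stats))
```

On the sample, the three lines for 149.20.54.230 expand to 311999 events in 104 seconds, roughly 3000 per second, which is far beyond anything a legitimate ntpdc session produces and is the signature worth alerting on; the single event from 192.0.2.10 stays well under the threshold.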
