[ntp:security] reproducing mode 7 ping pong

Dave Hart davehart at gmail.com
Mon Oct 12 16:33:38 UTC 2009

Last night when Harlan was looking for an exploit script for bug
1331's mode 7 response ping-pong between two servers I made a tiny
patch to ntpd to have it exploit itself and another ntpd on command.
If you want to see the storm yourself I can provide the patch.  It
hijacks the processing of ntpdc -c addtrap (which requires
authentication) and sends a mode 7 response to port 123 of the
requesting address instead of whatever port ntpdc used.  With that
patch running on psp-fb2, I ran:

ntpdc -c "addtrap" psp-fb2

on psp-fb1, provided the correct keyid and password, and watched ntpdc
time out waiting for the response that would never come.  Here's a
snippet of syslog entries from the time of my test:

Oct 12 07:36:33 psp-fb1 ntpd[19361]: process_private: INFO_ERR_FMT:
test 1 failed, pkt from
Oct 12 07:37:04 psp-fb1 last message repeated 92288 times
Oct 12 07:38:17 psp-fb1 last message repeated 219710 times

Dave Hart
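Added example, not Dave's patch or any ntpd code: a simplified Python model of the loop described above, in which a mode 7 response delivered to port 123 of another server is answered with an INFO_ERR_FMT error response, which is itself answered, and so on. The 8-byte header layout and the numeric error code are assumptions of this model; the hardened handler shows the check that stops the exchange (never answer a packet whose response bit is set).

```python
import struct

MODE_PRIVATE = 7
RESP_BIT = 0x80      # first header byte: R bit marks a response, not a request
INFO_ERR_FMT = 3     # assumed numeric code for the INFO_ERR_FMT error reply


def build_mode7(response, err=0, req_code=0, version=2, seq=0, impl=0):
    """Build a minimal 8-byte mode 7 header (simplified model: no data, no MAC)."""
    b0 = (RESP_BIT if response else 0) | (version << 3) | MODE_PRIVATE
    err_count = (err & 0x0F) << 12          # 4-bit err field, 12-bit item count = 0
    mbz_size = 0                            # 4 must-be-zero bits, 12-bit item size = 0
    return struct.pack("!BBBBHH", b0, seq & 0x7F, impl, req_code, err_count, mbz_size)


def parse_mode7(pkt):
    """Decode the fields of a mode 7 header that the handler below needs."""
    b0, _b1, _impl, req_code, err_count, _mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & RESP_BIT),
        "mode": b0 & 0x07,
        "req_code": req_code,
        "err": err_count >> 12,
    }


def handle_mode7(pkt, ignore_responses):
    """Return the packet a server sends back for pkt, or None to stay silent.

    ignore_responses=False models the behaviour in the post: a packet that
    fails the format check because its R bit is set is answered with an
    INFO_ERR_FMT error response, sent back to the source port (123 here).
    ignore_responses=True is the hardened behaviour: a response is never
    answered, so two servers cannot bounce errors at each other.
    """
    hdr = parse_mode7(pkt)
    if hdr["mode"] != MODE_PRIVATE:
        return None
    if hdr["response"]:
        if ignore_responses:
            return None
        return build_mode7(response=True, err=INFO_ERR_FMT, req_code=hdr["req_code"])
    return None   # a genuine request would be dispatched here; out of scope


def simulate_ping_pong(first_pkt, ignore_responses, max_rounds=1000):
    """Bounce a packet between two servers; return how many replies were sent."""
    rounds, pkt = 0, first_pkt
    while rounds < max_rounds:
        pkt = handle_mode7(pkt, ignore_responses)   # receiver answers the sender
        if pkt is None:
            break
        rounds += 1
    return rounds
```

With `ignore_responses=False` the simulation only stops at `max_rounds`, mirroring the "last message repeated" counters in the syslog snippet; with `ignore_responses=True` the injected response is dropped and nothing is sent.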
