[ntp:security] Authorized (not nopeer) IPs can create server associations with certain query

Matt Nordhoff mnordhoff at mn0.us
Mon Dec 4 15:29:51 UTC 2017


Hi again,

Do you have any news on this?

If so, will you share it? I'm terribly curious what the bug actually is. :-P

On Sun, Nov 12, 2017 at 9:23 PM, Harlan Stenn <stenn at nwtime.org> wrote:
> Hi Matt,
>
> NTPsec doesn’t communicate with us.
>
> Thanks for contacting us. We’ll dig.
>
> Sent from my iPhone
>
>> On Nov 12, 2017, at 2:56 AM, Matt Nordhoff <mnordhoff at mn0.us> wrote:
>>
>> Hi,
>>
>> To be honest, I first noticed this issue on a Pool server running
>> NTPsec. (I'm sorry.) I have since reproduced it -- partly -- on NTP
>> 4.2.8p10 by replaying a packet.
>>
>> I first emailed security at ntpsec.org 2017-10-24. I first sent them
>> pcaps 2017-11-08. I don't know if they have contacted you. They
>> haven't given me notable information at this time.
>>
>> I have a stratum 2 server running Ubuntu 16.04 and NTP 4.2.8p10.
>>
>> Certain weird packets from certain clients can cause ntpd to create
>> some sort of preemptable server association.
>>
>> I'm not sure what's happening. Maybe something weird with manycast
>> mode, i don't know. I'm not certain it's exploitable, but i think it
>> is.
>>
>> (I wonder if restrict notrust would help?)
>>
>> In NTP, restrict nopeer apparently usually stops anything from
>> happening: I've only successfully caused associations to be created
>> with "client" IPs that are currently or previously configured servers
>> and already whitelisted by restrict source.
>>
>> (In NTPsec, any IP can do it!)
>>
>> If the server has loose restricts, or an attacker can spoof their
>> source IP and knows what servers you're using, it can presumably be
>> exploited, but it would obviously be harder.
>>
>> Notably, a client can create multiple associations.
>>
>> As an example, i believe a single Pool server -- especially one a
>> running a customized NTP server -- could create numerous associations
>> and obtain undue influence overs its clients' clocks.
>>
>> In some cases the packets seem to trigger ntpd's 0 origin checks, but
>> other times they seem to work. (Unconfirmed speculation: Maybe the
>> packet creates 1 association, but also causes 1 packet from another
>> existing association for the same IP to be rejected.)
>>
>> In the real world, my Pool server in the Brazil zone gets this traffic
>> from a number of seemingly ordinary clients. (Reverse DNS looks like
>> random consumer ISP addresses.) They use ephemeral ports that aren't
>> running actual NTP servers, so the association is totally unusable and
>> is eventually removed. (Again, only NTPsec or [presumably] NTP with
>> "restrict default" without "nopeer" create associations at all.)
>>
>> pcap of a single packet from a Brazilian client:
>>
>> <https://mn0.us/71WFPp6JPy43QEdDEAqihb1/ntp7_2017-11-12_03:00:22_186.233.180.198_ntp.pcap>
>> (130 bytes)
>>
>> $ tcpdump -nttttvxr ntp7_2017-11-12_03:00:22_186.233.180.198_ntp.pcap
>> reading from file ntp7_2017-11-12_03:00:22_186.233.180.198_ntp.pcap,
>> link-type EN10MB (Ethernet)
>> 2017-11-12 03:00:22.676707 IP (tos 0x0, ttl 113, id 2423, offset 0,
>> flags [none], proto UDP (17), length 76)
>>    186.233.180.198.64094 > 45.33.103.94.123: NTPv1, length 48
>>        Server, Leap indicator:  (0), Stratum 3 (secondary reference),
>> poll 3 (8s), precision -23
>>        Root Delay: 0.360198, Root dispersion: 0.099517, Reference-ID:
>> 54.206.109.187
>>          Reference Timestamp:  3719442935.600897507 (2017/11/12 02:35:35)
>>          Originator Timestamp: 0.000000000
>>          Receive Timestamp:    3719444422.526398753 (2017/11/12 03:00:22)
>>          Transmit Timestamp:   3719444422.526416904 (2017/11/12 03:00:22)
>>            Originator - Receive Timestamp:  3719444422.526398753
>> (2017/11/12 03:00:22)
>>            Originator - Transmit Timestamp: 3719444422.526416904
>> (2017/11/12 03:00:22)
>>        0x0000:  4500 004c 0977 0000 7111 3bfb bae9 b4c6
>>        0x0010:  2d21 675e fa5e 007b 0038 355a 0c03 03e9
>>        0x0020:  0000 5c36 0000 197a 36ce 6dbb ddb2 31f7
>>        0x0030:  99d4 6b48 0000 0000 0000 0000 ddb2 37c6
>>        0x0040:  86c2 1199 ddb2 37c6 86c3 421c
>>
>> ntp.conf (with comments modified):
>>
>> <https://mn0.us/DXGMaQRVotwGnZwzXZE6p5x/ntp.conf> (3 KiB)
>>
>> Stuff from my NTP server after using Scapy to send it a number of
>> packets with that payload:
>>
>> mnordhoff at clover:~$ date && ntpq -c lpeers
>> Sun Nov 12 10:32:13 UTC 2017
>>     remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>> ntp-pool        .POOL.          16 p    -   64    0    0.000    0.000   0.000
>> time.nist.gov   .POOL.          16 p    -   64    0    0.000    0.000   0.000
>> ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
>> 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
>> +six0.ntp3.mattn 128.59.0.245     2 u  849 1024  377   18.578   -0.515   0.477
>> #2604:a880:400:d 130.183.99.210   3 u  437 1024  377   41.530   -0.126   0.329
>> six1.ntp5.mattn .STEP.          16 u    - 1024    0    0.000    0.000   0.000
>> +ec2-54-243-186- 45.79.187.10     3 u   76 1024  377   31.163   -0.455   0.443
>> #six0.ntp7.mattn 35.73.197.144    2 u 113m 1024  300   18.627    0.142   0.068
>> #2600:1f16:ec6:e 209.51.161.238   2 u 1025 1024  377   34.927   -0.010   0.224
>> -tick.uh.edu     .GPS.            1 u 1037 1024  347   10.325   -1.544   0.432
>> *clock.fmt.he.ne .CDMA.           1 u  552 1024  377   37.490   -0.300   0.279
>> #bedast01.beaust 129.7.1.66       2 u  345 1024  377    1.343    1.487   1.195
>> +awesome.bytesta 216.218.254.202  2 u  265 1024  377    1.317   -0.439   0.370
>> #ntp.jtsage.com  127.67.113.92 2 u  862 1024  377    1.068    0.012   0.375
>> #dev.smatwebdesi 192.168.204.60   3 u  175 1024  377    1.251    0.766   0.958
>> #serenity.melanc 129.7.1.66       2 u  732 1024  377    0.332    0.360   0.440
>> #ntp.quintex.com .CDMA.           1 u  436 1024  377   39.356    0.112   0.507
>> +six0.ntp7.mattn 35.73.197.144    2 u  184 1024  377   18.603   -0.390   0.345
>> +six0.ntp7.mattn 35.73.197.144    2 u  210 1024  377   21.952   -0.190   0.237
>> #four0.jane.matt 35.73.197.144    2 u   39   64  177   21.861   -0.270   0.292
>>
>> (The last 3 associations were created by Scapy.)
>>
>> mnordhoff at clover:~$ date && ntpq -c "rv &9"
>> Sun Nov 12 10:32:59 UTC 2017
>> associd=59303 status=951a conf, reach, sel_backup, 1 event, sys_peer,
>> srcadr=six0.ntp7.mattnordhoff.net, srcport=123,
>> dstadr=2600:3c00:e000:15a::, dstport=123, leap=00, stratum=2,
>> precision=-22, rootdelay=1.434, rootdisp=21.133, refid=35.73.197.144,
>> reftime=ddb28603.2721672c  Sun, Nov 12 2017  8:34:11.152,
>> rec=ddb2874b.b2db92da  Sun, Nov 12 2017  8:39:39.698, reach=300,
>> unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
>> keyid=0, offset=0.142, delay=18.627, dispersion=19.100, jitter=0.068,
>> xleave=0.170,
>> filtdelay=    18.77   18.63   18.71   18.61   18.58   18.78   18.70   18.64,
>> filtoffset=    0.07    0.14    0.07    0.07    0.06    0.23    0.15    0.09,
>> filtdisp=      0.00   15.74   31.43   47.25   62.73   78.21   94.31  110.36
>> mnordhoff at clover:~$ date && ntpq -c "rv &19"
>> Sun Nov 12 10:33:08 UTC 2017
>> associd=59325 status=1314 reach, sel_outlier, 1 event, reachable,
>> srcadr=six0.ntp7.mattnordhoff.net, srcport=123,
>> dstadr=2600:3c00:e000:15a::, dstport=123, leap=00, stratum=2,
>> precision=-22, rootdelay=1.312, rootdisp=39.841, refid=35.73.197.144,
>> reftime=ddb29aa8.271ad31b  Sun, Nov 12 2017 10:02:16.152,
>> rec=ddb2a0f5.b2cd5cb2  Sun, Nov 12 2017 10:29:09.698, reach=377,
>> unreach=1, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
>> keyid=0, offset=-0.390, delay=18.603, dispersion=19.365, jitter=0.345,
>> xleave=0.174,
>> filtdelay=    18.65   18.60   18.70   18.70   18.59   18.59   18.78   18.72,
>> filtoffset=   -0.29   -0.39   -0.40   -0.08   -0.01   -0.03    0.09    0.08,
>> filtdisp=      0.00   16.22   31.73   47.55   63.08   78.90   94.83   95.84
>> mnordhoff at clover:~$ date && ntpq -c "rv &20"
>> Sun Nov 12 10:33:21 UTC 2017
>> associd=59326 status=1314 reach, sel_outlier, 1 event, reachable,
>> srcadr=six0.ntp7.mattnordhoff.net, srcport=123, dstadr=2600:3c00::2:b401,
>> dstport=123, leap=00, stratum=2, precision=-22, rootdelay=1.312,
>> rootdisp=39.444, refid=35.73.197.144,
>> reftime=ddb29aa8.271ad31b  Sun, Nov 12 2017 10:02:16.152,
>> rec=ddb2a0db.b3a3de58  Sun, Nov 12 2017 10:28:43.701, reach=377,
>> unreach=1, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
>> keyid=0, offset=-0.190, delay=21.952, dispersion=15.056, jitter=0.237,
>> xleave=0.120,
>> filtdelay=    21.95   22.05   21.95   21.92   21.94   21.88   22.04   21.97,
>> filtoffset=   -0.19   -0.38   -0.33    0.04    0.10    0.01    0.12    0.06,
>> filtdisp=      0.00   15.62   30.98   47.24   63.42   78.98   94.52   95.52
>> mnordhoff at clover:~$ date && ntpq -c "rv &21"
>> Sun Nov 12 10:33:22 UTC 2017
>> associd=59327 status=1514 reach, sel_backup, 1 event, reachable,
>> srcadr=four0.jane.mattnordhoff.net, srcport=123, dstadr=45.79.1.70,
>> dstport=123, leap=00, stratum=2, precision=-22, rootdelay=1.312,
>> rootdisp=34.927, refid=35.73.197.144,
>> reftime=ddb29aa8.271ad31b  Sun, Nov 12 2017 10:02:16.152,
>> rec=ddb2a186.87cee83c  Sun, Nov 12 2017 10:31:34.530, reach=177,
>> unreach=7, hmode=3, pmode=4, hpoll=10, ppoll=6, headway=0,
>> flash=01 pkt_dup, keyid=0, offset=-0.270, delay=21.861,
>> dispersion=77.059, jitter=0.292, xleave=0.139,
>> filtdelay=    21.86   21.92   21.84   21.82   21.88   21.94   21.82    0.00,
>> filtoffset=   -0.27   -0.38   -0.23    0.08    0.05    0.11    0.09    0.00,
>> filtdisp=      0.00   15.92   32.18   48.24   64.22   65.19   66.20 16000.0
>>
>> NTP's syslog messages:
>>
>> Nov 12 07:55:54 clover ntpd[4737]: 45.33.103.94 local addr 45.79.1.70 -> <null>
>> Nov 12 08:00:14 clover ntpd[4737]: 45.33.103.94 local addr 45.79.1.70 -> <null>
>> Nov 12 08:10:48 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00::2:b401 -> 2600:3c00:e000:15a::
>> Nov 12 08:11:31 clover ntpd[4737]: 45.33.103.94 local addr 45.79.1.70 -> <null>
>> Nov 12 08:19:45 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00:e000:15a:: -> <null>
>> Nov 12 08:37:57 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00::2:b401 -> 2600:3c00:e000:15a::
>> Nov 12 08:38:02 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00::2:b401 -> 2600:3c00:e000:15a::
>> Nov 12 08:38:07 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00::2:b401 -> 2600:3c00:e000:15a::
>> Nov 12 08:41:28 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00::2:b401 -> 2600:3c00:e000:15a::
>> Nov 12 08:41:29 clover ntpd[4737]: receive: Drop 0 origin timestamp
>> from server at 2600:3c02::13:5230 xmt 0xddb237c6.86c3421c
>> Nov 12 08:41:30 clover ntpd[4737]: receive: Drop 0 origin timestamp
>> from server at 2600:3c02::13:5230 xmt 0xddb237c6.86c3421c
>> Nov 12 08:47:05 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00:e000:15a:: -> <null>
>> Nov 12 08:47:47 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00:e000:15a:: -> <null>
>> Nov 12 08:47:50 clover ntpd[4737]: 2600:3c02::13:5230 local addr
>> 2600:3c00:e000:15a:: -> <null>
>> Nov 12 08:49:11 clover ntpd[4737]: receive: Drop 0 origin timestamp
>> from server at 2600:3c02::13:5230 xmt 0xddb237c6.86c3421c
>> Nov 12 08:57:27 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb28b77.ae070b4f does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb28b77.b06f9d59
>> Nov 12 09:10:10 clover ntpd[4737]: receive: Drop 0 origin timestamp
>> from server at 2600:3c02::13:5230 xmt 0xddb237c6.86c3421c
>> Nov 12 09:14:48 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb28f88.ae02ddad does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb28f88.b074ed27
>> Nov 12 09:32:42 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb293ba.ae02ed68 does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb293ba.b079bf05
>> Nov 12 09:50:16 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb297d8.ae02452d does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb297d8.b058211b
>> Nov 12 10:07:53 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb29bf9.ae08e00f does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb29bf9.b05331aa
>> Nov 12 10:25:32 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb2a01c.ae02b238 does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb2a01c.b05f2c19
>> Nov 12 10:29:50 clover ntpd[4737]: 45.33.103.94 local addr 45.79.1.70 -> <null>
>> Nov 12 10:31:34 clover ntpd[4737]: receive: Drop 0 origin timestamp
>> from server at 45.33.103.94 xmt 0xddb237c6.86c3421c
>> Nov 12 10:42:54 clover ntpd[4737]: receive: Unexpected origin
>> timestamp 0xddb2a42e.ae0295d4 does not match aorg 0000000000.00000000
>> from server at 2600:3c02::13:5230 xmt 0xddb2a42e.b05ac12c
>>
>> pcaps I've sent NTPsec:
>>
>> <https://mn0.us/g82RmQ8uVbWFpEGoywoJdk/ntp7_2017-11-08_09:35_143.137.65.13_ntp.pcap>
>> (9 KiB)
>>
>> <https://mn0.us/L4Hpt2fbGtnGYr1GnKLY7cj/ntp7_2017-11-08_10_187.1.57.195_ntp.pcap>
>> (66 KiB)
>>
>> <https://mn0.us/rD9DouTTX97LidW49gHvFdf/ntp7_2017-11-08_15_200.199.238.226_ntp.pcap>
>> (1 KiB)
>>
>> Some of them include traffic from my NTPsec ntpd, and the first one
>> may be incomplete because I ran out of disk space for a few minutes.
>> (That was fun.)
>>
>> Cheers :-/
-- 
Matt Nordhoff


More information about the security mailing list