Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ntp_nak_to_the_future #19749

Merged
merged 3 commits into from
Jan 7, 2025
Merged

Fix ntp_nak_to_the_future #19749

merged 3 commits into from
Jan 7, 2025

Conversation

zeroSteiner
Copy link
Contributor

@zeroSteiner zeroSteiner commented Dec 19, 2024
edited by jheysel-r7
Loading

This fixes the auxiliary/scanner/ntp/ntp_nak_to_the_future module which was broken in commit 5f88971 (landed in #8185). The issue was that when the BinData::Record instance is sent with the socket, the string representation of it was used instead of the packed binary. It should be calling #to_binar_s. This PR fixes the issue and documents how the module can be tested.

This was the only module that used the NTPSymmetric definition and it's been converted to instead use the new NTPHeader definition which adds more natural handing for NTPTimestamp and NTPShort fields. The NTPHeader definition was originally written for #19748 and these two PRs share common commits in their history for the new definition.

Other NTP modules could be broken and have not been tested. NTPSymmetric had the most overlap with the definition needed for timeroast, so that was the only one that was thoroughly reviewed.

Verification

  • Use the Dockerfile included in the module docs to start a vulnerable instance of the application
    • Build it with: docker build -t ntpd:4.2.8p3 .
    • Run it with: docker run --rm -it --name ntp-server -p 123:123/udp ntpd:4.2.8p3
  • Start msfconsole and use the module
  • Set the RHOSTS value as necessary
  • Run the module and see that the target is vulnerable

Demo

metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
[+] 192.168.159.128:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) >

@zeroSteiner zeroSteiner force-pushed the fix/mod/ntp_nak_to_the_future branch from f48e4a0 to 092ca5d Compare December 19, 2024 15:20
@zeroSteiner
Fix the ntp_nak_to_the_future module
cfb7207
@zeroSteiner
Remove the old NTPSymmetric model
a68b9dc 
It is no longer in use by any modules. It has been superseded by
NTPHeader.
@zeroSteiner zeroSteiner force-pushed the fix/mod/ntp_nak_to_the_future branch from 092ca5d to 5385b3d Compare December 20, 2024 13:57
@jheysel-r7 jheysel-r7 self-assigned this Jan 6, 2025
jheysel-r7
jheysel-r7 approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix @zeroSteiner! Everything looks good to me. Ran into a small issue setting up the target but have left suggestion fix. Let me know what you think.

Testing

msf6 > use ntp_nak_to_the_future

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  auxiliary/scanner/ntp/ntp_nak_to_the_future  .                normal  No     NTP "NAK to the Future"


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ntp/ntp_nak_to_the_future

[*] Using auxiliary/scanner/ntp/ntp_nak_to_the_future
msf6 auxiliary(scanner/ntp/ntp_nak_to_the_future) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(scanner/ntp/ntp_nak_to_the_future) > set rport 123
rport => 123
msf6 auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
[+] 127.0.0.1:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

documentation/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb.md Outdated Show resolved Hide resolved
@zeroSteiner zeroSteiner force-pushed the fix/mod/ntp_nak_to_the_future branch from 5385b3d to e5e0657 Compare January 7, 2025 14:14
@zeroSteiner zeroSteiner requested a review from jheysel-r7 January 7, 2025 14:54
@jheysel-r7 jheysel-r7 merged commit f475b9d into rapid7:master Jan 7, 2025
36 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

There was an issue with the ntp_nak_to_the_future module which was caused by when the BinData::Record instance was sent with the socket, the string representation of it was used instead of the packed binary. It should have been calling #to_binar_s. This fixes the issue with the auxiliary/scanner/ntp/ntp_nak_to_the_future module and documents how the module can be tested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jheysel-r7 jheysel-r7 jheysel-r7 approved these changes

Assignees

@jheysel-r7 jheysel-r7

Labels
bug docs module rn-fix release notes fix
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zeroSteiner @jheysel-r7 @smcintyre-r7