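id: CVE-2019-6443

# Nuclei template: version-based detection of CVE-2019-6443 in NTPsec over UDP/123.
# NOTE(review): the trailing "# digest:" line is a signature over the template body;
# it must be regenerated after any edit to this file or the template will fail signature checks.
info:
  # Fixed: the title previously read "> 1.1.3", contradicting the description,
  # the remediation and the "< 1.1.3" matcher below (affected versions are BEFORE 1.1.3).
  name: NTPsec < 1.1.3 - 'ctl_getitem' Out-of-Bounds Read
  author: pussycat0x,0x_Akoko
  severity: critical
  description: |
    NTPsec before 1.1.3 contains a stack-based buffer over-read caused by a bug in ctl_getitem in read_sysvars in ntp_control.c in ntpd, letting local or remote attackers read sensitive memory; exploitation requires sending crafted control requests.
  impact: |
    Attackers can read sensitive memory contents, potentially leading to information disclosure or further exploitation.
  remediation: |
    Update to version 1.1.3 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-6443
    - https://www.exploit-db.com/exploits/46175
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2019-6443
    cwe-id: CWE-125
    epss-score: 0.47167
    epss-percentile: 0.97738
    cpe: cpe:2.3:a:ntpsec:ntpsec:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: ntpsec
    product: ntpsec
    shodan-query: "ntpsec"
  tags: cve,cve2019,ntp,ntpsec,udp,passive,vkev

javascript:
  - pre-condition: |
      isUDPPortOpen(Host, Port);

    # Sends a single NTP mode-6 (control) read-variables request and exports the
    # version string found in the reply. Detection is version-based only: the
    # over-read itself is never triggered.
    code: |
      const c = require("nuclei/net");
      // NTP control packet: 0x16 = LI 0 / VN 2 / mode 6, 0x02 = READVAR opcode,
      // 0x03e8 = sequence number, remaining fields zero (no association, no data).
      const payload = "160203e80000000000000000";
      const conn = c.Open('udp', `${Host}:${Port}`);
      // Default to the raw reply so a reply without a version="..." field still
      // reaches the matchers (they require "ntpsec" to be present anyway).
      let version = "";
      try {
        conn.SendHex(payload);
        const resp = conn.RecvFullString(1024) || "";
        version = resp;
        const versionMatch = resp.match(/version="([^"]+)"/);
        if (versionMatch && versionMatch[1]) {
          const versionStr = versionMatch[1];
          if (versionStr.indexOf('+') !== -1) {
            // Build metadata follows '+'; keep only the release part.
            version = versionStr.split('+')[0].trim();
          } else {
            // Otherwise strip a trailing "YYYY-MM-DD ..." build date.
            version = versionStr.replace(/\s+\d{4}-\d{2}-\d{2}.*$/, '').trim();
          }
        }
      } finally {
        // Always release the UDP socket, even if send/receive throws.
        conn.Close();
      }
      Export(version);

    args:
      Host: "{{Host}}"
      Port: 123

    matchers:
      - type: dsl
        dsl:
          - contains(response, "ntpsec")
          # `version` is group 1 of the extractor regex below.
          - compare_versions(version, '< 1.1.3')
        condition: and

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - 'ntpd ntpsec-([0-9.]+)'
# digest: 4a0a0047304502207f280c770277d9f4629dafc2c9d27673a7aba91f6037ecd91dcdf996f52828fa022100fad740932679179096040dd2743e2909c3a5c3779d75cd25c7e8840d9081240b:922c64590222798bb761d5b6d8e72950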