SCAN: Core Impact ntpd Control Message Overflow
This signature detects the CORE Impact penetration testing tool using the ntpd control message overflow exploit against your network (this exploit is also detected by the NTP:ERROR:MSG_TOO_LONG anomaly). Because CORE Impact can chain one infected computer to another, other machines in the network might already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, this signature can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.
Extended Description
NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'. On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers. Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host. If successful, the attacker may gain root access on the victim host or may denial NTP service on the affected host.
Affected Products
Cisco sc2200,Apple mac_os_x
Short Name
SCAN:CORE:NTPD-CTRL-MSG-OF
Severity
Info
Recommended
False
Recommended Action
None
Category
SCAN
Keywords
CVE-2001-0414 Control Core Impact Message Overflow bid:2540 ntpd
Release Date
12/14/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
UDP/123
False Positive
Rarely
Vendors
Sun
Hp
Cisco
Apple
Dave_mills
CVSS Score
10.0