admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-14 06:33:24 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a4e11c2f2fd7c9f4c357b525eeeb6ee00a8df3aa
nuclei-templates/javascript/cves/2019/CVE-2019-6443.yaml
ghost bac0dcc8cd chore: sign templates 🤖
2025-12-17 05:44:08 +00:00

70 lines
2.3 KiB
YAML
Raw Blame History

id: CVE-2019-6443
info:
name: NTPsec > 1.1.3 - 'ctl_getitem' Out-of-Bounds Read
author: pussycat0x,0x_Akoko
severity: critical
description: |
NTPsec before 1.1.3 contains a stack-based buffer over-read caused by a bug in ctl_getitem in read_sysvars in ntp_control.c in ntpd, letting local or remote attackers read sensitive memory, exploit requires sending crafted control requests.
impact: |
Attackers can read sensitive memory contents, potentially leading to information disclosure or further exploitation.
remediation: |
Update to version 1.1.3 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-6443
- https://www.exploit-db.com/exploits/46175
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
cvss-score: 9.1
cve-id: CVE-2019-6443
cwe-id: CWE-125
epss-score: 0.31557
epss-percentile: 0.9661
cpe: cpe:2.3:a:ntpsec:ntpsec:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: ntpsec
product: ntpsec
shodan-query: "ntpsec"
tags: cve,cve2019,ntp,ntpsec,udp,passive,vkev
javascript:
- pre-condition: |
isUDPPortOpen(Host, Port);
code: |
const c = require("nuclei/net");
const payload = "160203e80000000000000000";
const conn = c.Open('udp', `${Host}:${Port}`);
conn.SendHex(payload);
let resp = conn.RecvFullString(1024);
const versionMatch = resp.match(/version="([^"]+)"/);
let version = resp;
if (versionMatch && versionMatch[1]) {
let versionStr = versionMatch[1];
if (versionStr.indexOf('+') !== -1) {
version = versionStr.split('+')[0].trim();
} else {
version = versionStr.replace(/\s+\d{4}-\d{2}-\d{2}.*$/, '').trim();
}
}
Export(version);
args:
Host: "{{Host}}"
Port: 123
matchers:
- type: dsl
dsl:
- contains(response, "ntpsec")
- compare_versions(version, '< 1.1.3')
condition: and
extractors:
- type: regex
name: version
group: 1
regex:
- 'ntpd ntpsec-([0-9.]+)'
# digest: 490a004630440220231d3d4ca7e39a82e8c396c1d6c94bb7dc048a24f98e0c58338fa96a35ff03450220140f15ca3c83efdd543a1ed73b3d3ba89f79186c9682f84124055c8f359a6aeb:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink