Vulnerabilities > CVE-2004-0789

Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet.

Vulnerable Configurations

Part	Description	Count
Application	Delegate Delegate Delegate 8.9.2 Delegate Delegate 8.3.3 Delegate Delegate 8.4.0 Delegate Delegate 7.8.0 Delegate Delegate 8.3.4 Delegate Delegate 8.5.0 Delegate Delegate 7.8.1 Delegate Delegate 8.9.1 Delegate Delegate 7.9.11 Delegate Delegate 7.7.1 Delegate Delegate 7.7.0 Delegate Delegate 8.9.4 Delegate Delegate 8.9.5 Delegate Delegate 8.9 Delegate Delegate 7.8.2 Delegate Delegate 8.9.3	16
Application	Qbik Qbik Wingate 6.0.1_Build_993 Qbik Wingate 6.0 Qbik Wingate 6.0.1_Build_995 Qbik Wingate 4.0.1 Qbik Wingate 3.0 Qbik Wingate 4.1_Beta_A	6
Application	Dnrd Dnrd Dnrd 2.5 Dnrd Dnrd 2.9 Dnrd Dnrd 2.3 Dnrd Dnrd 1.1 Dnrd Dnrd 1.3 Dnrd Dnrd 1.2 Dnrd Dnrd 2.1 Dnrd Dnrd 2.7 Dnrd Dnrd 2.6 Dnrd Dnrd 2.8 Dnrd Dnrd 1.4 Dnrd Dnrd 2.4 Dnrd Dnrd 2.2 Dnrd Dnrd 1.0 Dnrd Dnrd 2.10 Dnrd Dnrd 2.0	16
Application	Posadis Posadis Posadis 0.50.4 Posadis Posadis 0.60.0 Posadis Posadis 0.50.7 Posadis Posadis 0.50.6 Posadis Posadis M5Pre2 Posadis Posadis M5Pre1 Posadis Posadis 0.50.8 Posadis Posadis 0.50.5 Posadis Posadis 0.50.9 Posadis Posadis 0.60.1	10
Application	Maradns Maradns Maradns 0.8.05 Maradns Maradns 0.5.30 Maradns Maradns 0.5.29 Maradns Maradns 0.5.31 Maradns Maradns 0.5.28	5
Application	Don_Moore DON Moore Mydns 0.7 DON Moore Mydns 0.10.0 DON Moore Mydns 0.8 DON Moore Mydns 0.9 DON Moore Mydns 0.6	5
Application	Pliant Pliant Pliant DNS Server *	1
Application	Team_Johnlong Team Johnlong Raidendnsd *	1
Hardware	Axis Axis 2120 Network Camera 2.31 Axis 2120 Network Camera 2.32 Axis 2120 Network Camera 2.34 Axis 2120 Network Camera 2.30 Axis 2120 Network Camera 2.12 Axis 2120 Network Camera 2.41 Axis 2120 Network Camera 2.40 Axis 2110 Network Camera 2.32 Axis 2110 Network Camera 2.41 Axis 2110 Network Camera 2.12 Axis 2110 Network Camera 2.34 Axis 2110 Network Camera 2.30 Axis 2110 Network Camera 2.31 Axis 2110 Network Camera 2.40 Axis 2100 Network Camera 2.12 Axis 2100 Network Camera 2.01 Axis 2100 Network Camera 2.41 Axis 2100 Network Camera 2.03 Axis 2100 Network Camera 2.31 Axis 2100 Network Camera 2.30 Axis 2100 Network Camera 2.33 Axis 2100 Network Camera 2.0 Axis 2100 Network Camera 2.40 Axis 2100 Network Camera 2.32 Axis 2100 Network Camera 2.02 Axis 2100 Network Camera 2.34 Axis 2400 Video Server 3.12 Axis 2400 Video Server 3.11 Axis 2420 Network Camera 2.33 Axis 2420 Network Camera 2.12 Axis 2420 Network Camera 2.30 Axis 2420 Network Camera 2.32 Axis 2420 Network Camera 2.40 Axis 2420 Network Camera 2.41 Axis 2420 Network Camera 2.31 Axis 2420 Network Camera 2.34 Axis 2460 Network DVR 3.12 Axis 2401 Video Server 3.12	38

Nessus

NASL family	DNS
NASL id	DNS_RESPONSE_FLOOD.NASL
description	The remote DNS server is vulnerable to a denial of service attack because it replies to DNS responses. An attacker could exploit this vulnerability by spoofing a DNS packet so that it appears to come from 127.0.0.1 and make the remote DNS server enter into an infinite loop, therefore denying service to legitimate users.
last seen	2020-06-01
modified	2020-06-02
plugin id	15753
published	2004-11-18
reporter	This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15753
title	Multiple Vendor DNS Response Flooding Denial Of Service
code	# # (C) Tenable Network Security, Inc. # # Changes by Tenable: # - Plugin entirely rewritten (2010/05/28) # include("compat.inc"); if(description) { script_id(15753); script_version("1.22"); script_cvs_date("Date: 2018/07/10 14:27:31"); script_cve_id("CVE-2004-0789"); script_bugtraq_id(11642); script_name(english:"Multiple Vendor DNS Response Flooding Denial Of Service"); script_summary(english:"Send a DNS answer to a DNS server"); script_set_attribute(attribute:"synopsis", value: "The remote DNS server is vulnerable to a denial of service attack."); script_set_attribute(attribute:"description", value: "The remote DNS server is vulnerable to a denial of service attack because it replies to DNS responses. An attacker could exploit this vulnerability by spoofing a DNS packet so that it appears to come from 127.0.0.1 and make the remote DNS server enter into an infinite loop, therefore denying service to legitimate users."); script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?a04dcb96"); script_set_attribute(attribute:"solution", value: "Contact the vendor for an appropriate upgrade."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/18"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/11/09"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english: "DNS"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_require_keys("DNS/udp/53"); script_dependencies("dns_server.nasl"); exit(0); } # # The script code starts here # include("dns_func.inc"); include("dump.inc"); if ( islocalhost() ) exit(0, "The target is localhost."); if (! get_kb_item("DNS/udp/53") \|\| ! get_udp_port_state(53) ) exit(0, "UDP port 53 is closed." ); # Request www.google.com req["transaction_id"] = rand() % 65535; req["flags"] = 0x0100; req["q"] = 1; packet = mkdns(dns:req, query:mk_query(txt:dns_str_to_query_txt("www.google.com."), type:0x0010, class:0x0001)); soc = open_sock_udp (53); if (!soc) exit(1, "Could not open a socket to UDP:53"); send(socket:soc, data:packet); r = recv(socket:soc, length:4096); if ( isnull(r) ) { close(soc); exit(1, "The remote DNS server did not reply"); } if ( ( ord(r[2]) & 0x80 ) == 0 ) { close(soc); exit(1, "Unexpected DNS answer."); } # New socket close(soc); soc = open_sock_udp (53); if (!soc) exit(1, "Could not re-open a socket to UDP:53"); # Send the reply again orig_response = r; send(socket:soc, data:r); r = recv(socket:soc, length:4096); close(soc); if ( r && ( ord(r[2]) & 0x80 ) ) { report = '\nNessus sent the following response data :\n\n' + hexdump(ddata:orig_response) + # hexdump() already has a trailing newline '\nAnd the DNS server replied with the following response :\n\n' + hexdump(ddata:r); # hexdump() already has a trailing newline security_warning(port:53, proto:"udp", extra:report); } else exit(0, "The remote DNS server is not vulnerable");

Vulnerabilities > CVE-2004-0789 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2004-0789"}]}

Summary

Vulnerable Configurations

Nessus

References

Vulnerabilities > CVE-2004-0789