ID CHARGEN.NASL Type nessus Reporter This script is Copyright (C) 1999-2020 Mathieu Perrin Modified 1999-11-29T00:00:00
Description
When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
The purpose of this service was mostly to test the TCP/IP protocol
itself, to make sure that all the packets were arriving at their
destination unaltered. It is unused these days, so it is suggested
you disable it, as an attacker may use it to set up an attack against
this host, or against a third-party host using this host as a relay.
An easy attack is 'ping-pong' in which an attacker spoofs a packet between
two machines running chargen. This will cause them to spew characters at
each other, slowing the machines down and saturating the network.
#
# This script was written by Mathieu Perrin <mathieu@tpfh.org>
#
# See the Nessus Scripts License for details
#
# Changes by Tenable:
# - Revised plugin title, family change (9/17/09)
# - Minor description touch-ups (9/14/10)
include("compat.inc");
# Registration pass: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity. The probe code after this block runs in the scan pass.
if(description)
{
# Nessus plugin identifier and script revision.
script_id(10043);
script_version ("1.40");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
# The CVE this plugin reports (echo/chargen UDP packet storm).
script_cve_id("CVE-1999-0103");
script_name(english:"Chargen UDP Service Remote DoS");
# Human-readable report text: one-line synopsis, full description,
# reference link and remediation steps for Unix (inetd) and Windows (SimpTCP).
script_set_attribute(attribute:"synopsis", value:
"The remote host is running a 'chargen' service." );
script_set_attribute(attribute:"description", value:
"When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
The purpose of this service was to mostly test the TCP/IP protocol
by itself, to make sure that all the packets were arriving at their
destination unaltered. It is unused these days, so it is suggested
you disable it, as an attacker may use it to set up an attack against
this host, or against a third-party host using this host as a relay.
An easy attack is 'ping-pong' in which an attacker spoofs a packet between
two machines running chargen. This will cause them to spew characters at
each other, slowing the machines down and saturating the network." );
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f0dbdf05" );
script_set_attribute(attribute:"solution", value:
"- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service." );
# Severity: CVSSv2 base vector, availability impact only (partial DoS).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
# Exploitability metadata; the named Metasploit module is a probe/scanner,
# not a flooder.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Chargen Probe Utility');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "1999/11/29");
script_set_attribute(attribute:"vuln_publication_date", value: "1996/02/08");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Must follow every script_set_attribute() call above.
script_end_attributes();
script_summary(english:"Checks for the presence of chargen");
# Information-gathering category: no disruptive traffic is sent.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 1999-2020 Mathieu Perrin");
script_family(english:"Denial of Service");
# Service detection must run first so that known_service() in the TCP
# probe below has a result to consult.
script_dependencie("find_service1.nasl");
# End of the registration pass.
exit(0);
}
#
# The script code starts here
#
include("misc_func.inc");
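if(get_udp_port_state(19))
{
  # UDP probe: chargen answers any datagram with a single reply datagram,
  # so one short line is enough to elicit a response.
  udpsoc = open_sock_udp(19);
  # A UDP socket that cannot be opened only skips the UDP probe. The TCP
  # probe further down is independent and must still run; the original
  # exit(0) at this point silently aborted it.
  if(udpsoc)
  {
    data = string("\r\n");
    send(socket:udpsoc, data:data);
    b = recv(socket:udpsoc, length:1024);
    # Report only when the reply is clearly a chargen line (> 255 bytes).
    # An empty reply has strlen() 0, so a silent port is never reported.
    # NOTE(review): RFC 864 allows UDP replies of 0-512 bytes, so a shorter
    # datagram is missed here; the original threshold is kept on purpose.
    if(strlen(b) > 255) security_warning(port:19, protocol:"udp");
    close(udpsoc);
  }
}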
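if(get_port_state(19))
{
  # Consult the service-detection result first so a port 19 already
  # identified as something other than chargen is left alone.
  p = known_service(port:19);   # May fork
  if(!p || p == "chargen")
  {
    soc = open_sock_tcp(19);
    if(soc)
    {
      # chargen streams without waiting for input, so a blocking read of a
      # fixed-size chunk is enough. recv() returns at most `length` bytes,
      # so the original test `strlen(a) > 255` could never hold and the TCP
      # check never reported; a full 255-byte read is the positive signal.
      a = recv(socket:soc, length:255, min:255);
      if(strlen(a) >= 255) security_warning(port:19);
      close(soc);
    }
  }
}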
{"id": "CHARGEN.NASL", "bulletinFamily": "scanner", "title": "Chargen UDP Service Remote DoS", "description": "When contacted, chargen responds with some random characters (something\nlike all the characters in the alphabet in a row). When contacted via UDP, it\nwill respond with a single UDP packet. When contacted via TCP, it will\ncontinue spewing characters until the client closes the connection.\n\nThe purpose of this service was to mostly test the TCP/IP protocol\nby itself, to make sure that all the packets were arriving at their\ndestination unaltered. It is unused these days, so it is suggested\nyou disable it, as an attacker may use it to set up an attack against\nthis host, or against a third-party host using this host as a relay.\n\nAn easy attack is 'ping-pong' in which an attacker spoofs a packet between\ntwo machines running chargen. This will cause them to spew characters at\neach other, slowing the machines down and saturating the network.", "published": "1999-11-29T00:00:00", "modified": "1999-11-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/10043", "reporter": "This script is Copyright (C) 1999-2020 Mathieu Perrin", "references": ["http://www.nessus.org/u?f0dbdf05"], "cvelist": ["CVE-1999-0103"], "type": "nessus", "lastseen": "2020-09-14T13:24:33", "edition": 18, "viewCount": 5145, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0103"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108029", "OPENVAS:1361412562310108030", "OPENVAS:136141256231010198", "OPENVAS:136141256231010043"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/CHARGEN/CHARGEN_PROBE"]}, {"type": "nessus", "idList": ["QUOTE.NASL", "SOLARIS11_KERBEROS_20130924.NASL", "FREEBSD_PKG_E3F64457CCCD11E2AF76206A8A720317.NASL", "ECHO.NASL"]}, {"type": "ics", "idList": ["ICSMA-18-233-01"]}, {"type": "osvdb", "idList": ["OSVDB:150"]}], "modified": 
"2020-09-14T13:24:33", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-09-14T13:24:33", "rev": 2}, "vulnersScore": 5.0}, "sourceData": "#\n# This script was written by Mathieu Perrin <mathieu@tpfh.org>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title, family change (9/17/09)\n# - Minor description touch-ups (9/14/10)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10043);\n script_version (\"1.40\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0103\");\n\n script_name(english:\"Chargen UDP Service Remote DoS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a 'chargen' service.\" );\n script_set_attribute(attribute:\"description\", value:\n\"When contacted, chargen responds with some random characters (something\nlike all the characters in the alphabet in a row). When contacted via UDP, it\nwill respond with a single UDP packet. When contacted via TCP, it will\ncontinue spewing characters until the client closes the connection.\n\nThe purpose of this service was to mostly test the TCP/IP protocol\nby itself, to make sure that all the packets were arriving at their\ndestination unaltered. It is unused these days, so it is suggested\nyou disable it, as an attacker may use it to set up an attack against\nthis host, or against a third-party host using this host as a relay.\n\nAn easy attack is 'ping-pong' in which an attacker spoofs a packet between\ntwo machines running chargen. 
This will cause them to spew characters at\neach other, slowing the machines down and saturating the network.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0dbdf05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf\n and restart the inetd process\n\n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpChargen\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpChargen\n\n Then launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n\nTo restart the service.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chargen Probe Utility');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/11/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1996/02/08\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Checks for the presence of chargen\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 1999-2020 Mathieu Perrin\");\n script_family(english:\"Denial of Service\");\n script_dependencie(\"find_service1.nasl\");\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"misc_func.inc\");\n\n\nif(get_udp_port_state(19))\n{\t\t \n udpsoc = open_sock_udp(19);\n if ( ! 
udpsoc ) exit(0);\n data = string(\"\\r\\n\");\n send(socket:udpsoc, data:data);\n b = recv(socket:udpsoc, length:1024);\n if(strlen(b) > 255)security_warning(port:19,protocol:\"udp\");\n \n close(udpsoc);\n}\n\nif(get_port_state(19))\n{\n p = known_service(port:19);\t# May fork\n if(!p || p == \"chargen\")\n {\n soc = open_sock_tcp(19);\n if(soc)\n {\n a = recv(socket:soc, length:255, min:255);\n if(strlen(a) > 255)security_warning(19);\n close(soc);\n }\n }\n}\n\n\t\t\n", "naslFamily": "Denial of Service", "pluginID": "10043", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:19:00", "description": "Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm.", "edition": 3, "cvss3": {}, "published": "1996-02-08T05:00:00", "title": "CVE-1999-0103", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0103"], "modified": "2018-08-22T18:29:00", "cpe": [], "id": "CVE-1999-0103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "metasploit": [{"lastseen": "2020-08-07T02:18:35", "description": "Chargen is a debugging and measurement tool and a character generator service. A character generator service simply sends data without regard to the input. Chargen is susceptible to spoofing the source of transmissions as well as use in a reflection attack vector. The misuse of the testing features of the Chargen service may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. 
This can result in traffic loops and service degradation with large amounts of network traffic.\n", "published": "2013-11-23T16:17:24", "type": "metasploit", "title": "Chargen Probe Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0103"], "modified": "2019-03-05T19:04:49", "id": "MSF:AUXILIARY/SCANNER/CHARGEN/CHARGEN_PROBE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Capture\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::Udp\n include Msf::Auxiliary::DRDoS\n include Msf::Auxiliary::UDPScanner\n\n def initialize\n super(\n 'Name' => 'Chargen Probe Utility',\n 'Description' => %q{\n Chargen is a debugging and measurement tool and a character\n generator service. A character generator service simply sends\n data without regard to the input.\n Chargen is susceptible to spoofing the source of transmissions\n as well as use in a reflection attack vector. 
The misuse of the\n testing features of the Chargen service may allow attackers to\n craft malicious network payloads and reflect them by spoofing\n the transmission source to effectively direct it to a target.\n This can result in traffic loops and service degradation with\n large amounts of network traffic.\n },\n 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.\n [ 'URL', 'http://tools.ietf.org/html/rfc864' ]\n ],\n 'DisclosureDate' => 'Feb 08 1996')\n\n register_options([\n Opt::RPORT(19)\n ])\n end\n\n def run_host(rhost)\n data = Rex::Text.rand_text_alpha_lower(1)\n if spoofed?\n scanner_spoof_send(data, rhost, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])\n else\n begin\n connect_udp\n udp_sock.write(data)\n r = udp_sock.recvfrom(65535, 0.1)\n\n if r and r[1]\n vprint_status(\"#{rhost}:#{rport} - Response: #{r[0].to_s}\")\n res = r[0].to_s.strip\n if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))\n print_good(\"#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)\")\n report_service(:host => rhost, :port => rport, :proto => \"udp\", :name => \"chargen\", :info => res.length)\n end\n end\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused\n nil\n ensure\n disconnect_udp if self.udp_sock\n end\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/chargen/chargen_probe.rb"}], "openvas": [{"lastseen": "2019-05-29T18:31:56", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103"], "description": "The remote host is running a ", "modified": "2019-04-11T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010043", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010043", "type": 
"openvas", "title": "Check for Chargen Service (TCP)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: chargen.nasl 4827 2016-12-21 10:31:05Z cfi $\n#\n# Check for Chargen Service (TCP)\n#\n# Authors:\n# Mathieu Perrin <mathieu@tpfh.org>\n#\n# Copyright:\n# Copyright (C) 1999 Mathieu Perrin\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10043\");\n script_version(\"2019-04-11T14:06:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-11 14:06:24 +0000 (Thu, 11 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n #Remark: NIST don't see \"configuration issues\" as software flaws so this CVSS has a value of 0.0.\n #However we still should report such a configuration issue with a criticality so this has been commented\n #out to avoid that the automatic CVSS score correction is setting the CVSS back to 0.0\n # script_cve_id(\"CVE-1999-0103\");\n script_name(\"Check for Chargen Service (TCP)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This 
script is Copyright (C) 1999 Mathieu Perrin\");\n script_family(\"Useless services\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(19);\n\n script_xref(name:\"URL\", value:\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103\");\n\n script_tag(name:\"summary\", value:\"The remote host is running a 'chargen' service.\n\n Description :\n\n When contacted, chargen responds with some random characters (something\n like all the characters in the alphabet in a row). When contacted via TCP,\n it will continue spewing characters until the client closes the connection.\n\n The purpose of this service was to mostly to test the TCP/IP protocol\n by itself, to make sure that all the packets were arriving at their\n destination unaltered. It is unused these days, so it is suggested\n you disable it, as an attacker may use it to set up an attack against\n this host, or against a third party host using this host as a relay.\");\n\n script_tag(name:\"solution\", value:\"- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf\n and restart the inetd process\n\n - Under Windows systems, set the following registry keys to 0 :\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpChargen\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpChargen\n\n Then launch cmd.exe and type :\n\n net stop simptcp\n\n net start simptcp\n\n To restart the service.\");\n\n script_tag(name:\"impact\", value:\"An easy attack is 'ping-pong' in which an attacker spoofs a packet between\n two machines running chargen. 
This will cause them to spew characters at\n each other, slowing the machines down and saturating the network.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"pingpong.inc\");\n\nport = 19;\n\nif( get_port_state( port ) ) {\n\n p = known_service( port:port );\n if( ! p || p == \"chargen\" ) {\n soc = open_sock_tcp( port );\n if( soc ) {\n a = recv( socket:soc, length:255, min:255 );\n if( strlen( a ) > 255 )\n security_message( port:port );\n close( soc );\n }\n }\n}\n\nexit( 0 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:32:01", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103"], "description": "The quote service (qotd) is running on this host.\n\n Description :\n\n A server listens for TCP connections on TCP port 17. Once a connection\n is established a short message is sent out the connection (and any\n data received is thrown away). 
The service closes the connection\n after sending the quote.", "modified": "2019-04-11T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010198", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010198", "type": "openvas", "title": "Check for Quote of the day Service (TCP)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: quote.nasl 4827 2016-12-21 10:31:05Z cfi $\n#\n# Check for Quote of the day Service (TCP)\n#\n# Authors:\n# Mathieu Perrin <mathieu@tpfh.org>\n#\n# Copyright:\n# Copyright (C) 1999 Mathieu Perrin\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10198\");\n script_version(\"2019-04-11T14:06:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-11 14:06:24 +0000 (Thu, 11 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n #Remark: NIST don't see \"configuration issues\" as software flaws so this CVSS has a value of 0.0.\n #However we still should report such a configuration issue with a criticality so this has been commented\n #out to avoid that the automatic CVSS score correction is setting the CVSS back to 0.0\n # script_cve_id(\"CVE-1999-0103\");\n script_name(\"Check for Quote of the day Service (TCP)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 1999 Mathieu Perrin\");\n script_family(\"Useless services\");\n script_dependencies(\"find_service.nasl\", \"find_service2.nasl\");\n script_require_ports(17);\n\n script_xref(name:\"URL\", value:\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103\");\n\n script_tag(name:\"summary\", value:\"The quote service (qotd) is running on this host.\n\n Description :\n\n A server listens for TCP connections on TCP port 17. Once a connection\n is established a short message is sent out the connection (and any\n data received is thrown away). 
The service closes the connection\n after sending the quote.\");\n\n script_tag(name:\"solution\", value:\"- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf\n and restart the inetd process\n\n - Under Windows systems, set the following registry keys to 0 :\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd\n\n Then launch cmd.exe and type :\n\n net stop simptcp\n\n net start simptcp\n\n To restart the service.\");\n script_tag(name:\"impact\", value:\"An easy attack is 'pingpong' which IP spoofs a packet between two machines\n running qotd. This will cause them to spew characters at each other,\n slowing the machines down and saturating the network.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nport = 17;\n\nif( get_port_state( port ) ) {\n\n p = known_service( port:port );\n if( ! 
p || p == \"qotd\" ) {\n soc = open_sock_tcp( port );\n if( soc ) {\n a = recv_line( socket:soc, length:1024 );\n if( a )\n security_message( port:port );\n close( soc );\n }\n }\n}\n\nexit( 0 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:31:55", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103"], "description": "The quote service (qotd) is running on this host.\n\n Description :\n\n A server listens for UDP datagrams on UDP port 17.\n When a datagram is received, an answering datagram is sent containing\n a quote (the data in the received datagram is ignored).", "modified": "2019-03-19T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:1361412562310108029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108029", "type": "openvas", "title": "Check for Quote of the day Service (UDP)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: quote_udp.nasl 14336 2019-03-19 14:53:10Z mmartin $\n#\n# Check for Quote of the day Service (UDP)\n#\n# Authors:\n# Mathieu Perrin <mathieu@tpfh.org>\n#\n# Copyright:\n# Copyright (C) 1999 Mathieu Perrin\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108029\");\n script_version(\"$Revision: 14336 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 15:53:10 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n #Remark: NIST don't see \"configuration issues\" as software flaws so this CVSS has a value of 0.0.\n #However we still should report such a configuration issue with a criticality so this has been commented\n #out to avoid that the automatic CVSS score correction is setting the CVSS back to 0.0\n # script_cve_id(\"CVE-1999-0103\");\n script_name(\"Check for Quote of the day Service (UDP)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 1999 Mathieu Perrin\");\n script_family(\"Useless services\");\n script_require_udp_ports(17);\n\n script_xref(name:\"URL\", value:\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103\");\n\n script_tag(name:\"summary\", value:\"The quote service (qotd) is running on this host.\n\n Description :\n\n A server listens for UDP datagrams on UDP port 17.\n When a datagram is received, an answering datagram is sent containing\n a quote (the data in the received datagram is ignored).\");\n script_tag(name:\"solution\", value:\"- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf\n and restart the inetd process\n\n - Under Windows systems, set the following registry keys to 0 :\n 
HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd\n\n Then launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n\n To restart the service.\");\n script_tag(name:\"impact\", value:\"An easy attack is 'pingpong' which IP spoofs a packet between two machines\n running qotd. This will cause them to spew characters at each other,\n slowing the machines down and saturating the network.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nport = 17;\n\nif( get_udp_port_state( port ) ) {\n udpsoc = open_sock_udp( port );\n send( socket:udpsoc, data:'\\r\\n' );\n b = recv( socket:udpsoc, length:1024 );\n if( b ) security_message( port:port, protocol:\"udp\" );\n close( udpsoc );\n}\n\nexit( 0 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:31:59", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103"], "description": "The remote host is running a ", "modified": "2019-04-24T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:1361412562310108030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108030", "type": "openvas", "title": "Check for Chargen Service (UDP)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Check for Chargen Service (UDP)\n#\n# Authors:\n# Mathieu Perrin <mathieu@tpfh.org>\n#\n# Copyright:\n# Copyright (C) 1999 Mathieu Perrin\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108030\");\n script_version(\"2019-04-24T07:26:10+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-24 07:26:10 +0000 (Wed, 24 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n #Remark: NIST don't see \"configuration issues\" as software flaws so this CVSS has a value of 0.0.\n #However we still should report such a configuration issue with a criticality so this has been commented\n #out to avoid that the automatic CVSS score correction is setting the CVSS back to 0.0\n # script_cve_id(\"CVE-1999-0103\");\n script_name(\"Check for Chargen Service (UDP)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 1999 Mathieu Perrin\");\n script_family(\"Useless services\");\n script_require_udp_ports(19);\n\n script_xref(name:\"URL\", value:\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103\");\n\n script_tag(name:\"summary\", value:\"The remote host is running a 'chargen' service.\");\n\n script_tag(name:\"insight\", value:\"When contacted, chargen responds with some random characters\n (something like all the characters in the alphabet in a row). 
When contacted via UDP, it\n will respond with a single UDP packet.\n\n The purpose of this service was to mostly to test the TCP/IP protocol by itself, to make sure that\n all the packets were arriving at their destination unaltered. It is unused these days, so it is\n suggested you disable it, as an attacker may use it to set up an attack against this host, or\n against a third party host using this host as a relay.\");\n\n script_tag(name:\"solution\", value:\"- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf\n and restart the inetd process\n\n - Under Windows systems, set the following registry keys to 0 :\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpChargen\n\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpChargen\n\n Then launch cmd.exe and type :\n\n net stop simptcp\n\n net start simptcp\n\n To restart the service.\");\n\n script_tag(name:\"impact\", value:\"An easy attack is 'ping-pong' in which an attacker spoofs a packet between\n two machines running chargen. This will cause them to spew characters at each other, slowing the machines\n down and saturating the network.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"pingpong.inc\");\n\nport = 19;\nif( ! get_udp_port_state( port ) )\n exit( 0 );\n\nsoc = open_sock_udp( port );\nif( ! soc )\n exit( 0 );\n\ndata = string( \"\\r\\n\" );\nsend( socket:soc, data:data );\nb = recv( socket:soc, length:1024 );\nclose( soc );\n\nif( strlen( b ) > 255 ) {\n security_message( port:port, protocol:\"udp\" );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-03-01T05:23:02", "description": "A server listens for TCP connections on TCP port 17. 
Once a connection \nis established a short message is sent out the connection (and any \ndata received is thrown away). The service closes the connection \nafter sending the quote.\n\nAnother quote of the day service is defined as a datagram based\napplication on UDP. A server listens for UDP datagrams on UDP port 17.\nWhen a datagram is received, an answering datagram is sent containing \na quote (the data in the received datagram is ignored).\n\nAn easy attack is 'pingpong' which IP spoofs a packet between two machines\nrunning qotd. This will cause them to spew characters at each other,\nslowing the machines down and saturating the network.", "edition": 25, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "1999-11-30T00:00:00", "title": "Quote of the Day (QOTD) Service Detection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "QUOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/10198", "sourceData": "#\n# This script was written by Mathieu Perrin <mathieu@tpfh.org>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title (9/17/09)\n# - Changed family (10/8/09)\n# - Changed CVSS score/risk factor (09/24/19)\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10198);\n script_version (\"1.29\");\n script_cvs_date(\"Date: 2019/10/04 16:48:26\");\n\n script_cve_id(\"CVE-1999-0103\");\n\n script_name(english:\"Quote of the Day (QOTD) Service Detection\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The quote service (qotd) is running on this host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"A server listens for TCP connections on TCP port 17. Once a connection \nis established a short message is sent out the connection (and any \ndata received is thrown away). 
The service closes the connection \nafter sending the quote.\n\nAnother quote of the day service is defined as a datagram based\napplication on UDP. A server listens for UDP datagrams on UDP port 17.\nWhen a datagram is received, an answering datagram is sent containing \na quote (the data in the received datagram is ignored).\n\nAn easy attack is 'pingpong' which IP spoofs a packet between two machines\nrunning qotd. This will cause them to spew characters at each other,\nslowing the machines down and saturating the network.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0103\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/11/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1996/02/08\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_summary(english:\"Checks for the presence of qotd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 1999-2019 Mathieu Perrin\");\n script_family(english:\"Service detection\");\n script_dependencie(\"find_service1.nasl\", \"find_service2.nasl\");\n exit(0);\n}\n \n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif(get_udp_port_state(17))\n{\t\t \n 
udpsoc = open_sock_udp(17);\n if ( ! udpsoc ) exit(0);\n send(socket:udpsoc, data:'\\r\\n');\n b = recv(socket:udpsoc, length:1024);\n if(b)\n {\n b = chomp(b);\n if (report_verbosity > 1 && strlen(b) > 0)\n security_warning(port:17, protocol: \"udp\", extra: '\\nThe service sent :\\n\\n', b, '\\n');\n else\n security_warning(port:17, protocol:\"udp\");\n register_service(port:17, ipproto:\"udp\", proto:\"qotd\");\n }\n close(udpsoc);\n}\n\nif(get_port_state(17))\n{\n p = known_service(port:17);\t# May fork\n if(!p || p == \"qotd\")\n {\n soc = open_sock_tcp(17);\n if(soc)\n {\n a = recv_line(socket:soc, length:1024);\n if(a)\n {\n a = chomp(a);\n if (report_verbosity > 1 && strlen(a) > 0)\n security_warning(port:17, extra: '\\nThe service sent :\\n\\n', a, '\\n');\n else\n security_warning(17);\n if (!p) register_service(port:17, ipproto:\"tcp\", proto:\"qotd\");\n }\n close(soc);\n }\n }\n}\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:50:58", "description": "No advisory has been released yet.\n\nschpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5)\nbefore 1.11.3 does not properly validate UDP packets before sending\nresponses, which allows remote attackers to cause a denial of service\n(CPU and bandwidth consumption) via a forged packet that triggers a\ncommunication loop, as demonstrated by krb_pingpong.nasl, a related\nissue to CVE-1999-0103. [CVE-2002-2443].", "edition": 21, "published": "2013-06-04T00:00:00", "title": "FreeBSD : krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. 
[CVE-2002-2443] (e3f64457-cccd-11e2-af76-206a8a720317)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103", "CVE-2002-2443"], "modified": "2013-06-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:krb5", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_E3F64457CCCD11E2AF76206A8A720317.NASL", "href": "https://www.tenable.com/plugins/nessus/66777", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66777);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2002-2443\");\n\n script_name(english:\"FreeBSD : krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] (e3f64457-cccd-11e2-af76-206a8a720317)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"No advisory has been released yet.\n\nschpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5)\nbefore 1.11.3 does not properly validate UDP packets before sending\nresponses, which allows remote attackers to cause a denial of service\n(CPU and bandwidth consumption) via a forged packet that triggers a\ncommunication loop, as demonstrated by krb_pingpong.nasl, a related\nissue to CVE-1999-0103. 
[CVE-2002-2443].\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://web.mit.edu/kerberos/www/krb5-1.11/\"\n );\n # https://vuxml.freebsd.org/freebsd/e3f64457-cccd-11e2-af76-206a8a720317.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c26750fe\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"krb5<=1.11.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-14T13:53:56", "description": "The remote host is running the 'echo' service. 
This service \nechoes any data which is sent to it.\n\nThis service is unused these days, so it is strongly advised that\nyou disable it, as it may be used by attackers to set up denial of\nservices attacks against this host.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "1999-06-22T00:00:00", "title": "Echo Service Detection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0103", "CVE-1999-0635"], "modified": "1999-06-22T00:00:00", "cpe": [], "id": "ECHO.NASL", "href": "https://www.tenable.com/plugins/nessus/10061", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10061);\n script_version (\"1.46\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n script_cve_id(\"CVE-1999-0103\", \"CVE-1999-0635\");\n\n script_name(english:\"Echo Service Detection\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An echo service is running on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the 'echo' service. This service \nechoes any data which is sent to it.\n\nThis service is unused these days, so it is strongly advised that\nyou disable it, as it may be used by attackers to set up denial of\nservices attacks against this host.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Below are some examples of how to disable the echo service on some common\nplatforms, however many services can exhibit this behavior and the list below\nis not exhaustive. 
\n\nConsult vendor documentation for the service exhibiting the echo behavior\nfor more information.\n\n- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf\n and restart the inetd process.\n\n- Under Ubuntu systems, comment out the 'echo' line in \n /etc/systemd/system.conf and retart the systemd service.\n\n- Under Windows systems, set the following registry key to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpEcho\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpEcho\n\nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n\nTo restart the service.\" );\n\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0103\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/06/22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_summary(english:\"Checks if the 'echo' port is open\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 1999-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Service detection\");\n script_dependencie(\"find_service1.nasl\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\npattern = \"Harmless Nessus echo test\";\n\nport = get_kb_item(\"Services/echo\");\nif(!port)port = 7;\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n data = string(pattern, \"\\r\\n\");\n send(socket:soc, data:data);\n res = recv_line(socket:soc, length:1024);\n if(data == res)\n {\n security_report_v4(port:port, severity:SECURITY_WARNING);\n register_service(port:port, proto:\"echo\");\n }\n close(soc);\n }\n}\n\nif(get_udp_port_state(port))\n{\n soc = open_sock_udp(port);\n if(soc)\n {\n data = string(pattern, \"\\r\\n\");\n send(socket:soc, data:data);\n res2 = recv(socket:soc, length:1024);\n if(res2)\n {\n if(data == res2)security_report_v4(port:port, proto:\"udp\", severity:SECURITY_WARNING);\n }\n close(soc);\n }\n}\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:01:01", "description": "The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - schpw.c in the kpasswd service in kadmind in MIT\n Kerberos 5 (aka krb5) before 1.11.3 does not properly\n validate UDP packets before sending responses, which\n allows remote attackers to cause a denial of service\n (CPU and bandwidth consumption) via a forged packet that\n triggers a communication loop, as demonstrated by\n krb_pingpong.nasl, a related issue to CVE-1999-0103.\n (CVE-2002-2443)\n\n - The pkinit_server_return_padata function in\n plugins/preauth/pkinit/pkinit_srv.c in the PKINIT\n implementation in the Key Distribution Center (KDC) in\n MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find\n an agility KDF identifier in inappropriate\n circumstances, which allows remote attackers to cause a\n denial of service (NULL pointer dereference and daemon\n crash) via a crafted Draft 9 request. 
(CVE-2012-1016)\n\n - The pkinit_check_kdc_pkid function in\n plugins/preauth/pkinit/ pkinit_crypto_openssl.c in the\n PKINIT implementation in the Key Distribution Center\n (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and\n 1.11.x before 1.11.1 does not properly handle errors\n during extraction of fields from an X.509 certificate,\n which allows remote attackers to cause a denial of\n service (NULL pointer dereference and daemon crash) via\n a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.\n (CVE-2013-1415)", "edition": 24, "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1016", "CVE-1999-0103", "CVE-2013-1415", "CVE-2002-2443"], "modified": "2015-01-19T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:kerberos"], "id": "SOLARIS11_KERBEROS_20130924.NASL", "href": "https://www.tenable.com/plugins/nessus/80652", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80652);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2002-2443\", \"CVE-2012-1016\", \"CVE-2013-1415\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - schpw.c in the 
kpasswd service in kadmind in MIT\n Kerberos 5 (aka krb5) before 1.11.3 does not properly\n validate UDP packets before sending responses, which\n allows remote attackers to cause a denial of service\n (CPU and bandwidth consumption) via a forged packet that\n triggers a communication loop, as demonstrated by\n krb_pingpong.nasl, a related issue to CVE-1999-0103.\n (CVE-2002-2443)\n\n - The pkinit_server_return_padata function in\n plugins/preauth/pkinit/pkinit_srv.c in the PKINIT\n implementation in the Key Distribution Center (KDC) in\n MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find\n an agility KDF identifier in inappropriate\n circumstances, which allows remote attackers to cause a\n denial of service (NULL pointer dereference and daemon\n crash) via a crafted Draft 9 request. (CVE-2012-1016)\n\n - The pkinit_check_kdc_pkid function in\n plugins/preauth/pkinit/ pkinit_crypto_openssl.c in the\n PKINIT implementation in the Key Distribution Center\n (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and\n 1.11.x before 1.11.1 does not properly handle errors\n during extraction of fields from an X.509 certificate,\n which allows remote attackers to cause a denial of\n service (NULL pointer dereference and daemon crash) via\n a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.\n (CVE-2013-1415)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.oracle.com/sunsecurity/cve-2002-2443-denial-of-service-vulnerability-in-kerberos\"\n );\n # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-the-pkinit-implementation-in-the-key-distribution-center-kdc\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?45d72a61\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 
11.1.10.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:kerberos\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^kerberos-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kerberos\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.10.0.5.0\", sru:\"SRU 11.1.10.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : kerberos\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_hole(port:0, extra:error_extra);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"kerberos\");\n", "cvss": {"score": 7.1, "vector": 
"AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "ics": [{"lastseen": "2021-02-27T19:51:20", "bulletinFamily": "info", "cvelist": ["CVE-1999-0103"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 5.7**\n\n * **ATTENTION: **Low skill level to exploit\n * **Vendor: **Philips\n * **Equipment: **Philips IntelliVue Information Center iX\n * **Vulnerability: **Resource Exhaustion\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the updated advisory titled ICSMA-18-233-01 Philips IntelliVue Information Center iX (Update A) that was published August 30, 2018, on the NCCIC/ICS-CERT website.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability may result in a denial of service, the operating system will become unresponsive due to the network attack, which will affect the applications ability to meet the intended use.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of Philips IntelliVue Information Center iX, real-time central monitoring system, are affected:\n\n * Philips IntelliVue Information Center iX Versions B.02.\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [UNCONTROLLED RESOURCE CONSUMPTION ('RESOURCE EXHAUSTION') CWE-400](<https://cwe.mitre.org/data/definitions/400.html>)\n\nAn attacker may compromise the device\u2019s availability by performing multiple initial UDP requests.\n\n[CVE-1999-0103](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Netherlands\n\n### 4.4 RESEARCHER\n\nA user reported this vulnerability to Philips, who then reported it to NCCIC.\n\n## 5\\. MITIGATIONS\n\nPhilips has identified and put in place mitigations to reduce the risk of exploitation of this vulnerability. In order for users of affected devices to mitigate exposure to this vulnerability, Philips recommends following the device\u2019s labeling, including instructions for use and service guide(s), which provide compensating controls.\n\n**\\--------- Begin Update B Part 1 of 1 --------**\n\nPhilips will provide the remediation in the form of a patch by the end of November 2018 for all PIIC iX B.02 users.\n\n**\\--------- End Update B Part 1 of 1 --------**\n\nPhilips\u2019 contact information is available at the following location:\n\n<http://www.usa.philips.com/healthcare/solutions/customer-service-solutions>\n\nThe Philips advisory is available at the following URL:\n\n<http://www.philips.com/productsecurity>\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. This vulnerability is exploitable from within the same local device subnet.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSMA-18-233-01>); we'd welcome your feedback.\n", "modified": "2018-10-11T00:00:00", "published": "2018-08-21T00:00:00", "id": "ICSMA-18-233-01", "href": "https://www.us-cert.gov/ics/advisories/ICSMA-18-233-01", "type": "ics", "title": "Philips IntelliVue Information Center iX (Update B)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0103", "CVE-1999-0635"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSnort Signature ID: 271\nISS X-Force ID: 259\nISS X-Force ID: 44\nISS X-Force ID: 36\n[CVE-1999-0103](https://vulners.com/cve/CVE-1999-0103)\n[CVE-1999-0635](https://vulners.com/cve/CVE-1999-0635)\nCERT: CA-1996-01\n", "modified": "1996-02-08T00:00:00", "published": "1996-02-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:150", "id": "OSVDB:150", "type": "osvdb", "title": "Echo / Chargen UDP Service DoS", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}