
TCP Sequence Number Approximation Reset Denial of Service Vulnerability


The host is running TCP services and is prone to a denial of service
vulnerability.

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_tcp_sequence_approx_dos_vuln.nasl 5912 2017-04-10 09:01:51Z teissa $
#
# TCP Sequence Number Approximation Reset Denial of Service Vulnerability
#
# Authors:
# Sooraj KS <[email protected]>
#
# Copyright:
# Copyright (c) 2012 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

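if(description)
{
  # Script identity and the single vulnerability it covers (CVE-2004-0230,
  # BID 10183): acceptance of a spoofed RST whose sequence number is merely
  # inside the receive window instead of exactly the expected one.
  script_id(902815);
  script_bugtraq_id(10183);
  script_version("$Revision: 5912 $");
  script_cve_id("CVE-2004-0230");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"last_modification", value:"$Date: 2017-04-10 11:01:51 +0200 (Mon, 10 Apr 2017) $");
  script_tag(name:"creation_date", value:"2012-03-01 15:15:15 +0530 (Thu, 01 Mar 2012)");
  script_name("TCP Sequence Number Approximation Reset Denial of Service Vulnerability");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2012 SecPod");
  script_family("Denial of Service");

  # The test body reads an open TCP port via get_host_open_tcp_port();
  # the TCP/PORTS key that feeds it is required, and the port scanner
  # script is declared as dependency so it runs first.
  script_dependencies("secpod_open_tcp_ports.nasl");
  script_mandatory_keys("TCP/PORTS");

  # Vendor advisories for affected stacks (IBM AIX, Microsoft, Cisco).
  # Each URL is listed once.
  script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/15886");
  script_xref(name:"URL", value:"http://www.us-cert.gov/cas/techalerts/TA04-111A.html");
  script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949");
  script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950");
  script_xref(name:"URL", value:"http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006");
  script_xref(name:"URL", value:"http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx");
  script_xref(name:"URL", value:"http://www.microsoft.com/technet/security/bulletin/ms06-064.mspx");
  script_xref(name:"URL", value:"http://www.cisco.com/en/US/products/csa/cisco-sa-20040420-tcp-nonios.html");

  tag_summary = "The host is running TCP services and is prone to denial of service
  vulnerability.";

  tag_solution = "Please see the referenced advisories for more information on obtaining
  and applying fixes.";

  tag_insight = "The flaw is triggered when spoofed TCP Reset packets are received by the
  targeted TCP stack and will result in loss of availability for the attacked TCP services.";

  tag_affected = "TCP/IP v4";

  tag_impact = "Successful exploitation will allow remote attackers to guess sequence numbers
  and cause a denial of service to persistent TCP connections by repeatedly injecting a TCP RST packet.";

  tag_vuldetect = "A TCP Reset packet with a different sequence number is sent to
  the target. A previously open connection is then checked to see if the target closed it or not.";

  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"vuldetect", value:tag_vuldetect);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"impact", value:tag_impact);

  # QoD is deliberately low: a RST seen on the second probe is attributed to
  # the injected packet, but a service closing the connection on its own
  # could presumably produce the same observation.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  # Mirrors the runtime guards in the test body: the forged packet is IPv4
  # only, and raw-packet injection is not attempted against the scanner
  # host itself.
  script_exclude_keys("keys/islocalhost","keys/TARGET_IS_IPV6");

  exit(0);
}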

include("global_settings.inc");
include("misc_func.inc");

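## Variable Initialization
soc = 0;
port = 0;
srcport = 0;
filter = "";
ip = NULL;
tcp = NULL;
res = NULL;
flags = NULL;
dstip = NULL;
srcip = NULL;
tcp_seq = NULL;

## Check for IPV6
## The spoofed packet below is forged with ip_v:4, so an IPv6 target
## cannot be tested this way (mirrors the keys/TARGET_IS_IPV6 exclusion).
if(TARGET_IS_IPV6()){
  exit(0);
}

## Check for localhost
## Raw-packet injection against the scanner host itself is skipped
## (mirrors the keys/islocalhost exclusion in the description block).
if(islocalhost()){
  exit(0);
}

## Get Open TCP Port
## Without an open port there is no connection whose reset could be forced.
port = get_host_open_tcp_port();
if(!port){
  exit(0);
}

## Open TCP Socket
## This real connection plays the role of the persistent session that an
## off-path RST would tear down on a vulnerable stack.
soc = open_sock_tcp(port);
if(!soc){
  exit(0);
}

## Get Source Port
## The local ephemeral port is used twice: in the pcap filter and as
## th_sport of the spoofed RST, so the forged packet matches the
## connection's 4-tuple. The socket is closed on every exit path below.
srcport = get_source_port(soc);
if(!srcport){
  close(soc);
  exit(0);
}

## Get Source and Destination IP
dstip = get_host_ip();
srcip = this_host();

## Filter for Packets
## Capture only replies belonging to this exact connection
## (target -> scanner, target port -> our ephemeral port).
filter = string("tcp and src ", dstip, " and dst ", srcip, " and dst port ",
                srcport, " and src port ", port);

## Send a character and receive the response
## The reply's th_ack is the sequence number the target expects next and
## is the anchor for the sequence number of the spoofed RST.
res = send_capture(socket:soc, data:"X", pcap_filter:filter);
if(!res){
  close(soc);
  exit(0);
}

## Get acknowledgement number and tcp flags
tcp_seq = get_tcp_element(tcp:res, element:"th_ack");
flags = get_tcp_element(tcp:res, element:"th_flags");

## Check Whether the connection is closed or not
## If the service already closed the connection (FIN/RST) on its own, a
## later RST could not be attributed to the injected packet.
if(!tcp_seq || (flags & TH_FIN) || (flags & TH_RST)) {
  close(soc);
  exit(0);
}

## Spoof a TCP RST packet by incrementing sequence number
## ip_len:20 is the bare IPv4 header; forge_tcp_packet() builds the TCP
## segment on top of it. ip_dst is given explicitly so the packet is
## addressed to the scanned host instead of relying on the default.
ip = forge_ip_packet( ip_v   : 4,
                      ip_hl  : 5,
                      ip_tos : 0,
                      ip_len : 20,
                      ip_id  : rand(),
                      ip_p   : IPPROTO_TCP,
                      ip_ttl : 255,
                      ip_off : 0,
                      ip_src : srcip,
                      ip_dst : dstip );

## Increment sequence number by 1024
## th_seq deliberately does NOT equal the expected sequence number
## (tcp_seq). A stack that only honours a RST at exactly the expected
## byte ignores this packet; one that accepts any in-window sequence
## number (CVE-2004-0230) drops the connection.
tcp = forge_tcp_packet( ip       : ip,
                        th_ack   : 0,
                        th_dport : port,
                        th_flags : TH_RST,
                        th_seq   : tcp_seq + 1024,
                        th_sport : srcport,
                        th_x2    : 0,
                        th_off   : 5,
                        th_win   : 1024,
                        th_urp   : 0);

## Send the spoofed RST packet
## pcap_active:FALSE: no reply to the RST itself is awaited; the effect is
## observed through the original socket instead.
send_packet(tcp, pcap_active:FALSE);

## Send a character and receive the response
## Probe the original socket again: a RST in reply means the target
## discarded the connection state after the out-of-sequence RST.
res = send_capture(socket:soc, data:"X", pcap_filter:filter);
if(res)
{
  ## Get the flag and confirm the vulnerability
  flags = get_tcp_element(tcp:res, element:"th_flags");

  ## Check for RST flag
  ## Reported on port 0 (host level): the weakness is in the TCP stack,
  ## not in the service listening on 'port'.
  if (flags & TH_RST){
    security_message(port:0);
  }
}

## Release the probe connection on the normal path as well
close(soc);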