
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm. A single datagram whose source address and port are spoofed to point at one such service, sent to the other, is enough to start the loop: each service answers the other indefinitely, and neither side validates or terminates the exchange.

Metasploit

description: Chargen is a debugging and measurement tool and a character generator service. A character generator service simply sends data without regard to the input. Because chargen answers any datagram regardless of its origin, it can be abused by spoofing the source of transmissions and used as a reflector. The misuse of the testing features of the Chargen service may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct them at a target. This can result in traffic loops and service degradation with large amounts of network traffic.
id: MSF:AUXILIARY/SCANNER/CHARGEN/CHARGEN_PROBE
last seen: 2020-01-10
modified: 2019-03-05
published: 2013-11-23
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/chargen/chargen_probe.rb
title: Chargen Probe Utility

Nessus

  • NASL family: Service detection
    NASL id: QUOTE.NASL
    description: A server listens for TCP connections on TCP port 17. Once a connection is established a short message is sent out the connection (and any data received is thrown away). The service closes the connection after sending the quote. Another quote of the day service is defined as a datagram based application on UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is 'pingpong', in which an attacker IP-spoofs a packet between two machines running qotd. This will cause them to spew characters at each other, slowing the machines down and saturating the network.
    last seen2020-06-01
    modified2020-06-02
    plugin id10198
    published1999-11-30
    reporterThis script is Copyright (C) 1999-2019 Mathieu Perrin
    sourcehttps://www.tenable.com/plugins/nessus/10198
    titleQuote of the Day (QOTD) Service Detection
    code
    #
    # This script was written by Mathieu Perrin <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    # Changes by Tenable:
    # - Revised plugin title (9/17/09)
    # - Changed family (10/8/09)
    # - Changed CVSS score/risk factor (09/24/19)
    
    
    include("compat.inc");
    
    # Registration phase: when the engine loads the plugin with 'description'
    # set, only metadata is declared and the script exits before any probing.
    if(description)
    {
     script_id(10198);
     script_version ("1.29");
     script_cvs_date("Date: 2019/10/04 16:48:26");
    
     script_cve_id("CVE-1999-0103");
    
     script_name(english:"Quote of the Day (QOTD) Service Detection");
    
     # Report text. The 'pingpong' attack described below is why a plain
     # detection of this service is still tied to CVE-1999-0103.
     script_set_attribute(attribute:"synopsis", value:
    "The quote service (qotd) is running on this host." );
     script_set_attribute(attribute:"description", value:
    "A server listens for TCP connections on TCP port 17. Once a connection 
    is established a short message is sent out the connection (and any 
    data received is thrown away). The service closes the connection 
    after sending the quote.
    
    Another quote of the day service is defined as a datagram based
    application on UDP.  A server listens for UDP datagrams on UDP port 17.
    When a datagram is received, an answering datagram is sent containing 
    a quote (the data in the received datagram is ignored).
    
    An easy attack is 'pingpong' which IP spoofs a packet between two machines
    running qotd. This will cause them to spew characters at each other,
    slowing the machines down and saturating the network." );
     script_set_attribute(attribute:"solution", value:
    "- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf
      and restart the inetd process
     
    - Under Windows systems, set the following registry keys to 0 :
      HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
      HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
       
    Then launch cmd.exe and type :
    
       net stop simptcp
       net start simptcp
       
    To restart the service." );
     # Scoring: the CVSSv2 vector matches the CVE (availability only); the
     # CVSSv3 vector is Tenable's own and carries UI:R, which is the scanner
     # vendor's assessment rather than something this script verifies.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
     script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0103");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "1999/11/30");
     script_set_attribute(attribute:"vuln_publication_date", value: "1996/02/08");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     # Classification: ACT_GATHER_INFO, i.e. this plugin only detects the
     # service; it never attempts the ping-pong flood it describes.
     script_summary(english:"Checks for the presence of qotd");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 1999-2019 Mathieu Perrin");
     script_family(english:"Service detection");
     # Run after port/service discovery so known_service() below has data.
     # ('script_dependencie' is the NASL API spelling, used as-is in both plugins.)
     script_dependencie("find_service1.nasl", "find_service2.nasl");
     exit(0);
    }
     
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    
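    # UDP probe: a qotd/UDP server (RFC 865) answers any datagram with a quote
    # and ignores the payload, so a bare CRLF is enough to elicit a reply.
    if(get_udp_port_state(17))
    {
     udpsoc = open_sock_udp(17);
     # NOTE(review): exiting here also skips the TCP probe further down. Kept
     # as in the original; a failed UDP socket open is treated as "host not
     # reachable" rather than "no UDP service".
     if ( ! udpsoc ) exit(0);
     send(socket:udpsoc, data:'\r\n');
     b = recv(socket:udpsoc, length:1024);
     if(b)
     {
      b = chomp(b);
      # Build the report text with string(): the previous code passed the
      # banner as trailing anonymous arguments after 'extra:', which
      # security_warning() does not fold into the report, so verbose output
      # showed "The service sent :" with nothing after it.
      if (report_verbosity > 1 && strlen(b) > 0)
       security_warning(port:17, protocol:"udp", extra:string('\nThe service sent :\n\n', b, '\n'));
      else
       security_warning(port:17, protocol:"udp");
      register_service(port:17, ipproto:"udp", proto:"qotd");
     }
     close(udpsoc);
    }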
    
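    # TCP probe: a qotd/TCP server speaks first (RFC 865), so reading one
    # line without sending anything is enough to identify it.
    if(get_port_state(17))
    {
     p = known_service(port:17);	# May fork
     # Only probe when find_service has not already attributed the port to
     # some other protocol.
     if(!p || p == "qotd")
     {
     soc = open_sock_tcp(17);
     if(soc)
      {
        a = recv_line(socket:soc, length:1024);
        if(a)
        {
          a = chomp(a);
          # string() joins the banner into the report text; the previous
          # code passed it as a trailing anonymous argument after 'extra:',
          # which security_warning() ignores, so the banner never appeared.
          if (report_verbosity > 1 && strlen(a) > 0)
            security_warning(port:17, extra:string('\nThe service sent :\n\n', a, '\n'));
          else
            security_warning(17);
          # Record the service only if find_service had not already named it.
          if (!p) register_service(port:17, ipproto:"tcp", proto:"qotd");
        }
        close(soc);
      }
     }
    }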
    
    
  • NASL family: Denial of Service
    NASL id: CHARGEN.NASL
    description: When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. The purpose of this service was to mostly test the TCP/IP protocol by itself, to make sure that all the packets were arriving at their destination unaltered. It is unused these days, so it is suggested you disable it, as an attacker may use it to set up an attack against this host, or against a third-party host using this host as a relay. An easy attack is 'ping-pong', in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network.
    last seen2020-06-01
    modified2020-06-02
    plugin id10043
    published1999-11-29
    reporterThis script is Copyright (C) 1999-2018 Mathieu Perrin
    sourcehttps://www.tenable.com/plugins/nessus/10043
    titleChargen UDP Service Remote DoS
    code
    #
    # This script was written by Mathieu Perrin <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    # Changes by Tenable:
    # - Revised plugin title, family change (9/17/09)
    # - Minor description touch-ups (9/14/10)
    
    include("compat.inc");
    
    # Registration phase: with 'description' set the engine only collects
    # metadata; the script exits before any packet is sent.
    if(description)
    {
     script_id(10043);
     script_version ("1.40");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     script_cve_id("CVE-1999-0103");
    
     script_name(english:"Chargen UDP Service Remote DoS");
    
     # Report text. Despite the title, the code below checks both UDP and
     # TCP chargen; the DoS referred to is the ping-pong loop described here.
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is running a 'chargen' service." );
     script_set_attribute(attribute:"description", value:
    "When contacted, chargen responds with some random characters (something
    like all the characters in the alphabet in a row). When contacted via UDP, it
    will respond with a single UDP packet. When contacted via TCP, it will
    continue spewing characters until the client closes the connection.
    
    The purpose of this service was to mostly test the TCP/IP protocol
    by itself, to make sure that all the packets were arriving at their
    destination unaltered. It is unused these days, so it is suggested
    you disable it, as an attacker may use it to set up an attack against
    this host, or against a third-party host using this host as a relay.
    
    An easy attack is 'ping-pong' in which an attacker spoofs a packet between
    two machines running chargen. This will cause them to spew characters at
    each other, slowing the machines down and saturating the network." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f0dbdf05" );
     script_set_attribute(attribute:"solution", value:
    "- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf
      and restart the inetd process
    
    - Under Windows systems, set the following registry keys to 0 :
      HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
      HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen
    
     Then launch cmd.exe and type :
    
       net stop simptcp
       net start simptcp
    
    To restart the service." );
      # Scoring: CVSSv2 only (availability partial), taken from the CVE. No
      # CVSSv3 vector is set here, unlike quote.nasl.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Cross-reference to the Metasploit chargen_probe auxiliary module; it
      # is a prober/reflection tester, not an exploit in the usual sense.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Chargen Probe Utility');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    script_set_attribute(attribute:"plugin_publication_date", value: "1999/11/29");
     script_set_attribute(attribute:"vuln_publication_date", value: "1996/02/08");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     # Classification: ACT_GATHER_INFO, i.e. detection only; the ping-pong
     # flood is never attempted by this plugin.
     script_summary(english:"Checks for the presence of chargen");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 1999-2020 Mathieu Perrin");
     script_family(english:"Denial of Service");
     # Run after service discovery so known_service() below has data.
     script_dependencie("find_service1.nasl");
    
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("misc_func.inc");
    
    
    # UDP chargen probe (RFC 864): any datagram elicits a burst of characters,
    # so send a bare CRLF and judge by the size of what comes back.
    if(get_udp_port_state(19))
    {
     sock_udp = open_sock_udp(19);
     if ( ! sock_udp ) exit(0);   # NB: this also skips the TCP probe below
     send(socket:sock_udp, data:'\r\n');
     reply = recv(socket:sock_udp, length:1024);
     close(sock_udp);
     # Reply size is the only signal used: more than 255 bytes is taken as
     # chargen. RFC 864 allows a 0-512 byte random-length reply, so shorter
     # bursts are missed; the threshold is kept to avoid mistaking other
     # chatty UDP services for chargen.
     if(strlen(reply) > 255) security_warning(port:19, protocol:"udp");
    }
    
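    # TCP chargen probe (RFC 864): the server streams characters without
    # waiting for input, so block until 255 bytes have arrived.
    if(get_port_state(19))
    {
     p = known_service(port:19);	# May fork
     # Only probe when find_service has not attributed the port elsewhere.
     if(!p || p == "chargen")
     {
     soc = open_sock_tcp(19);
     if(soc)
      {
        a = recv(socket:soc, length:255, min:255);
        # recv() never returns more than 'length' bytes, so the previous
        # test 'strlen(a) > 255' could never be true and the TCP check was
        # dead code. A full 255-byte read from a server that talks first,
        # unprompted, is the chargen signature.
        if(strlen(a) >= 255)
        {
          security_warning(19);
          # Mirror quote.nasl: record the service unless find_service
          # had already identified it.
          if (!p) register_service(port:19, ipproto:"tcp", proto:"chargen");
        }
        close(soc);
      }
     }
    }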
    
    		
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_E3F64457CCCD11E2AF76206A8A720317.NASL
    descriptionNo advisory has been released yet. schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. [CVE-2002-2443].
    last seen2020-06-01
    modified2020-06-02
    plugin id66777
    published2013-06-04
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66777
    titleFreeBSD : krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] (e3f64457-cccd-11e2-af76-206a8a720317)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_KERBEROS_20130924.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443) - The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. (CVE-2012-1016) - The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/ pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. (CVE-2013-1415)
    last seen2020-06-01
    modified2020-06-02
    plugin id80652
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80652
    titleOracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)
  • NASL family: Service detection
    NASL id: ECHO.NASL
    description: The remote host is running the echo service (description truncated in this listing; see the plugin page linked below).
    last seen2020-06-01
    modified2020-06-02
    plugin id10061
    published1999-06-22
    reporterThis script is Copyright (C) 1999-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/10061
    titleEcho Service Detection