Vulnerabilities > CVE-1999-1196 - Denial of Service vulnerability in Hummingbird Exceed 5.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
hummingbird
nessus
NVD
Published: 1999-04-07
Updated: 2008-09-05

Summary

Hummingbird Exceed X version 5 allows remote attackers to cause a denial of service via malformed data to port 6000. Upgrade to a non-vulnerable version of Exceed (Hummingbird Exceed 6.0.1 Hummingbird Exceed 6.0.2 Hummingbird Exceed 6.1)

Vulnerable Configurations

Part Description Count
Application
Hummingbird
1

Nessus

NASL familyDenial of Service
NASL idRANDOM_CRAP_DOS.NASL
descriptionIt was possible to crash the remote service by sending it a few kilobytes of random data. An attacker may use this flaw to make this service crash continuously, preventing this service from working properly. It may also be possible to exploit this flaw to execute arbitrary code on this host.
last seen2020-06-01
modified2020-06-02
plugin id17296
published2005-03-08
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/17296
titleNetwork Service Malformed Data Remote DoS
code
#
# (C) Tenable Network Security, Inc.
#

################
# References
################
#
# http://www.securityfocus.com/bid/158/
# Exceed Denial of Service Vulnerability
# CVE-1999-1196


include("compat.inc");

if(description)
{
 script_id(17296);
 script_version ("1.17");

 script_cve_id("CVE-1999-1196");
 script_bugtraq_id(158);
 
 script_name(english:"Network Service Malformed Data Remote DoS");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote service is vulnerable to a denial of service attack." );
 script_set_attribute(attribute:"description", value:
"It was possible to crash the remote service by sending it a few
kilobytes of random data. 

An attacker may use this flaw to make this service crash continuously,
preventing this service from working properly.  It may also be
possible to exploit this flaw to execute arbitrary code on this host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade your software or contact your vendor and inform it of this 
vulnerability." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/08");
 script_set_attribute(attribute:"vuln_publication_date", value: "1999/04/27");
 script_cvs_date("Date: 2018/07/25 18:58:03");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english: "Sends random data to the remote service");
 
 # Maybe we should set this to ACT_DESTRUCTIVE_ATTACK only?
 script_category(ACT_DENIAL);
 
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english: "Denial of Service");
 script_dependencie("find_service1.nasl", "find_service2.nasl");
 exit(0);
}

#
include("global_settings.inc");
include("misc_func.inc");

beurk = '';
for (i = 0; i < 256; i ++)
 beurk = strcat(beurk, 
  raw_string(rand() % 256), raw_string(rand() % 256),
  raw_string(rand() % 256), raw_string(rand() % 256),
  raw_string(rand() % 256), raw_string(rand() % 256),
  raw_string(rand() % 256), raw_string(rand() % 256));
# 2 KB

ports = get_kb_list("Ports/tcp/*");
if (isnull(ports)) exit(0);

foreach port (keys(ports))
{
 port = int(port - "Ports/tcp/");
 soc = open_sock_tcp(port);
 if (soc)
 {
   send(socket: soc, data: beurk);
   close(soc);

  # Is the service still alive?
  # Retry just in case it is rejecting connections for a while
  for (i = 1; i <= 3; i ++)
  {
    soc = open_sock_tcp(port);
    if (soc) break;
    sleep(i);
  }
  if (! soc)
  {
   if (service_is_dead(port: port, exit: 0) > 0)
     security_hole(port);
  }
  else
   close(soc);
 }
}

References