Vulnerabilities > CVE-2001-0162 - Unspecified vulnerability in Microsoft Windows CE 3.0.9348

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

WinCE 3.0.9348 generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.

Vulnerable Configurations

Part Description Count
OS
Microsoft
1

Exploit-Db

descriptionLinux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability. CVE-1999-0077 ,CVE-2000-0916,CVE-2001-0162,CVE-2001-0163,CVE-2001-0288,CVE-2001-0328...
idEDB-ID:19522
last seen2016-02-02
modified1999-09-27
published1999-09-27
reporterStealth and S. Krahmer
sourcehttps://www.exploit-db.com/download/19522/
titleLinux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability

Nessus

NASL familyGeneral
NASL idTCP_SEQ.NASL
descriptionThe remote host has predictable TCP sequence numbers. An attacker may use this flaw to establish spoofed TCP connections to this host.
last seen2020-06-01
modified2020-06-02
plugin id10443
published2003-03-03
reporterThis script is Copyright (C) 2003-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10443
titleTCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10443);
 script_version("1.31");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 script_cve_id(
  "CVE-1999-0077",
  "CVE-2004-0641",
  "CVE-2001-0162",
  "CVE-2001-0163",
  "CVE-2001-0751",
  "CVE-2001-0288",
  "CVE-2001-1104",
  "CVE-2000-0916"
 );
 script_bugtraq_id(107, 670, 3098, 10881);

 script_name(english:"TCP/IP Predictable ISN (Initial Sequence Number) Generation Weakness");
 script_summary(english:"TCP SEQ");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to predict TCP/IP Initial Sequence Numbers for the
remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host has predictable TCP sequence numbers.

An attacker may use this flaw to establish spoofed TCP connections to
this host.");
 script_set_attribute(attribute:"solution", value:"Contact your vendor for a patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"1995/01/01");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/03");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2019 Tenable Network Security, Inc.");
 script_family(english:"General");

 script_require_keys("Settings/ParanoidReport");

 exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if ( TARGET_IS_IPV6 ) exit(1, "This check is not implemented for IPv6 hosts.");

MAX_RETRIES = 5;

function probe(port)
{
 local_var flags, sport, ip, tcp, filter, i, rep, seq;

 ip = forge_ip_packet(
        ip_hl   :5,
        ip_v    :4,
        ip_tos  :0,
        ip_len  :20,
        ip_id   :31338,
        ip_off  :0,
        ip_ttl  :64,
        ip_p    :IPPROTO_TCP,
        ip_src  :compat::this_host()
        );

  sport = (rand() % 60000) + 1024;

  tcp = forge_tcp_packet(ip:ip,
                               th_sport: sport,
                               th_dport: port,
                               th_flags:TH_SYN,
                               th_seq: rand(),
                               th_ack: 0,
                               th_x2: 0,
                               th_off: 5,
                               th_win: 8192,
                               th_urp: 0);
 # Note: these ports look backwards because we're capturing the response
 filter = "tcp and src host " + get_host_ip() + " and src port " + port + " and dst port " + sport;
 for ( i = 0 ; i < MAX_RETRIES ; i ++ )
 {
   rep = send_packet(tcp, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:1);
   if ( rep ) break;
 }

 if ( ! rep ) exit(1, "No response to the probe.");

 flags = get_tcp_element(tcp:rep, element:"th_flags");
 if ( flags != (TH_SYN|TH_ACK))
	exit(1, "The server returned an unexpected packet.");
 seq = get_tcp_element(tcp:rep, element:"th_seq");
 return seq;
}

# Get an open port
port = get_host_open_port();
if (isnull(port) || !port) exit(1, "Couldn't find an open port to check.");

for (mu=0; mu<5; mu++)
{

	seqs = make_list();
	for ( i = 0 ; i < 5 ; i ++ )
	{
 		seqs[i] = probe(port:port);
	}

	diffs = make_list();

	for ( i = 1; i < 5 ; i ++ )
	{
	 	diffs[i - 1] = seqs[i] - seqs[i - 1];
 		# Ugly hack, as NASL does not handle unsigned ints
 		if ( diffs[i - 1] < 0 )
			diffs[i - 1] *= -1;
	}

	a = diffs[0];

	for ( i = 1 ; i < 4 ; i ++ )
	{
 		b = diffs[i];
 		if ( a < b )
		{
			c = a;
			a = b;
			b = c;
		}
 		else
		{
			while ( b)
			{
				c = a % b;
				a = b;
				b = c;
			}
		}
	}
	if (mu == 0)
	{
		results = make_list(a);
	}
	else
	{
		results = make_list(results, a);
	}
}


if ( (results[0] == results[1]) &&
	(results[0] == results[2]) &&
	(results[0] == results[3]) &&
	(results[0] == results[4]) )
		security_hole(0);
else
  exit(0, "Host does not appear to be vulnerable.");