Vulnerabilities > CVE-2003-0108 - Denial Of Service vulnerability in TCPDump Malformed ISAKMP Packet
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Exploit-Db
description | TCPDump 3.x Malformed ISAKMP Packet Denial Of Service Vulnerability. CVE-2003-0108. Dos exploit for linux platform |
id | EDB-ID:22294 |
last seen | 2016-02-02 |
modified | 2003-03-01 |
published | 2003-03-01 |
reporter | The Salvia Twist |
source | https://www.exploit-db.com/download/22294/ |
title | TCPDump 3.x Malformed ISAKMP Packet Denial of Service Vulnerability |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-255.NASL description Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted network packet which causes tcpdump to enter an infinite loop. In addition to the above problem the tcpdump developers discovered a potential infinite loop when parsing malformed BGP packets. They also discovered a buffer overflow that can be exploited with certain malformed NFS packets. last seen 2020-06-01 modified 2020-06-02 plugin id 15092 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15092 title Debian DSA-255-1 : tcpdump - infinite loop code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-255. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15092); script_version("1.21"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2002-0380", "CVE-2003-0108"); script_bugtraq_id(4890, 6974); script_xref(name:"DSA", value:"255"); script_name(english:"Debian DSA-255-1 : tcpdump - infinite loop"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted network packet which causes tcpdump to enter an infinite loop. In addition to the above problem the tcpdump developers discovered a potential infinite loop when parsing malformed BGP packets. They also discovered a buffer overflow that can be exploited with certain malformed NFS packets." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-255" ); script_set_attribute( attribute:"solution", value: "Upgrade the tcpdump packages. For the stable distribution (woody) these problems have been fixed in version 3.6.2-2.3. The old stable distribution (potato) does not seem to be affected by these problems." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/02/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"tcpdump", reference:"3.6.2-2.3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-027.NASL description A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs in the tcpdump program. By sending a specially crafted network packet, an attacker is able to to cause tcpdump to enter an infinite loop. In addition, the tcpdump developers found a potential infinite loop when tcpdump parses malformed BGP packets. A buffer overflow was also discovered that can be exploited with certain malformed NFS packets. last seen 2020-06-01 modified 2020-06-02 plugin id 14011 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14011 title Mandrake Linux Security Advisory : tcpdump (MDKSA-2003:027) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:027. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14011); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1350", "CVE-2003-0093", "CVE-2003-0108", "CVE-2003-0145"); script_xref(name:"MDKSA", value:"2003:027"); script_name(english:"Mandrake Linux Security Advisory : tcpdump (MDKSA-2003:027)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs in the tcpdump program. By sending a specially crafted network packet, an attacker is able to to cause tcpdump to enter an infinite loop. In addition, the tcpdump developers found a potential infinite loop when tcpdump parses malformed BGP packets. A buffer overflow was also discovered that can be exploited with certain malformed NFS packets." ); script_set_attribute( attribute:"solution", value: "Update the affected libpcap0, libpcap0-devel and / or tcpdump packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpcap0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpcap0-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-085.NASL description Updated tcpdump packages are available to fix a denial of service vulnerability in tcpdump. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS Tcpdump is a command-line tool for monitoring network traffic. The ISAKMP parser in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop. Users of tcpdump are advised to upgrade to these errata packages which contain a patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 12375 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12375 title RHEL 2.1 : tcpdump (RHSA-2003:085) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:085. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12375); script_version ("1.24"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0108"); script_xref(name:"RHSA", value:"2003:085"); script_name(english:"RHEL 2.1 : tcpdump (RHSA-2003:085)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated tcpdump packages are available to fix a denial of service vulnerability in tcpdump. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS Tcpdump is a command-line tool for monitoring network traffic. The ISAKMP parser in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop. Users of tcpdump are advised to upgrade to these errata packages which contain a patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0108" ); # http://www.idefense.com/advisory/02.27.03.txt script_set_attribute( attribute:"see_also", value:"https://www.accenture.com/us-en/service-idefense-security-intelligence" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:085" ); script_set_attribute( attribute:"solution", value:"Update the affected arpwatch, libpcap and / or tcpdump packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arpwatch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/07"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:085"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"arpwatch-2.1a11-12.2.1AS.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libpcap-0.6.2-12.2.1AS.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"tcpdump-3.6.2-12.2.1AS.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump"); } }
NASL family SuSE Local Security Checks NASL id SUSE_SA_2003_0015.NASL description The remote host is missing the patch for the advisory SUSE-SA:2003:0015 (tcpdump). The network traffic analyzer tool tcpdump is vulnerable to a denial-of- service condition while parsing ISAKMP or BGP packets. This bug can be exploited remotely by an attacker to stop the use of tcpdump for analyzing network traffic for signs of security breaches or alike. Another bug may lead to system compromise due to the handling of malformed NFS packets send by an attacker. Please note, that tcpdump drops root privileges right after allocating the needed raw sockets. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command last seen 2020-06-01 modified 2020-06-02 plugin id 13779 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13779 title SUSE-SA:2003:0015: tcpdump code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:0015 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(13779); script_bugtraq_id(6974); script_version ("1.15"); script_cve_id("CVE-2003-0108"); name["english"] = "SUSE-SA:2003:0015: tcpdump"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2003:0015 (tcpdump). The network traffic analyzer tool tcpdump is vulnerable to a denial-of- service condition while parsing ISAKMP or BGP packets. This bug can be exploited remotely by an attacker to stop the use of tcpdump for analyzing network traffic for signs of security breaches or alike. Another bug may lead to system compromise due to the handling of malformed NFS packets send by an attacker. Please note, that tcpdump drops root privileges right after allocating the needed raw sockets. There is no temporary fix known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update." ); script_set_attribute(attribute:"solution", value: "http://www.suse.de/security/2003_015_tcpdump.html" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25"); script_cvs_date("Date: 2019/10/25 13:36:27"); script_end_attributes(); summary["english"] = "Check for the version of the tcpdump package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"tcpdump-3.4a6-375", release:"SUSE7.1") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"tcpdump-3.4a6-376", release:"SUSE7.2") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"tcpdump-3.6.2-321", release:"SUSE7.3") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"tcpdump-3.6.2-322", release:"SUSE8.0") ) { security_warning(0); exit(0); } if ( rpm_check( reference:"tcpdump-3.7.1-198", release:"SUSE8.1") ) { security_warning(0); exit(0); } if (rpm_exists(rpm:"tcpdump-", release:"SUSE7.1") || rpm_exists(rpm:"tcpdump-", release:"SUSE7.2") || rpm_exists(rpm:"tcpdump-", release:"SUSE7.3") || rpm_exists(rpm:"tcpdump-", release:"SUSE8.0") || rpm_exists(rpm:"tcpdump-", release:"SUSE8.1") ) { set_kb_item(name:"CVE-2003-0108", value:TRUE); }
Redhat
advisories |
|
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:18412 |
last seen | 2017-11-19 |
modified | 2004-04-05 |
published | 2004-04-05 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-18412 |
title | tcpdump ISAKMP Identification payload Integer Overflow Exploit |
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000629
- http://marc.info/?l=bugtraq&m=104637420104189&w=2
- http://marc.info/?l=bugtraq&m=104678787109030&w=2
- http://www.debian.org/security/2003/dsa-255
- http://www.idefense.com/advisory/02.27.03.txt
- http://www.iss.net/security_center/static/11434.php
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
- http://www.novell.com/linux/security/advisories/2003_015_tcpdump.html
- http://www.redhat.com/support/errata/RHSA-2003-032.html
- http://www.redhat.com/support/errata/RHSA-2003-085.html
- http://www.redhat.com/support/errata/RHSA-2003-214.html
- http://www.securityfocus.com/bid/6974