CVE List
Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
---|---|---|---|---|---|---|---|
195 | CVE-1999-0195 | Candidate | Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1. | Modified (19991130-01) | ACCEPT(2) Balinsky, Shostack<br>MODIFY(1) Frech<br>NOOP(3) Baker, Northcutt, Wall<br>REVIEWING(2) Christey, Levy | Frech> XF:rpcbind-spoof<br>Christey> CVE-1999-0195 = CVE-1999-0461 ?<br>If this is approved over CVE-1999-0461, make sure it gets XF:pmap-sset | View |
1768 | CVE-2000-0190 | Candidate | AOL Instant Messenger (AIM) client allows remote attackers to cause a denial of service via a message with a malformed ASCII value. | Proposed (20000322) | ACCEPT(2) Blake, Cole<br>MODIFY(1) Frech<br>NOOP(3) Baker, LeBlanc, Ozancin<br>REVIEWING(2) Levy, Wall | Frech> XF:aolim-malformed-ascii-dos(4877) | View |
648 | CVE-1999-0667 | Candidate | The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service. | Proposed (19991222) | ACCEPT(2) Blake, Cole<br>MODIFY(1) Stracener<br>NOOP(2) Baker, Christey<br>REJECT(1) Frech | Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP<br>Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:<br>CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.<br>CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.<br>Will reconsider if reference provides enough information to render a distinction.<br>Christey> This particular vulnerability was exploited by an attacker during the ID'Net IDS test network exercise at the SANS Network Security '99 conference. The attacker adapted a publicly available program that was able to spoof another machine on the same physical network.<br><br>See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2 for the Bugtraq reference that Tom Stracener suggested. This generated a long thread on Bugtraq in 1997.<br>Blake> I'll second Tom's request to add the reference, it's a very good posting and the vulnerability is clearly derivative of the work.<br><br>(I do recall talking to the guy and drafting a description.) | View |
344 | CVE-1999-0345 | Candidate | Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems. | Proposed (19990728) | ACCEPT(2) Blake, Cole<br>MODIFY(2) Frech, Wall<br>NOOP(4) Bishop, Landfield, Northcutt, Ozancin<br>RECAST(1) Meunier<br>REJECT(4) Armstrong, Baker, LeBlanc, Levy<br>REVIEWING(1) Christey | Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and Windows NT systems.<br>Reference: Q154174.<br>Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.<br>It is a modified teardrop 2 attack.<br>Frech> XF:nt-ssping<br>ADDREF XF:ping-death<br>ADDREF XF:teardrop-mod<br>ADDREF XF:mpeix-echo-request-dos<br>Christey> I can't tell whether the Jolt exploit at:<br>http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net<br>is exploiting any different flaw than teardrop does.<br>CHANGE> [Christey changed vote from NOOP to REVIEWING]<br>Baker> Jolt (original) is basically just a fragmented oversized ICMP that kills Win boxes ala Ping of Death. Teardrop is altering the offset in fragmented tcp packets so that the end of subsequent fragments is inside first packet... Teardrop 2 is UDP packets, if I remember right. Seems like Jolt (original, not jolt 2) is just exploit code that creates a ping of death (CVE 1999-0128)<br>Levy> I tend to agree with Baker.<br>CHANGE> [Armstrong changed vote from REVIEWING to REJECT]<br>Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.<br>Christey> See the SCO advisory at:<br>http://www.securityfocus.com/templates/advisory.html?id=1411<br>which may further clarify the issue.<br>LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same thing as ping of death - POD was an oversized ICMP packet, Jolt froze Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes. Teardrop and teardrop2 were related attacks (usually ICMP frag attacks), but each of these is a distinct vulnerability, affected a discrete group of systems, and should have distinct CVE numbers. CVE entries should be precise as to what the problem is.<br>Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has characteristics of Ping of Death AND teardrop, but it doesn't do either exactly. Moreover, it sends a truncated IP fragment. I disagree with Armstrong; jolt uses overlapping fragments. It's not a simple ping of death either. It may be that the author's intent was to construct a "super attack" somehow combining elements of other vulnerabilities to try to make it more potent. In any case it succeeded in confusing the CVE board :-).<br><br>I notice that Jolt uses echo replies (type 0) instead of echo requests (to get past firewalls?). Jolt is peculiar in that it also sends numerous overlapping fragments. The "Pascal Simulator" :-) says it sends:<br><br>- 172 fragments of length 400 with offset starting at 5120 and increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)), which eventually results in sending fragments inside an already covered area once ((n* 380) >> 3) is greater than 5120, which occurs when n reaches 108. This would look a bit like TearDrop if fragments were reassembled on-the-fly.<br><br>- 1 fragment such that the total length of all the fragments is greater than 65535 (my calculation is 172*380 + 418 = 65778; the comment about 65538 must be wrong). The last packet is size 418 according to the IP header but the buffer is of size 400. The sendto takes as argument the size of the buffer so a truncated packet is sent.<br><br>So, I am not sure if the problem is because the last packet doesn't extend to the payload it says it has or because the total size of all fragments is greater than 65535. The author says it may take more than one sending, so perhaps this has to do with an incorrect error handling and recovery. One would need to experiment and isolate each of those characteristics and test them independently. Inasmuch as each of those things is likely a different vulnerability, then I agree with Leblanc that this entry should be split. I'll try that if I ever get bored. Jolt 2 should also have a different entry (see below).<br><br>Jolt 2 runs in an infinite loop, sending the same fragmented IP packet, which can pretend to be "ICMP" or "UDP" data; however this is meaningless, as it's just a late fragment of an IP packet. The attack works only as long as packets are sent. According to http://www.securityfocus.com/archive/1/62170 the packets are truncated, and would overflow over the 65535 byte limit, which is similar to Jolt. Note that Jolt does send that much data whereas jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it has weaker consequences, I believe that it's a different vulnerability.<br><br>"Jolt 2 vulnerability causes a temporary denial-of-service in Windows-type OSes" would be a title for it. | View |
665 | CVE-1999-0684 | Candidate | Denial of service in Sendmail 8.8.6 in HPUX. | Proposed (19991214) | ACCEPT(2) Blake, Cole<br>MODIFY(3) Frech, Prosser, Stracener<br>NOOP(1) Baker<br>REJECT(1) Christey | Stracener> Add Ref: CIAC: J-040<br>Prosser> Might change description to indicate DoS caused by multiple connections<br>Christey> Andre's right. This is a duplicate of CVE-1999-0684.<br>Frech> Without further information and/or references, this issue looks like an ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail 8.8.6 related to accepting connections.<br><br>(was REJECT)<br>XF:hp-sendmail-connect-dos | View |
Page 815 of 20943, showing 5 records out of 104715 total, starting on record 4071, ending on 4075