CVE-1999-0015

MEDIUM 5.0 / 10.0
Published: December 16, 1997 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Teardrop IP denial of service.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Teardrop is a classic denial-of-service (DoS) attack that exploits a vulnerability in how some operating systems handle fragmented IP packets. By sending a series of malformed fragmented packets, attackers can cause a target system to crash or become unresponsive, leading to a service outage and potential data loss.

02 // Vulnerability Mechanism

Step 1: Fragmentation: The attacker crafts a large IP packet and fragments it into multiple smaller packets. Each fragment contains a portion of the original data and includes information about its position (offset) within the original packet.

Step 2: Malformed Offsets: The attacker intentionally manipulates the offset fields in the fragmented packets. This can involve overlapping fragments, incorrect ordering, or other inconsistencies.

Step 3: Packet Delivery: The attacker sends the malformed fragmented packets to the target system.

Step 4: Reassembly Failure: The target system attempts to reassemble the fragmented packets. Due to the malformed offsets, the reassembly process fails, leading to memory corruption, infinite loops, or resource exhaustion.

Step 5: Denial of Service: The target system becomes unresponsive or crashes, resulting in a denial of service.

03 // Deep Technical Analysis

The vulnerability lies in the way some older operating systems reassemble fragmented IP packets. Specifically, the flaw occurs when the offset fields within the fragmented packets are manipulated to overlap or create inconsistencies. This causes the target system to allocate memory incorrectly or enter an infinite loop during packet reassembly, ultimately leading to a system crash or resource exhaustion. The root cause is a lack of proper validation and sanitization of the fragment offset and fragment length fields within the IP header, leading to a logic error during packet reassembly. This is not a buffer overflow but rather a fragmentation overlap issue.
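The missing validation described above, written as an added example (not code from any affected operating system or from this page): a reassembly-side check that rejects a fragment whose byte range overlaps one already queued for the same datagram. The `frag_queue` structure, the `frag_check` function and the reject-on-overlap policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_FRAGS    64
#define MAX_DATAGRAM 65535u   /* upper bound: IPv4 total length is a 16-bit field */

enum frag_verdict { FRAG_OK, FRAG_BAD_LEN, FRAG_TOO_BIG, FRAG_OVERLAP, FRAG_QUEUE_FULL };

struct frag_queue {           /* hypothetical per-datagram reassembly state */
    struct { uint32_t start, end; } seen[MAX_FRAGS];   /* half-open [start, end) */
    size_t count;
};

/* offset_units: 13-bit fragment offset field, in units of 8 bytes.
 * payload_len:  bytes of data carried after the IP header.
 * more_frags:   the MF flag; only the last fragment may clear it. */
enum frag_verdict frag_check(struct frag_queue *q, uint16_t offset_units,
                             uint16_t payload_len, int more_frags)
{
    /* Compute the range in 32 bits so start + length cannot wrap around. */
    uint32_t start = (uint32_t)offset_units * 8u;
    uint32_t end = start + payload_len;

    /* Every fragment but the last must carry a multiple of 8 bytes. */
    if (payload_len == 0 || (more_frags && payload_len % 8 != 0))
        return FRAG_BAD_LEN;
    if (end > MAX_DATAGRAM)
        return FRAG_TOO_BIG;
    /* Two half-open ranges overlap when each starts before the other ends. */
    for (size_t i = 0; i < q->count; i++)
        if (start < q->seen[i].end && q->seen[i].start < end)
            return FRAG_OVERLAP;
    if (q->count == MAX_FRAGS)
        return FRAG_QUEUE_FULL;
    q->seen[q->count].start = start;
    q->seen[q->count].end = end;
    q->count++;
    return FRAG_OK;
}

int main(void)
{
    struct frag_queue q = {0};
    /* Constructed sample fragments: offset (8-byte units), length, MF flag. */
    printf("%d\n", frag_check(&q, 0, 40, 1));   /* bytes 0..39 */
    printf("%d\n", frag_check(&q, 3, 8, 0));    /* bytes 24..31, inside the first */
    return 0;
}
```

A caller would discard the whole reassembly queue on any verdict other than `FRAG_OK`, so no length or copy size is ever derived from an inconsistent pair of fragments.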
