CVE-1999-0193

MEDIUM 5.0 / 10.0
Published: December 1, 1997 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A vulnerability in Ascend and 3Com routers allows a denial-of-service (DoS) condition that renders the devices unavailable. Exploitation involves sending a TCP packet carrying a zero-length option, which causes the router to reboot and disrupts network connectivity. This can lead to significant business disruption and potential data loss.

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify vulnerable Ascend or 3Com router(s) on the network. This can be achieved through network scanning and device fingerprinting.

Step 2: Packet Crafting: Construct a TCP packet with a zero-length TCP option. This involves setting the TCP option length field to zero while including the option in the packet.

Step 3: Packet Delivery: Send the crafted TCP packet to the target router's listening port (typically a port used for network management or control).

Step 4: Vulnerability Trigger: The router processes the malformed packet, triggering the vulnerability within the TCP/IP stack.

Step 5: Denial of Service: The router crashes or reboots due to the processing error, resulting in a DoS condition.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in how Ascend and 3Com routers handle TCP options. Specifically, the routers fail to properly validate the length of a TCP option before processing it. Sending a TCP packet with a zero-length option likely triggers an error condition within the router's TCP/IP stack. This could manifest as an attempt to dereference a null pointer, an out-of-bounds memory access (potentially a buffer overflow), or an unexpected state transition. The root cause is a missing or inadequate check on the length field of the TCP option, which lets a single malformed packet crash the device and force a reboot.
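The length check described above, as an added example (not code from the affected routers, whose implementation the page does not show). Function names and the sample byte arrays are constructed for illustration; the unchecked walker shows one way a zero length can fail, by never advancing the parse cursor.

```c
#include <stddef.h>
#include <stdint.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1 };
enum opt_status { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_BAD_LENGTH = -2 };

/* Constructed sample option areas (not captured traffic). */
static const uint8_t GOOD_OPTS[]     = {2, 4, 0x05, 0xb4, 1, 3, 3, 7}; /* MSS, NOP, WScale */
static const uint8_t ZERO_LEN_OPTS[] = {1, 1, 8, 0};   /* option with length byte 0 */
static const uint8_t SHORT_OPTS[]    = {2, 4, 0x05};   /* length runs past the buffer */

/* Hardened walk (hypothetical name): validates every length before using it.
 * The length byte counts the kind and length bytes, so the minimum is 2. */
int tcp_options_validate(const uint8_t *opts, size_t n, size_t *count)
{
    size_t i = 0, seen = 0;
    while (i < n) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;               /* end of option list */
        if (kind == TCPOPT_NOP) { i++; continue; }   /* one-byte padding */
        if (n - i < 2) return OPT_TRUNCATED;         /* no room for a length byte */
        uint8_t len = opts[i + 1];
        if (len < 2) return OPT_BAD_LENGTH;          /* 0 or 1: reject the segment */
        if (len > n - i) return OPT_TRUNCATED;       /* would read past the options */
        seen++;
        i += len;
    }
    if (count) *count = seen;
    return OPT_OK;
}

/* Unchecked walk, for contrast. Returns 1 if it finishes, 0 if it is still
 * looping after max_steps (the cursor stopped advancing). */
int naive_walk_terminates(const uint8_t *opts, size_t n, unsigned max_steps)
{
    size_t i = 0;
    for (unsigned step = 0; step < max_steps; step++) {
        if (i >= n || opts[i] == TCPOPT_EOL) return 1;
        if (opts[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= n) return 1;
        i += opts[i + 1];   /* no check: a length of 0 leaves i unchanged */
    }
    return 0;
}
```

A stack or inline filter that applies the validated walk can drop the segment on `OPT_BAD_LENGTH` or `OPT_TRUNCATED` before any option handler runs.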
