CVE-1999-1060
CVSS 5.0
Published: 1999-02-17 00:00:00
Last revised: 2016-10-17 22:00:46

[Original] Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.


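[CNNVD] Tetrix buffer overflow vulnerability (CNNVD-199902-032)

        A buffer overflow vulnerability exists in Tetrix TetriNet daemon version 1.13.16. A remote attacker who connects to port 31457 from a host with a long DNS hostname can cause a denial of service and possibly execute arbitrary commands.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links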

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1060
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1060
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199902-032
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=91937090211855&w=2
(UNKNOWN)  BUGTRAQ  19990217 Tetrix 1.13.16 is Vulnerable
http://www.securityfocus.com/bid/340
(PATCH)  BID  340

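- Vulnerability information

Tetrix buffer overflow vulnerability
Medium severity, buffer overflow
1999-02-17 00:00:00 2005-10-20 00:00:00
Remote / Local
        A buffer overflow vulnerability exists in Tetrix TetriNet daemon version 1.13.16. A remote attacker who connects to port 31457 from a host with a long DNS hostname can cause a denial of service and possibly execute arbitrary commands.

- Advisories and patches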

        The following patch should be applied to the tetrinet source:
        ----------------------------------snip snip-------------------------------
        diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c
        --- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998
        +++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999
        @@ -2561,7 +2562,7 @@
        /* Someone has just connected. So lets answer them */
        void net_telnet(struct net_t *n, char *buf)
        {
        - unsigned long ip; int k,l; char s[121]; char strg[121];
        + unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];
        char n1[4], n2[4], n3[4], n4[4];
        struct channel_t *chan, *ochan;
        struct net_t *net;
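Review bot: In net_telnet(), strg stays at a hard-coded 121 bytes while s grows to UHOSTLEN in the same declaration. The hunk does not show how strg is filled; if it is ever built from s or from the resolved hostname, it is now the short buffer. Size it from a named constant as well, or confirm that every write into strg is length-bounded.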
        diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h
        --- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998
        +++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999
        @@ -48,9 +48,8 @@
        #define SERVERBUILD "16" /* What build we are at */
        #define NICKLEN 30 /* Maximum length of Nickname */
        #define VERLEN 10 /* Maximum length of Tetrinet version */
        -#define UHOSTLEN 30 /* Maximum length of Hostname */
        +#define UHOSTLEN 256 /* Maximum length of Hostname */
        #define TEAMLEN NICKLEN /* Maximum length of teamname */
        -/*#define MAXNET 80*/ /* Maximum network sockets */
        #define MAXWINLIST 100 /* Maximum entries on Winlist */
        #define TELNET_PORT 31457 /* Telnet port to listen on */
        #define QUERY_PORT 31456 /* Query port to listen on */
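Review bot: Raising UHOSTLEN from 30 to 256 in main.h resizes every other buffer and length check built on this constant, not only the two arrays touched by this patch, so the remaining users of UHOSTLEN should be checked for assumptions about the old value. DNS names are limited to 255 octets, so 256 leaves room for the terminator. The deletion of the commented-out MAXNET line is unrelated to the fix and would be cleaner as a separate change.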
        diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
        --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998
        +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999
        @@ -250,15 +250,17 @@
        unsigned long ip;
        {
        struct hostent *hp; unsigned long addr=ip;
        - unsigned char *p; static char s[121];
        -/* alarm(10);*/
        + unsigned char *p; static char s[UHOSTLEN];
        +
        hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
        if (hp==NULL) {
        p=(unsigned char *)&addr;
        sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
        return s;
        }
        - strcpy(s,hp->h_name); return s;
        + strncpy(s,hp->h_name,(UHOSTLEN-1));
        + s[strlen(s)]='\0';
        + return s;
        }
        /* short routine to answer a connect received on a socket made previously
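Review bot: The added s[strlen(s)]='\0'; in net.c does not terminate anything: strlen() stops at the first NUL already present in s, so the line writes a NUL over a NUL. When hp->h_name is UHOSTLEN-1 characters or longer, strncpy() copies no terminator, and the result is terminated only because s is static (zero-initialised) and nothing visible here writes s[UHOSTLEN-1]. Make the termination explicit with s[UHOSTLEN-1]='\0'; after the strncpy().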
        ----------------------------------snip snip-------------------------------

- Vulnerability information

9833
Tetrix TetriNet Long DNS Hostname Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Tetrix TetriNet. The daemon fails to perform proper bounds checking resulting in a buffer overflow. By connecting to port 31457 with a hostname containing 122 characters or more, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

1999-02-17 Unknown
1999-02-17 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

Tetrix Buffer Overflow Vulnerability
Boundary Condition Error 340
Yes Yes
1999-02-17 12:00:00 2009-07-11 12:16:00
First posted to BugTraq by Steven Hodges <nsn@RAW.VELOWEB.COM> on February 17, 1999.

- Affected program versions

Tetrinet Tetrinet 1.31.16

- Discussion

There is a buffer overflow in the Tetrinet daemon, Tetrix, which occurs when you connect to port 31457 with a hostname longer than 122 characters.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The following patch should be applied to the tetrinet source:

----------------------------------snip snip-------------------------------

diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c

--- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999

@@ -2561,7 +2562,7 @@

/* Someone has just connected. So lets answer them */

void net_telnet(struct net_t *n, char *buf)

{

- unsigned long ip; int k,l; char s[121]; char strg[121];

+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];

char n1[4], n2[4], n3[4], n4[4];

struct channel_t *chan, *ochan;

struct net_t *net;

diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h

--- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999

@@ -48,9 +48,8 @@

#define SERVERBUILD "16" /* What build we are at */

#define NICKLEN 30 /* Maximum length of Nickname */

#define VERLEN 10 /* Maximum length of Tetrinet version */

-#define UHOSTLEN 30 /* Maximum length of Hostname */

+#define UHOSTLEN 256 /* Maximum length of Hostname */

#define TEAMLEN NICKLEN /* Maximum length of teamname */

-/*#define MAXNET 80*/ /* Maximum network sockets */

#define MAXWINLIST 100 /* Maximum entries on Winlist */

#define TELNET_PORT 31457 /* Telnet port to listen on */

#define QUERY_PORT 31456 /* Query port to listen on */

diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c

--- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999

@@ -250,15 +250,17 @@

unsigned long ip;

{

struct hostent *hp; unsigned long addr=ip;

- unsigned char *p; static char s[121];

-/* alarm(10);*/

+ unsigned char *p; static char s[UHOSTLEN];

+

hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/

if (hp==NULL) {

p=(unsigned char *)&addr;

sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);

return s;

}

- strcpy(s,hp->h_name); return s;

+ strncpy(s,hp->h_name,(UHOSTLEN-1));

+ s[strlen(s)]='\0';

+ return s;

}

/* short routine to answer a connect received on a socket made previously

----------------------------------snip snip-------------------------------

- Related references
